Risky Bulletin Podcast Summary

Podcast: Risky Bulletin
Episode: Srsly Risky Biz: Peter Williams, Ex-ASD, Pleads Guilty to Selling Eight Exploits to Russia
Release Date: October 30, 2025
Host: Amberly Jack
Guest/Expert: Tom Uren, Policy and Intelligence Editor

Episode Overview

This episode delves into the high-profile case of Peter Williams, a former senior executive and ex-ASD affiliate, who pleaded guilty to selling zero-day exploits to Russia. The conversation broadens to discuss the tensions and complexities between public sector and private sector development of cyber capabilities, the inherent security challenges, spillover effects from leaks and espionage, and the current state of US and UK national cyber strategy and policy failures.

Key Topics and Discussion Points

1. The Peter Williams Case: Ex-ASD Exec Sells Exploits to Russia

Peter Williams’ Background: Former general manager at L3Harris Trenchant, with history at ASD (Australian Signals Directorate).
- “This guy, former general manager of L3, Harris Trenchant, has just … pleaded guilty to selling exploits to Russian Zero day broker Operation Zero.” — Amberly Jack [00:35]
- Williams’ path: ASD → exploit firm → L3Harris Trenchant GM.
Implications for Private vs. Public Sector Capabilities:
- The case raises questions over whether exploit development should stay within government only.
Tom Uren argues for private sector inclusion:
- “Let’s not cut out the private sector when it comes to developing these exploits for government, it’s neither practical or a good idea at all.” — Amberly Jack summarizing Tom’s stance [00:48]

Why Can't Governments Centralize Exploit Development?

Fragmented Government Needs:
- Different agencies (e.g., NSA vs. FBI) have divergent operational needs, making centralization unmanageable.
- NSA: Persistent, careful use for intelligence.
- FBI: Short-term, law enforcement focus.
- “There is no such thing as the government … a lot of different agencies … want to use [exploits] in quite different ways.” — Tom Uren [01:47]
Example - NSA & FBI:
- NSA prizes long-term access and secrecy.
- FBI has evidentiary needs, lower sophistication targets, higher risk of revealing tools in court.
- “If NSA develops something, it is not going to want to give it to the FBI, because the FBI will go, well, I can use it willy-nilly … because of that it becomes very hard to share capabilities across government.” — Tom Uren [05:36]

2. Security Implications: Does In-House Mean More Secure?

Security inside Government vs. Contractors:
- Theoretically, in-house could be "arguably more secure," but Tom is skeptical about clear advantages.
- L3Harris and similar firms are highly regulated and secure by design.
- “I’m not sure that you’re actually better off in or out of government because there’s actually like some very, very large and serious leaks that have occurred from government agencies like the Snowden leaks and Shadow Brokers …” — Tom Uren [09:28]

Insider Risk and the Govt-Private Talent Pipeline

Movement of Talent:
- Many skilled cyber experts leave agencies for private sector due to frustrations with bureaucracy and stricter security culture.
- “There is a, it’s actually a well-trodden pathway of people who go into agencies like NSA or ASD … get fed up … leave for the private sector which is more free.” — Tom Uren [09:08]
No Such Thing as Perfect Security:
- Every major leak triggers a reactive tightening of security, but complete prevention remains elusive.
- “You’re never going to get perfect security so leaks are going to happen. … it’s kind of a cost of doing business.” — Tom Uren [10:55, 12:09]

3. US Cyber Workforce and Policy: Cuts, Gaps, and Waning Power

National Cyber Director Sean Cairncross’ Comments:
- Urges a stronger message to China over cyber intrusions, especially critical infrastructure.
- “We’ve not done enough to send a message to China that what they’re doing is unacceptable.” — Tom Uren paraphrasing Cairncross [12:34]
Solarium Commission 2.0 Annual Review:
- First time it reported backwards progress, citing funding cuts, workforce shrinkage, and organizational disbanding.
- Most recommendations are simply to "restore" what was lost.
Shift of Power to ONCD:
- Top recommendation: Empower the Office of the National Cyber Director (ONCD)—suggesting increasing central, individual authority.
- Tom is skeptical this will offset systemic resource gutting:
  - “You can’t compensate for like cutting CISA. You can’t compensate for the changes at the State Department where they’ve lost a lot of cyber diplomacy and it’s also being dispersed. So there’s no central center of gravity, I guess.” — Tom Uren [14:31]
- “Having one strong individual … is better than having no strong individual. Plus cuts at CISA. Plus cuts at the State Department.” — Tom Uren [15:18]
- Of note: This centralization of executive power may mesh with Donald Trump’s management preferences.

4. Real-World Impact of Data Leaks: UK MoD Leak Kills 49 Afghans

Tragic Leak Consequences:
- UK Ministry of Defence accidentally leaked spreadsheet with IDs of 19,000 Afghans who worked alongside UK during the Afghanistan war.
- Taliban reprisals led to the deaths of 49 individuals; others beaten, threatened.
- “My father was brutally beaten to the point that his toenails were forcibly removed … My parents remain under constant and serious threats.” — Tom Uren [17:06]
Government Response:
- UK spent £2 billion relocating more than 20,000 at-risk people.
Misalignment of Risk Response:
- Official UK advice was “use a VPN and limit your social media use,” laughably irrelevant in a war zone.
- “Totally inappropriate if you’re in Afghanistan and the government is hostile to the kind of work that you’ve done in the past.” — Tom Uren [18:18]

Notable Quotes

“There is no such thing as the government … a lot of different agencies … want to use [exploits] in quite different ways.”
— Tom Uren [01:47]
“I’m not convinced that in-house development is drastically more secure, but I think you can argue that it is.”
— Tom Uren [09:59]
“You’re never going to get perfect security so leaks are going to happen. … it’s kind of a cost of doing business.”
— Tom Uren [10:55, 12:09]
“We’ve not done enough to send a message to China that what they’re doing is unacceptable.”
— Tom Uren [12:34]
“You can’t compensate for like cutting CISA. You can’t compensate for the changes at the State Department … there’s no central center of gravity, I guess.”
— Tom Uren [14:31]
“Totally inappropriate if you’re in Afghanistan and the government is hostile to the kind of work that you’ve done in the past.”
— Tom Uren [18:18]

Timestamps for Key Segments

[00:35]: Introduction to the Peter Williams/Trenchant case—exploits sold to Russia.
[01:47]: Why centralizing exploit capability in government isn't practical.
[05:36]: NSA vs. FBI operational differences and sharing challenges.
[09:08]: The private sector as a talent outlet for ex-government cyber experts.
[09:59]: Skepticism regarding strict in-house security superiority.
[10:55]: The inevitability of leaks and fatalistic approach to cybersecurity improvements.
[12:34]: US National Cyber Director’s comments and Solarium Commission’s sobering scorecard.
[14:31]: Tom's critique of centralizing power amid budget and workforce cuts.
[16:13]: UK Ministry of Defence leak—real-world mortal consequences for Afghan allies.
[18:18]: Inappropriate official responses to critical leaks in life-and-death situations.

Summary & Takeaways

The Williams case underscores complex tensions between government and private sectors in developing cyber capabilities and securing them.
There is no single “government” stakeholder or priority—fragmentation and difference of mission, risk appetite, and operational use abound.
Neither public nor private sector can confidently guarantee airtight security; leaks are inevitable—what changes is the review and incremental tightening.
The ongoing attrition of US cyber talent and resources inflicts real, perhaps lasting, damage on defense posture.
Data leaks can have deadly, real-world consequences, and sometimes official “cyber” advice is utterly misaligned with ground realities.

Tone:
Informative but realistic (sometimes fatalistic), pragmatic, bringing sophisticated analysis to hard policy trade-offs and their often messy implications.

For more analysis:
Read Tom Uren’s writing in the Seriously Risky Business newsletter at Risky Biz.

Risky Bulletin Podcast Summary

Episode Overview

Key Topics and Discussion Points

1. The Peter Williams Case: Ex-ASD Exec Sells Exploits to Russia

Peter Williams’ Background: Former general manager at L3Harris Trenchant, with history at ASD (Australian Signals Directorate).
- “This guy, former general manager of L3, Harris Trenchant, has just … pleaded guilty to selling exploits to Russian Zero day broker Operation Zero.” — Amberly Jack [00:35]
- Williams’ path: ASD → exploit firm → L3Harris Trenchant GM.
Implications for Private vs. Public Sector Capabilities:
- The case raises questions over whether exploit development should stay within government only.
Tom Uren argues for private sector inclusion:
- “Let’s not cut out the private sector when it comes to developing these exploits for government, it’s neither practical or a good idea at all.” — Amberly Jack summarizing Tom’s stance [00:48]

Why Can't Governments Centralize Exploit Development?

Fragmented Government Needs:
- Different agencies (e.g., NSA vs. FBI) have divergent operational needs, making centralization unmanageable.
- NSA: Persistent, careful use for intelligence.
- FBI: Short-term, law enforcement focus.
- “There is no such thing as the government … a lot of different agencies … want to use [exploits] in quite different ways.” — Tom Uren [01:47]
Example - NSA & FBI:
- NSA prizes long-term access and secrecy.
- FBI has evidentiary needs, lower sophistication targets, higher risk of revealing tools in court.
- “If NSA develops something, it is not going to want to give it to the FBI, because the FBI will go, well, I can use it willy-nilly … because of that it becomes very hard to share capabilities across government.” — Tom Uren [05:36]

2. Security Implications: Does In-House Mean More Secure?

Security inside Government vs. Contractors:
- Theoretically, in-house could be "arguably more secure," but Tom is skeptical about clear advantages.
- L3Harris and similar firms are highly regulated and secure by design.
- “I’m not sure that you’re actually better off in or out of government because there’s actually like some very, very large and serious leaks that have occurred from government agencies like the Snowden leaks and Shadow Brokers …” — Tom Uren [09:28]

Insider Risk and the Govt-Private Talent Pipeline

Movement of Talent:
- Many skilled cyber experts leave agencies for private sector due to frustrations with bureaucracy and stricter security culture.
- “There is a, it’s actually a well-trodden pathway of people who go into agencies like NSA or ASD … get fed up … leave for the private sector which is more free.” — Tom Uren [09:08]
No Such Thing as Perfect Security:
- Every major leak triggers a reactive tightening of security, but complete prevention remains elusive.
- “You’re never going to get perfect security so leaks are going to happen. … it’s kind of a cost of doing business.” — Tom Uren [10:55, 12:09]

3. US Cyber Workforce and Policy: Cuts, Gaps, and Waning Power

National Cyber Director Sean Cairncross’ Comments:
- Urges a stronger message to China over cyber intrusions, especially critical infrastructure.
- “We’ve not done enough to send a message to China that what they’re doing is unacceptable.” — Tom Uren paraphrasing Cairncross [12:34]
Solarium Commission 2.0 Annual Review:
- First time it reported backwards progress, citing funding cuts, workforce shrinkage, and organizational disbanding.
- Most recommendations are simply to "restore" what was lost.
Shift of Power to ONCD:
- Top recommendation: Empower the Office of the National Cyber Director (ONCD)—suggesting increasing central, individual authority.
- Tom is skeptical this will offset systemic resource gutting:
  - “You can’t compensate for like cutting CISA. You can’t compensate for the changes at the State Department where they’ve lost a lot of cyber diplomacy and it’s also being dispersed. So there’s no central center of gravity, I guess.” — Tom Uren [14:31]
- “Having one strong individual … is better than having no strong individual. Plus cuts at CISA. Plus cuts at the State Department.” — Tom Uren [15:18]
- Of note: This centralization of executive power may mesh with Donald Trump’s management preferences.

4. Real-World Impact of Data Leaks: UK MoD Leak Kills 49 Afghans

Tragic Leak Consequences:
- UK Ministry of Defence accidentally leaked spreadsheet with IDs of 19,000 Afghans who worked alongside UK during the Afghanistan war.
- Taliban reprisals led to the deaths of 49 individuals; others beaten, threatened.
- “My father was brutally beaten to the point that his toenails were forcibly removed … My parents remain under constant and serious threats.” — Tom Uren [17:06]
Government Response:
- UK spent £2 billion relocating more than 20,000 at-risk people.
Misalignment of Risk Response:
- Official UK advice was “use a VPN and limit your social media use,” laughably irrelevant in a war zone.
- “Totally inappropriate if you’re in Afghanistan and the government is hostile to the kind of work that you’ve done in the past.” — Tom Uren [18:18]

Notable Quotes

“There is no such thing as the government … a lot of different agencies … want to use [exploits] in quite different ways.”
— Tom Uren [01:47]
“I’m not convinced that in-house development is drastically more secure, but I think you can argue that it is.”
— Tom Uren [09:59]
“You’re never going to get perfect security so leaks are going to happen. … it’s kind of a cost of doing business.”
— Tom Uren [10:55, 12:09]
“We’ve not done enough to send a message to China that what they’re doing is unacceptable.”
— Tom Uren [12:34]
“You can’t compensate for like cutting CISA. You can’t compensate for the changes at the State Department … there’s no central center of gravity, I guess.”
— Tom Uren [14:31]
“Totally inappropriate if you’re in Afghanistan and the government is hostile to the kind of work that you’ve done in the past.”
— Tom Uren [18:18]

Timestamps for Key Segments

[00:35]: Introduction to the Peter Williams/Trenchant case—exploits sold to Russia.
[01:47]: Why centralizing exploit capability in government isn't practical.
[05:36]: NSA vs. FBI operational differences and sharing challenges.
[09:08]: The private sector as a talent outlet for ex-government cyber experts.
[09:59]: Skepticism regarding strict in-house security superiority.
[10:55]: The inevitability of leaks and fatalistic approach to cybersecurity improvements.
[12:34]: US National Cyber Director’s comments and Solarium Commission’s sobering scorecard.
[14:31]: Tom's critique of centralizing power amid budget and workforce cuts.
[16:13]: UK Ministry of Defence leak—real-world mortal consequences for Afghan allies.
[18:18]: Inappropriate official responses to critical leaks in life-and-death situations.

Summary & Takeaways

The Williams case underscores complex tensions between government and private sectors in developing cyber capabilities and securing them.
There is no single “government” stakeholder or priority—fragmentation and difference of mission, risk appetite, and operational use abound.
Neither public nor private sector can confidently guarantee airtight security; leaks are inevitable—what changes is the review and incremental tightening.
The ongoing attrition of US cyber talent and resources inflicts real, perhaps lasting, damage on defense posture.
Data leaks can have deadly, real-world consequences, and sometimes official “cyber” advice is utterly misaligned with ground realities.

Tone:
Informative but realistic (sometimes fatalistic), pragmatic, bringing sophisticated analysis to hard policy trade-offs and their often messy implications.

For more analysis:
Read Tom Uren’s writing in the Seriously Risky Business newsletter at Risky Biz.

wavePod

Srsly Risky Biz: Peter Williams, Ex-ASD, Pleads Guilty to Selling Eight Exploits to Russia

Get Free Podcast Summaries in Your Inbox

Pick Your Shows

Subscribe Free

Get Instant Summaries

Summary

Risky Bulletin Podcast Summary

Episode Overview

Key Topics and Discussion Points

1. The Peter Williams Case: Ex-ASD Exec Sells Exploits to Russia

Why Can't Governments Centralize Exploit Development?

2. Security Implications: Does In-House Mean More Secure?

Insider Risk and the Govt-Private Talent Pipeline

3. US Cyber Workforce and Policy: Cuts, Gaps, and Waning Power

4. Real-World Impact of Data Leaks: UK MoD Leak Kills 49 Afghans

Notable Quotes

Timestamps for Key Segments

Summary & Takeaways

Summary

Risky Bulletin Podcast Summary

Episode Overview

Key Topics and Discussion Points

1. The Peter Williams Case: Ex-ASD Exec Sells Exploits to Russia

Why Can't Governments Centralize Exploit Development?

2. Security Implications: Does In-House Mean More Secure?

Insider Risk and the Govt-Private Talent Pipeline

3. US Cyber Workforce and Policy: Cuts, Gaps, and Waning Power

4. Real-World Impact of Data Leaks: UK MoD Leak Kills 49 Afghans

Notable Quotes

Timestamps for Key Segments

Summary & Takeaways