A
Hey, everyone, and welcome along to Seriously Risky Biz. My name is Amberly Jack, and this is our podcast all about cybersecurity policy and intelligence. Very shortly, I'll bring in Tom Uren. We'll have a chat about the Seriously Risky Business newsletter that Tom wrote. You can read that and subscribe over at our website, Risky Biz. But first, I'd like to thank our sponsors for this week's show, which is Thinkst, the makers of Thinkst Canary. And you can find them at T H I N K S T. Tom, let's talk about Donald Trump's cyber strategy for America. This strategy, there are six pillars of action here. And Tom, you've had a good read through this, and you've kind of come to the conclusion that the US Government really cares about one of them. So I guess let's start at the top here. Tom, how has the administration been undermining quite a few of what it now says are the six policy pillars that underpin this document?
B
Yeah. So the way I think about this, maybe the best way is to step back. So quite a few months ago, before the Trump administration came into power, I wrote a piece that said, here's what I think will happen. There'll be more offensive cyber action, because that is a demonstration of American power. And that's something that President Trump is very keen on, and many of his administration are, and that cyber security policy is fundamentally something that Trump doesn't really care about. And so they'll have good people who do good work, and you get kind of a plodding, incremental cyber strategy. This isn't quite that in that the way this strategy has come together is that there's just a whole lot of ideas and good ideas, things that are worth doing, but they're all stuck together and they're just, we will do this, we will do that, we will do this, we will do that.
A
Yeah.
B
Now, the one that stood out to me is the very first pillar, which is shape adversary behavior. Like I said, the administration likes to demonstrate American power. So this is one example where, yes, getting all our cyber horses in a row and taking it to the adversary and destroying them, annihilating them utterly. That's something that everyone is behind. And I'm actually like, I'm not really a fan of that kind of aggressive language, but the actual intent is fine.
A
Yeah.
B
Now, the problem with many of the other pillars is that they've got good ideas, but parts of the Trump administration have actually been undermining them.
A
Right.
B
So, for example, and I think and
A
it doesn't leave you with a whole lot of faith that they're going to be implemented to the, to the fullest extent.
B
I think that's fair. So, for example, there's a pillar which is modernize and secure federal government networks. This in some sense is a pillar that you think has to be there. Like that's a thing that I would find it surprising if it wasn't in anybody's cybersecurity strategy. And like that's a worthy goal. Yes. Federal government networks, they typically always need modernization.
A
Sounds great.
B
And it seems like. Tell me more. Tom, there's now actually a moment in time where you could perhaps do that in a transformational way by using new technologies. Yet at the same time, up until this point in the administration, the Cybersecurity and Infrastructure Security Agency, CISA, it's basically being cut drastically. So they've had to really slim down and focus on particular things. And what's striking is that the reporting I've seen about what they're focusing on, part of it matches what's in the strategy, but a lot of it does not match what's in the strategy. So they've said that they'll really focus on operational technology. So that is one of the pillars. Secure critical infrastructure, but the modernize and secure federal government networks, that pillar of the strategy also talks about providing leadership, developing new technologies and deploying them. And that doesn't happen by magic. You need people to actually lead. Those people need to have the technical support to like, what are we leading people to? I think this is a sort of time where there are potentially transformative technologies like AI. But is every government department just going to go out and try and figure it out for themselves? I think it really makes sense for there to be a central place where people say, you know, here is a model government organization. You know, this is the standard, if there is such a thing. And how do these new technologies fit into that? What's a cost effective and efficient way where we can really kick some big wins and not cost a lot more money? And I think if you don't have any people, it's very, very hard to do that. I think there's a missed opportunity there. I think I really would have liked to have seen here we'll have a big bang project to figure out what those technologies are, how they fit into what the government technology stack already is, and then that will lead the path for other government departments to follow. There's none of that in there.
A
Helpful. Taking a look at the cyber strategy if you take away Trump's kind of preamble at the beginning there, this is four pages long. And I know, Tom, that you have read through a few strategies in your time. Is that kind of standard?
B
Mostly they're longer. So I think different countries have different cultures around them. So the Australian culture, for example, is to have a lot of detail about where the money's coming from, how much you're going to spend, what project in particular will get that amount of money, and it's down to the hundreds of thousands of dollars, what those different projects are. I'm not really a fan of that. I think a strategy document should be setting out what you want to try and achieve, and you don't need necessarily to spell out all the nuts and bolts. It's probably not unhelpful, but I figure the point of the strategy is to say, this is what we want to do. This is how we're going to win whatever game we're playing. And so the problem I have with this strategy is not that it's short, it's that it doesn't have any choices about what we're going to do. So, for example, we're going to do a whole lot of really great things. Yeah, that's nice, but which one's the most important? I would love to do all these great things. So, for example, in the Shape Adversary Behavior pillar, it says, you know, we'll be the best cyberpower. We'll dominate everywhere. We'll tackle adversaries all over the place. And there is actually one really interesting idea in there, which is to unleash the private sector. And it doesn't explain at all what that might mean. Let me just find the words unleash the private sector by creating incentives to identify and disrupt adversary networks. So I think that's actually like, really interesting idea. That's an idea that has the potential to change the landscape, I suppose, in comparison to other, well, America's cyber adversaries. They have typically harnessed their private sector to do work essentially for the state. So it's kind of, you know, if we're trying to level the playing field, this is a great way to do it. But it's buried in the middle of the paragraph. It's not even like, is it more important than other things? 
Is it something you're going to focus on? I don't know. And so it doesn't feel like it's really interesting, but it's not. It's the sort of thing I would have made more the centerpiece, because you're doing all these other things anyway. They're, you know, using Cyber Command more, using FBI disruption more. You already have the tools in place to do this. This is a new thing, but it's just sort of left hanging out there.
A
Yeah. And as you, as you sort of pointed out in the newsletter as well, Tom, it's not the easiest of the things in the strategy to implement.
B
Well, I think it's really easy to do something where you've got unintended consequences. And so this is the sort of thing where you want to get your ducks in a row so that you're not making things worse for some reason. And that takes a lot of policy thinking considering trade-offs. It's not necessarily something that has been the Trump administration's strong suit, I don't think. But going back to the strategy overall, I guess my criticism is you've got this game changing idea and it's buried in the middle of a paragraph and it's not highlighted as here's something new and different that we're doing. Here's a way of really reshaping the environment and that it's concerning because it doesn't mean I've got no confidence that I'll actually devote the time and effort I think it should get.
A
Mm. We've talked a little bit and you've written in the newsletter as well, about the fact that some of these pillars seem to kind of contradict what the US Government has been doing. Do you, Tom, have a lot of faith that now these have been written out and they have been published that that is not going to be the case anymore?
B
None at all. That's the short answer. I think the AI example is really interesting. So there's a lot in the strategy about harnessing AI to improve cyber security actually really totally makes sense. Again, it's the sort of thing where like a focus project I think would really be useful. Very helpful as it is, it's just a collection of we will do this, we will do that. The problem, I think is that like in the weeks before the strategy was announced, the Pete Hegseth at the Department of War basically picked a fight with Anthropic. So it takes two to tango. I think Anthropic could have done better there as well, but in the fallout, he's designated as a supply chain risk. So I think if you want to dominate AI, which is potentially very important for the future of the US and its interests, that seems just totally counterproductive. But it sort of fits within the dynamic of asserting government power and so in, I think the sort of hierarchy for the administration is demonstrating power and then, you know, so demonstrating power over an AI company is its primary, you know, it's, it ticks all. It's what it. It's at the top of the hierarchy of needs. And so I don't think that changes when you release a strategy like you still want what you want, but you never know. Now, at least there's a paper with President Trump's name on it to point to.
A
Hey, Tom. I want to move on to something that's kind of on everyone's mind this week, the Corona exploit kit, which has now been revealed to have been developed by L3Harris Trenchant. Tom, you have in the newsletter looked into this argument of whether the risk of having private organisations develop these tools for government use is worth the risk of them potentially handing, winding up in the hands of adversaries. And you, Tom, have come out the other side and said, yes, in fact, it is.
B
Yeah. So every time there's a leak like this, this argument pops up. I think it's a legitimate one. I think the view from inside intelligence organizations is that we do all these things to keep secrets. We have personnel vetting, we have lockdown facilities, there's a lot of computer and personnel security. Things are very inconvenient, to be frank, and that means we can keep secrets. I think the track record is that now we've got several examples where quite powerful techniques tools have leaked from intelligence agencies. And it seems like it's not a certainty, but it's a very high likelihood over a long enough period of time. So we've got 2016 Shadow Brokers, 2017 from CIA Vault 7 leaks, and now this from a private sector, basically a defense contractor subsidiary. And so I think there's really two messages there. One is for people who work in those agencies, yeah, leaks are going to happen. I guess it's easy to fool yourself that they're not. And it's about, I guess, adjusting whatever balance there is. I know a few people who ended up in organizations like Trenchant and sometimes some of those people left government work because the security restrictions were outrageous. Maybe not outrageous, but they were very definitely stringent. And I guess my message to them is, yeah, like exploits do leak. This is something that is a pain for everyone and unfortunately security will be getting tighter and it's just a nature of the business. Now, part of my argument that it was worthwhile is that usually you have an exploit leak and the adversary uses it for a relatively short time. And so you take what was an ongoing capability for the. This is a loaded term but I'll say for the good guys and betraying my own bias and that the bad people get to use it for a relatively short period of time. So I go into the piece of a couple of examples where in fact adversaries used it for months and intelligence agencies had used it for years prior.
A
Now this Corona kit is a little bit different.
B
Yep.
A
Right.
B
So the story is that it was leaked over a number of years. It appears that whoever. So it was leaked to a zero day broker and they on-sold it to someone, we don't know who. It seems that that someone had access to it for a couple of years where it was current and capable of affecting the most up to date iPhones it seems like. So a couple of years actually seems like a relatively long time. At the same time this didn't prevent Trenchant's customers from using it. So it's not as if they lost anything. I think the real loss is whatever damage was done to US geopolitical interests. And we don't know what that was because we don't know who that customer was and we don't know what they used it for. By the time Google discovered it it was, I think it was like a hand me down sweater or something like that. It was no longer quite as current it had been, it was no longer that useful for the first customer, probably the most significant customer from a geopolitics point of view. And so they'd, I don't know, they sort of eBayed it off I guess. And it was used against Ukrainian interests and then it was used most recently by Chinese crypto and gambling websites. So it's like slowly going down the
A
bottom of the hierarchy pole there. Yeah, yep.
B
I think it's like, you know, a 1983 BMW M3 that's now been driven by your redneck cousin or something, I'm not sure. And so we don't know what that damage was like. I'm sure it was significant but at the same time that was an ongoing, I guess you'd call it a program. Right. Where Trenchant was providing these up to date capabilities, updating them. Whoever the legitimate customers were had a UBT capability that was just ongoing, whereas these adversaries, whoever they are, had it for a couple of years. So I think just measuring it in time, I'll concede is not the most accurate measure, but I think it is a measure and so I think that on the whole these programs are worth doing. It's just, you know, each time a leak like this happens, there's changes in procedures and practices and life gets a bit more annoying and difficult.
A
We should also mention as well, if you do want to take a bit of a deeper dive into Karuna, our colleague affectionately known around the office as the New Guy James, James Wilson, has done a very deep dive into Karuna in a podcast in our features feed, so you can find that on Risky Biz as well. Hey Tom, we will leave it there, but thank you so much for joining me yet again. And of course you can read and subscribe to Tom's Seriously Risky Business newsletter over at our website, Risky Biz. But Tom, always a pleasure and look forward to chatting again next week.
B
Thanks Amber. Sam.
Risky Bulletin Podcast Summary
Episode: Srsly Risky Biz: President Trump’s best ever cyber strategy
Date: March 12, 2026
Host: Amberly Jack
Guest: Tom Uren
This episode unpacks the newly released US Cyber Strategy under President Trump, focusing on its six pillars and the gap between written policy and government action. It also delves into the risks and trade-offs of relying on the private sector for offensive cyber tools, using the Karuna exploit kit leak as a case study.
“The one that stood out to me is the very first pillar, which is shape adversary behavior. Like I said, the administration likes to demonstrate American power… annihilating them utterly. That’s something everyone is behind.”
“The problem I have with this strategy is not that it’s short, it’s that it doesn’t have any choices about what we’re going to do. For example, we’re going to do a whole lot of really great things. Yeah, that’s nice, but which one’s the most important?”
“None at all. That’s the short answer.”
“Usually you have an exploit leak and the adversary uses it for a relatively short time. Intelligence agencies had used it for years prior.”
“I think it’s like, you know, a 1983 BMW M3 that's now been driven by your redneck cousin or something.”
Tom and Amberly close with practical skepticism toward the Trump administration’s cyber strategy, citing a focus on show-of-force at the expense of deeper, more coordinated reforms. The episode calls attention to the risks and recurring challenges in government-private sector collaboration for offensive cyber capabilities, arguing that despite setbacks, the approach still holds value.
Listeners are encouraged to check out further coverage on the Karuna exploit kit by team member James Wilson on the Risky Biz features feed.