Risky Bulletin Podcast Summary
Episode: Srsly Risky Biz: President Trump’s best ever cyber strategy
Date: March 12, 2026
Host: Amberly Jack
Guest: Tom Uren
Main Theme
This episode unpacks the newly released US Cyber Strategy under President Trump, focusing on its six pillars and the gap between written policy and government action. It also delves into the risks and trade-offs of relying on the private sector for offensive cyber tools, using the Karuna exploit kit leak as a case study.
Key Discussion Points & Insights
1. The Six Pillars of Trump’s Cyber Strategy
- [00:58] Amberly introduces the main topic: “Tom, let's talk about Donald Trump’s cyber strategy for America. This strategy, there are six pillars of action here.”
- [01:06] Tom sets the stage: The Trump administration cares strongly about projecting American cyber power (“shape adversary behavior”) but has been undermining or neglecting other pillars.
2. Administration’s Focus and Contradictions
- [02:06] Tom on the main pillar:
“The one that stood out to me is the very first pillar, which is shape adversary behavior. Like I said, the administration likes to demonstrate American power… annihilating them utterly. That’s something everyone is behind.”
- Tom expresses discomfort with the aggressive tone, though acknowledges the logic behind showing power.
- [03:01] Other pillars, such as modernizing and securing federal government networks, are seen as necessary but underfunded and understaffed—particularly as agencies like CISA have faced drastic budget cuts.
- “Up until this point in the administration, the Cybersecurity and Infrastructure Security Agency, CISA, it’s basically being cut drastically. So they’ve had to really slim down and focus on particular things.” (03:31)
- [04:00] Amberly and Tom emphasize the lack of centralized leadership and missed opportunity to transform government cyber capabilities using new technologies like AI.
3. The Nature and Limitations of the Strategy Document
- [05:51] The strategy is short (four pages without Trump’s preamble). Tom contrasts this with more detailed strategies used in countries like Australia.
- [06:10] Tom critiques:
“The problem I have with this strategy is not that it’s short, it’s that it doesn’t have any choices about what we’re going to do. For example, we’re going to do a whole lot of really great things. Yeah, that’s nice, but which one’s the most important?”
- [07:00] The “unleash the private sector” idea is buried in the text and not given prominence despite being potentially “game-changing.”
- Quoting the strategy: “Unleash the private sector by creating incentives to identify and disrupt adversary networks.”
- Tom sees this as innovative, paralleling how US adversaries often leverage their private sectors for state purposes.
4. Implementation Skepticism and Contradictory Actions
- [09:46] Amberly asks if Tom believes the publication of the strategy will change government behavior.
- [10:07] Tom is blunt:
“None at all. That’s the short answer.”
- The team discusses a recent public spat with AI firm Anthropic. Tom argues that if the US wants to dominate AI for cybersecurity, making enemies in the sector is “totally counterproductive.”
5. The Karuna Exploit Kit Leak – Is Private Sector Involvement Worth It?
- [11:51] The conversation pivots to the Karuna kit, developed by L3Harris Trenchant, leaked over several years and sold to unknown adversaries.
- Tom’s position: Despite leaks, the benefits of government/private sector collaboration on cyber tools outweigh the risks.
- [12:26]
“Usually you have an exploit leak and the adversary uses it for a relatively short time. Intelligence agencies had used it for years prior.”
- [15:09] Karuna was leaked, resold, and used for about “a couple of years” against US interests before trickling down to criminal activity (“…used against Ukrainian interests and then most recently by Chinese crypto and gambling websites. So it's slowly going down the bottom of the hierarchy pole…”).
- [16:49] Tom’s analogy:
“I think it’s like, you know, a 1983 BMW M3 that's now been driven by your redneck cousin or something.”
Notable Quotes & Memorable Moments
- Tom Uren [02:06]:
“Taking it to the adversary and destroying them, annihilating them utterly. That’s something that everyone is behind. And I’m actually… not really a fan of that aggressive language, but the actual intent is fine.” - Tom Uren [06:10]:
“The problem I have with this strategy is not that it’s short, it’s that it doesn’t have any choices about what we’re going to do… which one's the most important?” - Tom Uren [10:07]:
“None at all. That’s the short answer.” (On confidence in improved alignment between policy and practice.) - Tom Uren [12:26]:
“I think it’s a legitimate argument… the track record is that… quite powerful techniques tools have leaked from intelligence agencies.” - Tom Uren [16:49]:
“It’s like, you know, a 1983 BMW M3 that's now been driven by your redneck cousin.”
Timestamps & Key Segments
- [00:58] – Introduction to Trump’s Cyber Strategy and six pillars
- [03:01] – Discussion on cuts to CISA and modernization challenges
- [05:51] – Strategy document length and comparative approaches
- [06:10] – Lack of prioritization in the strategy; the hidden “unleash the private sector” idea
- [09:46] – Contradictions between current government actions and new policy pillars
- [10:07] – Lack of faith in policy implementation
- [11:51] – The Karuna exploit kit leak: risk assessment and lessons
- [16:49] – Memorable analogy on exploit lifecycle
Final Thoughts
Tom and Amberly close with practical skepticism toward the Trump administration’s cyber strategy, citing a focus on show-of-force at the expense of deeper, more coordinated reforms. The episode calls attention to the risks and recurring challenges in government-private sector collaboration for offensive cyber capabilities, arguing that despite setbacks, the approach still holds value.
Listeners are encouraged to check out further coverage on the Karuna exploit kit by team member James Wilson on the Risky Biz features feed.