Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Amberleigh Jack. This week's edition is sponsored by Thinkst. You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.
Photo: President Donald Trump, Gage Skidmore, Flickr license

President Donald Trump's Cyber Strategy contains an ambitious array of worthwhile goals. The administration's actions over the past year, however, directly undermine many of them, barring one. It raises the question: Can aggressive offensive cyber action compensate for lukewarm defensive efforts?

The strategy, released last Friday, one-ups the Biden era equivalent, at least superficially. Rather than five pillars, this one has six:

- Shape Adversary Behaviour
- Promote Common Sense Regulation
- Modernize and Secure Federal Government Networks
- Secure Critical Infrastructure
- Sustain Superiority in Critical and Emerging Technologies
- Build Talent and Capacity
The strategy's overall vibe is dominated by that first pillar: "Shape Adversary Behaviour". President Trump's foreword describes using cyber power for "disrupting and disorienting our adversaries". He concludes that "American Power will finally stand up in cyberspace".

The strategy's introduction expands on that same theme. It lauds cyber operations for supporting the "globe-spanning operation to obliterate Iran's nuclear infrastructure" and "leaving our adversaries blind and uncomprehending" during the capture of Venezuelan President Nicolás Maduro.

Although the language is far more aggressive, the first pillar feels like a continuation of one in the 2023 strategy: "Disrupt and dismantle threat actors". One significant difference, though, is a commitment to "unleash the private sector by creating incentives to identify and disrupt adversary networks".

This is the kind of game-changing thinking we look for in strategy documents. Even something as incremental as encouraging internet giants to be more active in tackling cybercrime would be a good start. Unfortunately, the idea is just one in a string of bold promises in this pillar and would be one of the harder ones to implement. It would require detailed policy work and careful consideration of tradeoffs, which is not exactly what we've come to expect from the current administration.

"Shape Adversary Behaviour" is the strategy's one pillar where the rhetoric does match the Trump administration's preference for aggressive action. So we expect that we'll be hearing a lot more about hard-hitting cyber operations. After all, it's not a demonstration of American cyber power if it is kept secret!

We'd love to say the rest of the strategy contains motherhood statements, but that would be overly optimistic. Too many goals in the remaining pillars have preemptively been undermined by actions taken by the Trump administration. Take "Modernize and Secure Federal Government Networks", for example, which contains many worthy goals.
It promises the government will elevate the importance of cyber in government leadership, implement cyber security best practices and "use the best technologies and teams to constantly test and hunt for malicious actors on federal networks". But you can't do all these wonderful things with one hand while dramatically cutting Cybersecurity and Infrastructure Security Agency staff with the other.

Under "Sustain Superiority in Critical and Emerging Technologies", the government says it will secure the AI technology stack, promote innovation in AI security, rapidly adopt the technology, and secure the data, infrastructure and models that underpin US leadership. It will also "call out and frustrate the spread of foreign AI platforms that censor, surveil, and mislead their users" (whether domestic AI platforms have the go-ahead to censor, surveil and mislead is left unstated).

We'd love to know how the administration intends to do this. We could get behind something like a small-scale Operation Warp Speed to achieve some of these goals and drive adoption of AI in government. But instead, the administration has picked a fight with leading AI company Anthropic. Last week the Department of Defense formally labelled the company a supply chain risk after a very public battle over how its technology could be used. So win the AI race by attacking your own companies? That hardly feels like a focussed effort to develop capability.

We also have concerns about "Promote Common Sense Regulation". It states that defence should not be a "costly checklist" and promises to "reduce compliance burdens". This is a real problem, and just this week a Government Accountability Office report determined that there is confusing and unnecessary overlap between different federal regulations. We are worried, however, that the overriding motivation here is not sensible regulation, but simply less regulation.
According to the strategy, streamlining cyber security regulations will "ensure that the private sector has the agility necessary to keep pace with rapidly evolving threats". If only regulations weren't such an impediment, companies would be so much better at security!

The final two pillars, "Secure Critical Infrastructure" and "Build Talent and Capacity", haven't been undermined by government actions recently. But both are Sisyphean, long-term challenges. We expect we'll see incremental progress.

The current administration is fully behind the first, offensive pillar, though. It leaves us wondering whether going all in on aggressively countering cyber adversaries will make up for half-hearted commitment to the rest of the strategy.

Even very effective takedowns and disruptive cyber operations are speed bumps rather than roadblocks. They slow adversaries, but don't stop them. The US government took down Volt Typhoon's botnet, for example, but that didn't stop the group for good.

Of course, there is no magic bullet that will stop America's cyber adversaries. Slowing them down is about the best that can be hoped for, so we fully endorse this. We just hope the other pillars will get a bit of love now that the strategy has been released.

Exploits Are Too Valuable To Be Kept Secret

This week, both Risky Business Media and TechCrunch independently confirmed that the Coruna exploit kit was developed by Trenchant, a division of US contractor L3Harris. This drives home the risk of advanced cyber espionage capabilities developed by private sector contractors being misused by adversaries. But the benefits of having these capabilities on hand still outweigh the risks of abuse.

The kit was discovered by Google's Threat Intelligence Group. There is also complementary analysis from mobile device security firm iVerify and from security researcher Daniel Wade.
On this week's Risky Business podcast, hosts Patrick Gray, Adam Boileau and James Wilson discuss the "truly exquisite" Coruna exploits. And if you want even more technical detail, Risky Business Enterprise Technology Editor James Wilson takes a ridiculously deep dive in this solo podcast.

In February this year, the former general manager of Trenchant, Peter Williams, was sentenced to seven years in prison after pleading guilty to selling exploits to the Russian 0day broker Operation Zero.

One concern regarding state cyber programs is that advanced cyber capabilities will be stolen and used maliciously. The WannaCry and NotPetya attacks in 2017, for example, both used the EternalBlue exploit that was stolen from the NSA by the Shadow Brokers. These attacks caused damages ranging from hundreds of millions to billions of dollars.

Prior to the Snowden leaks in 2013 it was unusual and rare to see leaks of damaging cyber-related material. Since then we've seen the Shadow Brokers leaks in 2016, Vault 7 in 2017, and now Coruna. At this point we'd have to concede that critics of these programs are right. Exploits will leak, at least sometimes.

But even when they are stolen and misused, we think developing these capabilities is still an overall positive. States typically take advantage of exploits for years while malicious users get a relatively short window of opportunity. For example, the NSA used EternalBlue for five years, but the vulnerability it took advantage of was quickly patched by Microsoft once it had been stolen. In fact, it was patched the month before EternalBlue was released publicly in April. WannaCry and NotPetya occurred in May and June respectively.

The Coruna situation is a bit different. In our view, the real damage is the harm to US interests if Coruna was used for espionage.
Williams' first sales occurred in 2022, but Google didn't detect Coruna being used in the wild until February 2025, at which point it was "used by the customer of a surveillance company". By July it was used in a watering hole attack against Ukrainian websites and by December it was being used on fake Chinese crypto and gambling websites.

In court documents the loss to Trenchant was asserted to be more than USD 35 million. By the time Google released its report, Coruna was only able to target around 10% of iPhones currently in use. Trenchant's customers had an ongoing capability that adversaries had for a couple of years.

At the time of Williams' guilty plea in October last year, we argued that governments need exploits and that there was still a role for private sector developers. We think these arguments still hold. The trick from a government's perspective is to maximise the benefit while reducing the risk of these capabilities going walkabout.

It's hard to maximise those benefits by doing a lot more hacking. Operations are constrained by OPSEC considerations and the real risk that using a tool will result in it getting discovered. So it comes down to risk, where it is much easier to clamp down on personnel security. To those exploit developers who leave government service because they get fed up with restrictive security practices, we have bad news. Get ready for body scans and bag searches.

Watch Amberleigh Jack and Tom Uren discuss this edition of the newsletter:

Three Reasons to Be Cheerful This Week:

- Tycoon 2FA takedown: The Tycoon phishing-as-a-service platform has been taken down by an international operation involving Europol and a number of European police forces acting alongside private sector stakeholders. Tycoon 2FA was designed to defeat protections such as multi-factor authentication, and Microsoft says it was responsible for around 62% of all the phishing attempts the company blocked. Microsoft seized 330 active Tycoon 2FA domains including control panels and fraudulent login pages.
- US to prioritise tackling cybercrime and fraud: Last week President Donald Trump issued an Executive Order to ramp up the fight against transnational organised crime scam operations. This in