I, like many others across the cyber community, am eagerly awaiting the Trump Administration’s forthcoming cyber strategy. National Cyber Director Sean Cairncross has said the drafting process spans the entire interagency and prioritizes “speed, resiliency and looking to harden and modernize.” He has also emphasized fostering partnerships with the private sector, improving incentives for information sharing, and looking “for friction points to eliminate.” These are promising previews. They build on the Administration’s first-term cyber strategy, and the strategies of prior Administrations.
To deliver on these objectives, the Trump Administration’s forthcoming cyber strategy must pave the way for reduced internal and external barriers that prevent the U.S. government and industry from fully leveraging their collective capabilities to disrupt malicious cyber actors, including ransomware gangs and nation-state adversaries. At the same time, maintaining America’s global leadership position and safeguarding the homeland requires that these efforts to manage and disrupt cyber threats be grounded firmly within the rule of law.
When the new strategy comes out, I will be watching closely for how it aims to scale cyber disruptions, reduce friction points, and incentivize public-private collaboration that are essential to securing critical infrastructure and protecting American innovation.
The Trump Administration’s first National Cyber Strategy was light on public-private collaboration to combat cyber threats—an approach often referred to as operational collaboration. In Pillar Two, it emphasized working with industry to reduce technological barriers to obtaining time-sensitive evidence and collaborating with governments to reduce barriers to cooperation. Pillar Three underscored efforts to work with private-sector partners and others to identify, counter, and prevent the use of digital platforms for malign foreign influence operations. It also included a broad commitment to work “with partners when appropriate to impose consequences against malicious cyber actors in response to their activities against our nation and interests.”
In its 2021 report, the Ransomware Task Force called on the U.S. government to advance a whole-of-government strategy for reducing ransomware attacks, led by the White House; to disrupt the system that facilitates the payment of ransoms; and to target the infrastructure used by ransomware criminals. To achieve these and other objectives, the task force recommended that the government increase the sharing of ransomware intelligence; create target decks of ransomware developers, criminal affiliates, and ransomware variants; and conduct a sustained, aggressive, public-private anti-ransomware campaign.
The 2023 National Cybersecurity Strategy likewise called for integrated federal disruption activities and enhanced public-private operational collaboration. It encouraged industry to work more closely with public and private sector partners and committed the federal government to helping to overcome longstanding barriers to such collaboration.
At IST, we have spent the last several years analyzing the factors behind successful disruptions, investigating cases like Hive, Trickbot, and Emotet, among others. In addition to what went right, we have also been focused on what went wrong. In collaboration with a range of government and industry stakeholders involved in disruption, we have attempted to identify key obstacles to success. Most often, we found that it comes down to actually understanding stakeholders’ priorities.
Industry remains eager to collaborate with the government to stop the abuse of their own and others’ platforms and technologies, including through information sharing and other actions to protect their rights and property. Yet we still too often hear that information sharing remains a “one-way street.” In other words, industry voluntarily discloses cyber threat indicators and related information to the government, but rarely hears whether the information was useful or how it will be used.
While detailed investigative steps must of course remain protected, industry is too often left waiting. In some cases, they are even exposed: learning only after the fact that their information was used in a disruption operation, without the opportunity to prepare for impacts on their own research or operations. This exposure could further frustrate engagement—pushing it below even the current, sub-optimal levels.
Who benefits most from these silos? Threat actors.
At least two major companies now maintain dedicated threat actor disruption units. This fall, Google announced it is establishing a cyber disruption unit; Microsoft established its Digital Crimes Unit in 2008. Microsoft has used criminal referrals and been granted court-authorized protection for its disruptive efforts. Similarly, Google has filed at least two lawsuits in federal court to disrupt threat actors.
These units, together with entities like the NCFTA and J-CAT, are central to scaling global disruptive efforts. But to drive lasting impact, more can and must be done to leverage the insights and abilities of these and other industry partners. To start, the government can help break down information and capability silos by reducing the policy barriers that keep it from routinely sharing its priorities with industry. Addressing these barriers would significantly improve the government’s ability to collaborate more closely with industry on sustained counter-ransomware and similar campaigns.
The trend line in international disruptions has been positive. We are seeing more disruptions, faster disruptions, and bolder disruptions. And with fewer friction points—both within government and between government and industry—these disruptions could have an even greater impact on the ransomware ecosystem and serve as a model for countering other threat actors, including nation states. Like many in the cyber community, I am eagerly awaiting a cyber strategy that leads to such an outcome, and stand ready and willing to assist in achieving its objectives.
Megan Stifel has worked at the intersection of national security, law, and technology for more than two decades. She is currently the Chief Strategy Officer at the Institute for Security and Technology, where she also serves as Executive Director of the Ransomware Task Force. Megan previously served as a Director for International Cyber Policy at the National Security Council and in the US Department of Justice as Director for Cyber Policy in the National Security Division, as well as in the Criminal Division’s Computer Crime and Intellectual Property Section. She also worked for the US House of Representatives Permanent Select Committee on Intelligence. Megan is a Member of the Aspen Global Leadership Network and a Fellow at the National Security Institute.