IST Chief Strategy Officer Megan Stifel provided the opening keynote at CyberNextDC 2025 on October 8, 2025, hosted by the Cybersecurity Coalition and the Cyber Threat Alliance. What follows are her remarks as prepared for delivery.
Good morning. Thanks to Ari, Bri, & Michael. We’re very appreciative of the opportunity to partner with you all over the years on a number of projects, many of which have focused on ransomware. The new Administration is getting settled in and–up until recently–we were roughly “on schedule” for political leadership across recent administration changes.
We’re here today as members of the cybersecurity community. In my remarks today, I’m going to talk about some things that have been going right—and not so right—in a way that might inform the Administration’s approach. But it’s important to remember that our collective lack of political will to realign incentives and shift the responsibility for security onto the organizations best positioned to manage it has left us vulnerable. So too has our failure to realign our enforcement and investigative resources to focus on the actors and activities that put us at highest risk. As a result, we’re exposed not just to ransomware, but to cross-sector, cascading failures.
These failures don’t just threaten our wallets, they put human lives at risk. So far, we haven’t felt the full impact of these cascading failures at scale. And I truly hope we never do. But here’s the truth: we will never achieve a vision of advancing national security and global stability through technology built on trust if it’s just us–the cyber experts–having the conversation.
Now, with that sustainability-framed soap boxing out of the way: there is a lot we can do in our own policy sphere to improve the nation’s cybersecurity posture. And thus, I thought CyberNext would be a great place to take stock of the past and consider what policymakers and industry can do to best support this vision of a future enabled by secure and trustworthy technology.
The Ransomware Task Force is a useful, though imperfect, model for such an exercise. As many of you probably remember, in the early days of the prior administration, we were still dealing with the sudden shift to work from home. That shift further opened the door for criminals and nation state actors to take advantage, make profits, and extend their footholds in our digital ecosystem.
The Task Force set out in 2021 to identify key actions governments and industry could take to help mitigate the scourge of ransomware, recognizing that many such actions wouldn’t just combat ransomware; they would also have knock-on effects that would also build resilience to other cybersecurity threats along the way. Ransomware served as a talking stick to cut through reactive, attack-driven responses and clarify the focus on actions that could bring about ecosystem-level change. So, with the Task Force as our lens–and with National Cyber Director Cairncross installed and a new cybersecurity strategy on the horizon–let’s, as Alice does, peer through the looking glass.
We need to reflect on where we’ve been, yes, but also see past that reflection to look to the future. In fact, I propose to you all that the evolving threat and policy landscapes have opened up the possibility for novel policy solutions. And, to frame our journey, I’ve chosen another classic–albeit one published 95 years after Lewis Carroll’s novel: Sergio Leone’s 1966 western The Good, the Bad, and the Ugly. For someone whose early career involved wiretapping terrorists, who then expanded into cyber, and who is a lawyer, I’m still an optimist. So let’s start with the good.
We should celebrate progress in building international cooperation to combat ransomware. Just in the past few weeks, we’ve seen arrests of key actors responsible for disruptions in the UK, United States, and across Europe. These arrests are part of an upward trend in international, sequenced operations across governments–and with private sector partners–that have targeted LockBit, Hive, and BlackSuit, to name just a few. Earlier this year, ODNI asserted that international law enforcement operations were responsible for slowing the year-over-year growth in reported ransomware attacks from 77 percent in 2023 to just 15 percent in 2024.
And in other good news, we are seeing lower rates of ransom payments. According to Coveware, roughly a quarter of victims were paying ransoms in the last quarter of 2024, down from 50% of victims in prior years. This drop is likely the result of a combination of the LE efforts to disrupt the threat actors, in addition to improved defenses and better recovery strategies.
The Counter Ransomware Initiative is another example of progress in the international arena. Later this month, the group will meet for the 5th year in a row. Its ranks have grown from 31 to now over 75 members from governments and international organizations, and last year the CRI added a six-member private sector advisory panel, which IST was honored to join as the U.S. participant. At this year’s Summit, the CRI will participate for the first time in a tabletop exercise with industry, supported by IST and our partners in the Ransomware Task Force. We hope this will be the first of many opportunities for greater industry participation in the CRI.
Building on the utility of the CRI, IST has been working in collaboration with the Organization of American States on a country-specific ransomware task force for Brazil, and we’ll be publishing our final report this fall. We also anticipate launching an RTF for Mexico within the next month.
But to defeat ransomware, we know that international collaboration must extend beyond the formalities and pleasantries of the CRI. The RTF and others have emphasized that limiting profits is central to eradicating ransomware. As you all know, crypto is king in the land of ransomware. When the Task Force issued its 2021 report, the ransomware payment ecosystem was underexplored as a potential means of cutting into criminal gains. We built a map of the payment ecosystem, depicting the entities that could have visibility into a payment once initiated by the victim or an associated organization. With this assessment in hand, we can now better identify points in the payment process and with them the relevant entities with whom we can collaborate to gather additional intelligence or induce friction, including asset seizures.
Whether we’re talking about gathering intelligence or interdicting payments, however, there’s an assumption that the exchange complies with existing requirements, like FATF Recommendation 16, also known as the Travel Rule, which requires Virtual Asset Service Providers and financial institutions to collect, hold, and transmit certain information about the originator and beneficiary of a virtual asset transfer to prevent money laundering and terrorism financing.
With the Travel Rule, the framework to follow—and stop—the money is now fully in place. Troublingly, however, of the CRI members who are members of the FATF, few have implemented the Travel Rule. This Administration has a unique opportunity to continue to advance the ball. Proactively working to regulate cryptocurrencies and fold them into traditional financial structures makes them easier to incorporate into transnational frameworks—and to stop fraud and other illicit uses of crypto, including ransomware. We have heard the Administration state they want to expand digital currencies to complement traditional financial payments–or even take their place. We’ve heard that they want to build public trust and confidence to usher in a new era of finance and innovation. Leveraging advances in domestic rulemaking to push partners to treat digital currencies under a more traditional KYC/AML regime could be a great step in the right direction.
The point of these examples is not to pat ourselves on the back or to suggest that the next steps will be easy. Rather, it is to highlight areas–international cooperation, following the money–where both the solution is correct and the trendline is positive. In any review of the current cybersecurity posture, success against these two criteria should point to continued support. But what happens when we aren’t seeing progress–either because the solution is faulty or implementation is lackluster? We find ourselves in the land of the bad. While by our account 50% of the Task Force’s original recommendations have seen significant progress, 50% have not. It’s those lagging 24 that I want to focus on: the unfinished business, which also has broader implications for our national resilience to ransomware and other urgent cyber threats.
Recognizing the insecure and end-of-life platforms that in large part enabled ransomware to disrupt organizations both large and small, the RTF recommended exploring a range of incentives–government grants, tax breaks, fine alleviation, insurance subrogation–that would drive long-term adoption of more secure practices and technologies. Yet what we see today are grant programs ranging from window dressing to check-box exercises that, while well-intentioned, fail to drive meaningful improvements for their intended recipients. That’s because they fail to address a root cause of vulnerability: antiquated, inefficient systems. For the government–when it’s open–dependence upon these outdated systems is a productivity tax.
Outside of government, both for those relying on government services delivered through these dinosaurs and for those who can’t afford to or are unable to upgrade, overcoming this debt is like running through quicksand–an Alice in Wonderland kind of struggle where our attempts to get out leave us further mired in the muck, with legacy systems never truly going away.
This Administration has already shown incredible impatience with some of the antiquated processes that have become entrenched over the years. I would urge them to channel this energy towards some of the IT systems that reflect these processes. The cyber Executive Order from June continues to push for a “rules-as-code” approach that reflects this principle. But without significant investments to replace legacy IT, both within government and in key critical infrastructure, like state systems or water facilities, technological constraints will remain an economic barrier—and a key source of national security vulnerability.
If the case for IT modernization is strong, but execution is weak, what about targeted cybersecurity investments? Sadly, it’s pretty much the same story. Consider the Cyber Safety Review Board report on Storm-0558. State Department employees successfully discovered very advanced actors in their systems because State had invested in cybersecurity tools. Even the rash of recent edge network device exploits, like the Cisco vulnerability from a couple of weeks ago, is driven by threat actors’ desire to dodge monitoring technology.
This is actually good news. Our adversaries are being forced to react to our defensive measures. Our interventions are working. Except the momentum behind these targeted investments in core cybersecurity technologies and capabilities, like logging and endpoint monitoring, that were driven by SolarWinds and spurred by efforts like the RTF, has nearly completely died out:
- The billions of dollars requested to enable core cybersecurity functionality on government systems have mostly failed to materialize.
- The CISA State and Local Cyber Grant Program has expired.
- The future of the wildly successful FCC cybersecurity pilot for schools and libraries is in limbo, something that my IST colleagues and others in this room have recently weighed in on following the Supreme Court’s decision on the constitutionality of the Universal Service Fund.
- In other words, whereas those with resources are successfully increasing the degree of difficulty for adversaries to gain access—and seeing a corresponding drop in opportunistic targeting—those on the front lines who lack the resources to protect themselves with effective tools are exposed.
Yet this is also a bright spot for the Administration: the Fiscal Year 2026 President’s Budget includes new money for the EPA to provide these sorts of targeted investments for water facilities. This targeted approach will be critical to restarting the momentum that had begun to lag long before the current team came in.
Of course, these interventions are focused on users of technology. What about the producers whose software is, per the Verizon DBIR, increasingly used as an initial access vector to get on victims’ systems? Secure by Design, which describes a decades-long effort to advance a secure software development lifecycle to enable a market dominated by products that are secure from the start, is in its nascent stages as a government priority, when it should be a point of pride for many U.S. companies.
Of greater importance, however, is the return on investment that would flow from a tech policy strategy that places a high priority on shifting to a “secure-to-market” business strategy, including through procurement and other incentives. Instead, today entities in financial services, retail, basically all software-dependent sectors, spend substantial resources managing third- and fourth-party risks–risks created in large part by, in the words of JP Morgan Chase CISO Pat Opet, “fierce competition among software providers [that] has driven prioritization of rapid feature development over robust security.”
To put a finer point on it, leading U.S. companies are expending significant resources on cleaning up other U.S. companies’ sloppy software. These are funds that could otherwise support new products and services–in other words, innovation. A great first step would be to close out procurement changes, such as those in the Internet of Things Cybersecurity Improvement Act of 2020—signed by President Trump in his first term—that have been languishing for the last nearly five years.
And with that, we’ve arrived at the ugly: issues where solutions haven’t really been tried, but where I’m nonetheless hopeful we can see some progress. When we launched the RTF report, ransomware gangs were directly harming organizations by locking victims out of their data. Today, that is less prevalent, in part because of the progress policymakers made, and in part because of industry advances. So why isn’t this part of the good? Because through the looking glass, it turns out you don’t need to lock up data to extort victims.
Now, we’re seeing what some refer to as criminal lawfare. Remember when ALPHV reported MeridianLink to the SEC for failing to comply with the requirement to report material incidents within 4 days, which at the time wasn’t even in effect? Criminals are using our best regulatory intentions against us. And they are leveraging the threat of lawsuits, whether from shareholders or nominally aggrieved customers, to raise the stakes.
Addressing these challenges requires a new type of policy intervention, one which aims to reduce the cost of defeating a frivolous lawsuit—while still preserving the ability to hold companies accountable for negligence. Policymakers must not eliminate reporting requirements altogether. We still live in a suboptimal information environment. Instead, they should continue work to harmonize and streamline reporting in the United States and internationally. At the same time, we must recognize that criminals are looking to exploit our legal system for their own gains. All of these are also themes we hear from the Administration, so I am hopeful we will see increased attention on this pernicious issue.
But the ugly gets worse and far more dangerous for everyday Americans. Some of you know that my colleague Joshua Corman, who will join the Luminaries panel in a few minutes, is leading a project as part of the Cyber Resilience Corps, thanks to the support of Craig Newmark Philanthropies. His project, UnDisruptable27, seeks to bolster the resilience of our lifeline critical infrastructure. The water we drink, the hospitals we rely on, and the power we use in our daily lives are essential—without them, our already brittle communities will break. As Josh likes to say, we are too dependent on undependable things.
Josh’s project responds to a reality that we have known for several years: state actors attributed to the PRC have compromised the IT systems of several critical infrastructure sectors, including communications, energy, transportation, and water and wastewater. Some of these actions have gone beyond traditional espionage. They reflect a more aggressive approach by the Chinese government: one that involves pre-positioning in our infrastructure to disrupt these critical functions or to deter us from acting against the PRC in a time of crisis.
Last year, we also learned that actors from the MSS had gained access to more than 600 organizations after infiltrating global telecommunications carriers. According to public reporting, Salt Typhoon’s multi-year campaign not only compromised the United States’ lawful intercept programs, but also built the ability to track the movements of U.S. intelligence officers, law enforcement and its sources, and other high priority targets across the country. By some reports, it could track any American, anywhere.
The Administration has shown a willingness to leverage our capabilities across a broad range of policy areas to bring about change in the international trade landscape. Addressing the “Typhoons” could be an opportunity to elevate cybersecurity challenges in the US-China relationship. These challenges are core to our national security, public health and safety, and economic security, yet cybersecurity has been on the back burner for years.
So where does this leave us? When we step back through the looking glass, where do we find ourselves? I would say: there’s a lot to be said for being reflective. When we hold up a mirror and see the good–more frequent disruptions, an expanding CRI, bringing the crypto economy into the light–we know where we can double down, but also where policymakers’ attention need not linger. When we see the bad–the missed opportunities on IT modernization, stalled momentum on targeted cyber investments, unimplemented secure by design proposals–we know where follow through is missing, where we need to find the drive to succeed. But most importantly, when we see the ugly–criminal lawfare and the rapidly increasing sophistication of PRC cyber threats–we know it’s time to step through the looking glass. Looking backwards will only get us so far, and we need to see novel policy thinking. That, anyway, is how I reflect when I look back at nearly five years of the Ransomware Task Force.
And I think the White House, and Director Cairncross in particular, have a unique opportunity in their forthcoming strategy to let the good flourish, push the bureaucracy to overcome the bad, and lead the country to tackle the ugly. What can I say: despite what you might think, I am an optimist! I’m an optimist when I remember the struggles our adversaries go through to attempt to counteract our defense. I’m an optimist when I remember the progress we can make when policymakers and practitioners come together to address urgent national security needs. I’m an optimist when I remember the wonderful things I’ve seen accomplished by the community gathered here, in this room. And, as Lewis Carroll wrote in Through the Looking Glass: “It’s a poor sort of memory that only works backwards.” Thank you!
