Global Cyber Policy in Focus: Reflections from RSA Conference 2025

Ilona Cohen
Chief Legal and Policy Officer

The RSA Conference 2025 again brought the cybersecurity community together at a critical moment. For HackerOne, it marked an opportunity to deepen our engagement in global conversations around collaboration, threat mitigation, and the role of good faith security researchers in cybersecurity. 

Throughout the week, we met with delegations from countries around the world to discuss cybersecurity priorities and best practices. RSA is a valuable forum for these exchanges—bringing together policymakers, regulators, and industry leaders to tackle the complex, cross-border challenges that define today’s threat landscape.

Key Themes from RSA: Sharing Security Responsibility and a Desire for Public and Private Cooperation

Speakers at RSA 2025 highlighted the dual collective-action problems shaping today’s cybersecurity landscape: an insecure technology stack and a diverse set of nation-state and criminal actors ready to exploit it. Speakers described the misalignment between who bears the costs of defense and who benefits from it—a recurring theme that reinforced cybersecurity’s nature as a public good. From the Expo floor to expert panels, there was broad agreement that addressing these risks requires more equitable burden-sharing across sectors and borders.

In that context, our conversations with government representatives explored how public-private collaboration models are evolving to meet these demands. Several former U.S. officials emphasized the need to accelerate attribution and intelligence sharing through more structured engagement with industry—steps they framed as foundational to any credible cyber deterrence strategy. European counterparts echoed these points, pointing to emerging efforts to formalize joint response capabilities. The takeaway was clear: meeting today’s threats will require more integrated, institutionalized cooperation between governments and the private sector.

Delegations Indicate Some Areas of Growing Consensus

International attendance at RSA was particularly strong this year, with numerous delegations seeking to understand and influence cybersecurity partnerships. There was strong alignment around core security principles: support for coordinated vulnerability disclosure, a commitment to secure-by-design development, and a desire to deepen cross-border cooperation on threat intelligence.

Governments increasingly recognize that they cannot act alone to deliver effective cyber regulations or robust vulnerability-disclosure programs. There’s a strong and growing consensus among international policymakers that ethical hacking and independent security testing have an essential role to play in the security of both the public and private sectors. Several countries are actively developing or refining legal frameworks to better support these practices—an encouraging trend that reflects the global shift toward openness, accountability, and collaboration. Durable, trusted partnerships with industry are increasingly viewed as essential to develop the resilient infrastructure and skilled workforce required to stay ahead of rapidly evolving cyber threats.

Opportunities for Deeper Partnerships Amid Uncertainty

Regional priorities, especially in relation to public-private cooperation, showed interesting variations:

Europe

European stakeholders highlighted an increased focus on control over data and infrastructure, championing formalized public-private frameworks through initiatives like national cloud proposals and the EU Cloud Certification Scheme. They stressed that they remain committed to enabling best-in-class products and services, but trusted partners will need to align with the EU’s more structured approach through regulation. Simplification efforts, which aim to harmonize GDPR, CRA, NIS2, and other requirements, were discussed, albeit in early stages and with a clear desire to maintain core protections.

Asia-Pacific & Pacific Islands

Delegations from this region emphasized that they are all in on the U.S. when it comes to operational collaboration with industry partners, particularly regarding foundational technologies. Other regional players are developing hybrid models that balance formal requirements with flexible implementation. The Pacific Island nations are particularly interesting, as they're advancing collective digital strategies that position private companies as development partners rather than just vendors.

Global and Transnational Mechanisms

Despite geopolitical headwinds, the most promising international initiatives all feature strong industry participation. The Tallinn Mechanism and Pall Mall Process were frequently mentioned as examples where private sector expertise directly informs international cybersecurity policy. These aren't just government-to-government discussions anymore: the most effective international framework processes have industry participants contributing their expertise about the threat landscape along with their government counterparts.

HackerOne is a Partner in Global Cybercrime Prevention 

As we saw across this year's discussions at RSA, stakeholders worldwide remain aware that they can't tackle cybersecurity challenges alone. Whether it's achieving digital sovereignty, streamlining regulations, or building effective coordinated vulnerability disclosure, the path forward requires genuine collaboration with industry partners. Industry brings critical technical expertise and day-to-day operational insights that can help tackle thorny collective action problems from cross-border cybercrime to supply chain vulnerabilities.

At HackerOne, we’re committed to being a trusted partner in this work. Whether it's advising on vulnerability disclosure policy, enabling secure development through ethical hacking, or fostering public-private collaboration, we’re focused on solutions that scale and support a more secure ecosystem.

There's no magic bullet or overnight fix, but by strengthening these vital trust relationships, we're building the foundation for a more secure digital future together. And that's something worth investing in.