When the FBI and NSA failed to show up at RSA Conference 2026 in San Francisco this week, it wasn't a scheduling conflict. It was a stark sign of dysfunction in how America's government and private security firms coordinate against nation-state cyber threats.
A panel titled "Inside the Hunt for China's Typhoons: Disrupt, Deter, and Defend" was originally advertised as a behind-the-scenes look at joint FBI, NSA and industry operations against Beijing's cyber groups. Instead, federal speakers cancelled entirely, leaving an actual empty chair on the stage alongside private-sector panellists. The message was unambiguous.
What makes this absence particularly troubling is the timing. Australian Security Intelligence Organisation director-general Mike Burgess warned in November 2025 that hackers linked to the Chinese government and military had attempted to access Australia's critical infrastructure, including telecommunications networks, with the groups Salt Typhoon and Volt Typhoon also infiltrating U.S. systems for espionage and potential sabotage. The U.S. Cybersecurity and Infrastructure Security Agency, National Security Agency and Federal Bureau of Investigation assess that People's Republic of China state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.
Yet even as these threats materialise, the institutions responsible for coordinating defence are retreating from the forum where they could do it most effectively.
The real scandal here isn't simply that government officials didn't attend a conference. It's the institutional failure that their absence exposes. Budget-driven absence is a logistical inconvenience, but a deliberate policy decision to reduce engagement with private industry at a moment when ransomware groups are targeting critical infrastructure at scale is a different matter entirely.
Consider what the private sector brings to this fight. An estimated 85% of the nation's critical infrastructure is owned and operated by the private sector, making their involvement in national cybersecurity unavoidable. When these companies discover intrusions, they often move faster than government can. EY managing director Dave Scott, who formerly led the FBI's Cyber Operations Branch, explained the tension candidly during the panel discussion: "We were, with the government, waiting for legal process and then waiting for the approvals and everything else to share that information."
That friction isn't academic. During the Scattered Spider campaign around 2023, Scott and others proposed standing up a real-time coordination cell between private and government cyber hunters. It never happened. Years later, the problem persists. Private firms identify threats and possess "exquisite information and intelligence," yet bureaucratic delays prevent urgent sharing at the moment it matters most.
To be fair, the case for this coordination runs both ways. Government agencies have investigative visibility and intelligence resources that private defenders simply lack. Recent ransomware operators are pivoting to identity infrastructure and phishing campaigns, categories where federal law enforcement and intelligence agencies have investigative visibility that private-sector defenders lack. Without government input, the private sector cannot see the full picture of these operations across multiple targets.
Yet the institutional incentive structure works against real-time collaboration. Classification rules, legal constraints, budget cycles and organisational turf wars create friction that adversaries exploit. When the FBI and NSA don't show up at the security industry's largest annual gathering, they're not just failing to attend a conference. They're signalling that something in the system is broken.
Coordinated partnerships between the government and private entities can provide the additional resources necessary to employ effective cybersecurity measures, and as cybersecurity is a complex field, implementation of capable cybersecurity may be beyond the capability of each party on its own. That premise assumes government and industry actually show up to the same table.
Whether the federal absence reflects budget cuts, policy shift or simple institutional inertia, the result is the same: a public-private partnership that exists only on paper whilst real threats advance on multiple fronts. San Francisco got an empty chair instead of answers.