Subcommittee on Cybersecurity and Infrastructure Protection Chairman Andy Ogles (R-TN) addressed the need for a stronger approach to offensive cyber operations during a hearing in Washington, D.C. The session focused on how the United States can improve its national security framework by evolving the roles of federal agencies and the private sector in cyberspace.
In his opening statement, Ogles emphasized that defensive measures alone are not enough to deter cyber threats. He stated, “Today, the Subcommittee is meeting to examine a reality that the United States can no longer afford to avoid, namely that deterrence in cyberspace does not exist without credible, lawful, and operational offensive cyber capabilities. Defense alone is not sufficient. Resilience alone is not sufficient. Public attribution alone is not sufficient.”
Ogles noted that while investments in cyber defense and resilience have improved the country’s ability to withstand attacks, they have not changed adversary behavior. He referenced recent public reports indicating that a Chinese state-sponsored group known as Salt Typhoon had compromised email systems used by staff supporting several congressional committees. This incident was described as part of an ongoing campaign by Chinese actors targeting various branches of government.
He explained, “These actors are not criminals acting for profit. They are instruments of state power. Their operations are deliberate, persistent, and strategic in nature. They are designed to extract intelligence, pre position access, and shape the battlefield long before a crisis or conflict emerges. They target not only the executive branch and private industry, but now once again the legislative branch itself.”
Ogles questioned why such threats persist despite existing efforts: “The question before this Subcommittee is not whether these threats exist. That is no longer in dispute. The question is why they continue, and what it will take to change the cost benefit calculation for adversaries who believe they can operate against the United States with impunity.”
He pointed out that current authorities for offensive cyber operations are spread across multiple agencies including defense, intelligence, law enforcement, and civilian organizations like CISA. According to Ogles, policy frameworks were created during an earlier phase of cyber threats and do not fully address today’s challenges where much digital infrastructure belongs to private companies.
The Trump Administration has indicated plans for a more proactive approach to cybersecurity by focusing on disrupting adversary capabilities before harm occurs and integrating private sector expertise into national efforts.
Ogles highlighted the significant role played by private companies: “The private sector is not merely a victim in cyberspace. American cybersecurity companies, cloud providers, telecommunications firms, and emerging technology startups are often the first to detect malicious activity, the first to analyze adversary tradecraft, and the first to develop tools capable of disrupting hostile infrastructure. In many cases, they already possess visibility and technical insight that rivals or exceeds that of the federal government.”
However, he acknowledged legal uncertainties faced by these companies regarding liability and regulatory risks which complicate cooperation with government agencies.
“Today,” Ogles concluded,”our witnesses will help us assess how offensive cyber capabilities can be responsibly integrated into a modern homeland security framework.”
###
