Subcommittee on Cybersecurity and Infrastructure Protection Chairman Andy Ogles (R-TN) addressed the need for the United States to strengthen its offensive cyber operations during a hearing in Washington, D.C. The session focused on how these capabilities can be incorporated into a broader national security strategy, taking into account the changing responsibilities of federal agencies and the private sector.
In his opening statement, Ogles highlighted that while investments in cyber defense, information sharing, and resilience have improved the country's ability to withstand attacks, they have not deterred adversaries from targeting American networks. He pointed out that state-sponsored actors continue to infiltrate critical infrastructure with little fear of consequences.
"Today, the Subcommittee is meeting to examine a reality that the United States can no longer afford to avoid, namely that deterrence in cyberspace does not exist without credible, lawful, and operational offensive cyber capabilities. Defense alone is not sufficient. Resilience alone is not sufficient. Public attribution alone is not sufficient," Ogles said.
Ogles referenced a recent incident where "a Chinese state sponsored cyber actor known as Salt Typhoon compromised email systems used by staff supporting several congressional committees." He described this as part of an ongoing campaign by Chinese groups referred to as the Typhoon cluster. According to Ogles, these are "instruments of state power" whose actions are "deliberate, persistent, and strategic in nature."
He stated that these actors target both government branches and private industry: "They target not only the executive branch and private industry, but now once again the legislative branch itself."
Ogles questioned why such threats persist despite existing efforts: "The question before this Subcommittee is not whether these threats exist. That is no longer in dispute. The question is why they continue, and what it will take to change the cost benefit calculation for adversaries who believe they can operate against the United States with impunity."
He noted that current authorities over offensive cyber operations are spread across various government departments including those responsible for defense and intelligence gathering. Civilian agencies like CISA focus mainly on defense and response activities. Ogles argued that policy frameworks were created before recognizing today’s level of state-sponsored activity or acknowledging that most targeted digital infrastructure belongs to private companies.
Ogles mentioned changes under consideration within federal agencies: "The Trump Administration has signaled its intent to pursue a more proactive and assertive cyber posture, one that emphasizes disrupting adversary capabilities before harm occurs, resetting adversary risk calculations, and exploring new ways to integrate private sector expertise into national cyber efforts."
He emphasized the important role played by private companies: "The private sector is not merely a victim in cyberspace. American cybersecurity companies...are often the first to detect malicious activity...and develop tools capable of disrupting hostile infrastructure."
However, he acknowledged legal uncertainties faced by businesses when engaging in defensive or disruptive activities: "Companies face uncertainty about liability, retaliation, and regulatory risk." Government agencies also encounter challenges related to partnerships and timely action.
Concluding his remarks ahead of witness testimony at the hearing, Ogles said: "Today our witnesses will help us assess how offensive cyber capabilities can be responsibly integrated into a modern homeland security framework...I appreciate our witnesses for being here, and I look forward to their testimony and discussion ahead."
