Members, witnesses debate whether private sector should be allowed or credentialed to strike back against cyber attackers
Summary
During the House Homeland Security hearing, several members argued for stronger deterrence, including limited offensive options, while industry witnesses cautioned against private‑sector 'hack backs' and urged government leadership and safeguards.
Members of the House Homeland Security subcommittee and witnesses debated whether private companies should be empowered to conduct offensive cyber operations against attackers, and what role the federal government should play in deterrence and retaliation.
Representative Anthony D. Jimenez (questioner) framed the issue bluntly: “The only way that you’re gonna stop this is if the offensive party fears more the retaliation than what we do,” and he urged exploring offensive options or other mechanisms that impose consequences on attackers. Several members said the United States lacked a consistent retaliatory posture for many attacks and that adversaries will continue to strike if they face no meaningful consequences.
Industry witnesses expressed caution. Scott Aronson of the Edison Electric Institute said, “Electric companies do not wanna be in offensive cyber engagements.” He and other witnesses said the private sector generally prefers defensive measures and reliance on government‑led offensive capabilities, where attribution, legal authority and national security tradeoffs can be handled by appropriate agencies.
Witnesses noted practical limits: many utilities and other critical providers lack the personnel and legal authority for offensive operations; engaging in offensive cyber activities risks escalation and unintended consequences; and incorrect attribution can cause diplomatic or operational harm. Robert Mayer of US Telecom and Ari Schwartz of the Cybersecurity Coalition urged deeper operational collaboration so industry can more quickly share indicators with government partners and, where appropriate, enable government to act.
No formal policy changes or authorizations were made at the hearing. Members and witnesses agreed on the need for better government‑industry coordination, clearer authorities, and more resources for defense, attribution and response. Several members suggested exploring credentialed third‑party teams or other mechanisms to expand capacity for deterrence under government oversight, but witnesses recommended careful deliberation and legal safeguards before any change.
The exchange illustrates a sustained tension in U.S. cyber policy: private entities control most critical infrastructure and encounter attacks frequently, but government agencies retain primary authority for offensive operations and escalation decisions. Committee members signaled interest in continuing oversight and exploring legislative or operational models to improve deterrence while avoiding uncontrolled private offensive action.
