We’re back! Before diving in, we wanted to take a moment to thank our former colleague, Ines Jordan Zoob, who worked tirelessly behind the scenes to make this podcast a huge success. And now… onto our special episode!
In our latest Distilling Cyber Policy podcast episode, hosts Alex Botting and Jen Ellis from the Center for Cybersecurity Policy & Law (CCPL) kick off the new season with guests Stacy O’Mara, Senior Director at Venable LLP, and Leonard Bailey, former DOJ official, CCPL Fellow, and long-time leader on cyber enforcement and national security. Together, they unpack one of the hottest topics in today’s cybersecurity landscape: what role, if any, should offensive cyber operations play in countering cyber threats, and who should be allowed to conduct them?
Offensive cyber activity has become a central policy conversation as governments worldwide rethink what tools are necessary to counter increasingly sophisticated threats. Stacy and Leonard examine how the U.S. debate fits into a broader international landscape, noting that countries such as Japan, Australia, and the United Kingdom have already authorized state-led disruption operations. They discuss how global norms are shifting, how deterrence and escalation dynamics are changing in response to persistent cyberattacks, and what legal and diplomatic questions arise as offensive actions become more normalized across allied nations.
A major thread of the conversation centers on whether offensive cyber operations should remain exclusively within federal authority or whether a tightly scoped framework could allow limited private-sector participation. The idea of private-sector “hack back” has reemerged in Washington policy circles, though it continues to spark significant debate.
Stacy and Leonard outline concerns such as the risk of misattribution, the potential for unintentional escalation, the likelihood of collateral damage across shared infrastructure, and the possibility of disrupting sensitive intelligence or law enforcement operations. You can read more of CCPL’s thoughts on offensive cybersecurity here.
In this week’s news segment, the hosts discussed India’s proposed cybersecurity app, Sanchar Saathi, which would have been preinstalled on all devices to enable remote locking if a phone was stolen or misused. The mandatory, non-removable nature of the app prompted backlash over privacy, government access, and data management concerns. Although the order has been revoked, it’s unclear whether the move is temporary or permanent. Alex also highlighted new secure-by-design principles released by CISA and Australia to guide critical infrastructure owners as they integrate AI into operational technology environments. The framework focuses on four pillars:
- Educating personnel about AI
- Assessing its application within OT environments
- Establishing AI governance
- Embedding AI safety and security
Finally, instead of our usual trivia segment, we welcomed Community Corner guest Bruno Marson, the main organizer of BSides Lisbon. Bruno shared insights into Portugal’s recent decision to include a carveout for security research in its NIS2 transposition – an important step in ensuring researchers can continue their vital work without fear of prosecution – a move that makes Portugal one of the few countries to explicitly protect good-faith security research!
You can find the latest Distilling Cyber Policy episode on Spotify and Apple. As always, if you would like to submit cyber policy trivia, or have topic ideas for upcoming episodes, please email tchopra@venable.com.