The discussion around offensive cyber operations in the U.S. may be quickly moving from theoretical to practical. The Center for Cybersecurity Policy and Law’s event, Offensive Cyber Operations: Charting a Legal and Strategic Path Forward, featured a series of speakers and panels with calls to rethink deterrence and disruption, grappling with the blurred lines between offense and defense, and managing a cyber landscape where the attackers are moving faster than the defenders.

Speakers from government, industry, and academia confronted the realities of ransomware gangs wielding nation-state tools, debated the wisdom of “hacking back,” and explored how private and public actors might collaborate at speed and scale. More than a discussion of risks, the forum highlighted bold proposals – such as building dedicated disruption units and redefining how the U.S. measures success in cyberspace – that could reshape a national cybersecurity strategy.

Key Themes and Highlights

Strategy and Deterrence

• Passive defense has failed to prevent escalation; adversaries must face visible, timely consequences.
• Offensive operations should never be reactive one-offs — they must be guided by clear policy objectives and integrated into coordinated campaigns.
• Deterrence works when adversaries believe their own critical infrastructure and assets could be targeted in return.

 Public-Private Collaboration

• Legal clarity and frameworks are necessary to enable the private sector to bring speed, visibility, and technical innovation to participate effectively in disruption efforts.
• Time to move beyond information-sharing to joint disruption campaigns, executed at speed and scale.
• Intelligence must drive action, not just awareness, according to industry leaders.

Threat Landscape and Tools

• Nation-state actors, ransomware gangs, and AI-enhanced attacks define today’s “wild west” cyber environment.
• Consensus that “hack back” alone is risky and insufficient — instead, the U.S. must leverage the full spectrum of tools: active defense, disruption, diplomacy, sanctions, and covert operations.
• Innovation – such as AI-enabled defenses – offers a rare advantage that should be scaled aggressively.

 Leadership and Global Coordination

• Without international cooperation, offensive cyber risks devolving into a global free-for-all.
• Stronger U.S. leadership is needed to move debate forward and define basic operating procedures.

Event Recap

Keynote: Dmitri Alperovitch, Chairman, Silverado Policy Accelerator

In his keynote address, Alperovitch delivered an argument for rethinking the role of offensive cyber operations in national security strategy and challenged the prevailing notion that offensive cyber actions are inherently escalatory, calling that view misguided and dangerous. According to Alperovitch, passive cyber defense has led to greater escalation by emboldening adversaries, who face no meaningful accountability.

He also emphasized that state-sponsored cyber threats have become increasingly sophisticated and dangerous, now targeting critical infrastructure, intellectual property, and essential services. Despite years of attempts to name, shame, indict, or deter foreign cyber actors, attacks have only intensified.

Crucially, Alperovitch argued that deterrence does work — the relative scarcity of destructive cyberattacks on U.S. operational technology (OT) systems suggests that adversaries fear retaliation. He noted that nation-state actors are just as reliant on digital infrastructure, which helps maintain a fragile balance of mutual deterrence.

To shift the strategic landscape, he called for a more integrated and strategic use of the full national security toolkit — combining offensive cyber, diplomacy, covert operations, and military capabilities. The key, he stressed, is not to leap to the latest tool, but to start with clear strategic objectives and design coordinated response packages accordingly.

In closing, Alperovitch urged policymakers to stop asking "What can we do?" and instead ask "What are we trying to achieve, and what tools will get us there?"

Panel #1: “To Hack Back or Not Hack Back, That is the Question, Or Is It?”

• Jennifer Daskal, Partner, Venable LLP
• Megan Stifel, Chief Strategy Officer, Institute for Security and Technology
• Frank Ciluffo, Director, McCrary Institute for Cyber & Critical Infrastructure Security, Auburn University
• Cristin Flynn Goodwin, Founder, Advanced Cyber Law LLC
• Rob Sheldon, Senior Director, Public Policy and Strategy, Crowdstrike

The opening panel brought together leading voices from industry and academia to debate the challenges and tradeoffs of offensive cyber operations. Panelists underscored that adversaries, from nation states to financially motivated groups, are innovating faster than defenders by exploiting unmanaged devices, social engineering, and impersonation tactics. 

A central theme from the panel was that offensive cyber operations must not be reactive one-offs, but instead guided by clear policy objectives and embedded with sustained, coordinated campaigns. Panelists stressed that effective deterrence depends on adversaries believing that their own critical infrastructure and assets could be targeted in return. 

Offensive measures, panelists stressed, cannot substitute for long-term strategy: every adversary requires its own tailored playbook, and the government must define overarching goals while leveraging the private sector’s unique visibility and technical capacity. 

While views differed on the scope and risks of “hacking back,” there was broad consensus on the need for a more strategic, integrated approach; one that combines offense, defense, and diplomacy to shift the cost calculus for bad actors. The discussion reflected both the urgency of moving beyond a purely reactive posture and the complexity of deciding when, how, and by whom cyber offense should be deployed.

Keynote: Michael Daniel, President & CEO, Cyber Threat Alliance

In his keynote address, Daniel tackled the complexities of offensive cyber operations and the need to rethink current approaches. 

He clarified that true offensive cyber activity has three defining elements:

1. It takes place on someone else’s device.
2. It does not have the owner’s permission.
3. It is intended to cause disruption or damage, whether temporary or permanent.

By this definition, espionage, surveillance, or simply blocking malicious traffic on one’s own network do not qualify. Offensive operations, he emphasized, are not ends in themselves but tools meant to advance broader policy objectives, with different forms, overt, covert, or clandestine, applied depending on the intended outcome.

Daniel also explored why these capabilities remain so controversial. Rooted in the intelligence world, offensive cyber operations have historically been shrouded in secrecy, limiting open debate about their use. Their effects can also be unpredictable, making collateral consequences harder to anticipate than in traditional domains. Complicating matters, these capabilities are no longer confined to governments, as demonstrated daily by ransomware groups and other malicious actors. 

Looking ahead, Daniel urged greater exploration of operational collaboration between the public and private sectors, arguing that partnerships executed at speed and scale could be critical in determining how, and whether, offensive cyber tools can be used responsibly and effectively.

Panel #2: “Offensive Cyber: The Spectrum of Tools in the Toolbox”

• Cailtin Clarke, Senior Director, Cybersecurity Services, Venable LLP
• John Keefe, Founder, Ex Astris Scientia 
• Morgan Adamski, Principal, PwC
• Josh Stiefel, Vice President of Government Relations, Second Front 

The second panel explored the wide range of tactics available for offensive cyber operations and the persistent challenges of deterrence. Panelists emphasized that while terminology matters, particularly in distinguishing concepts like “hack back,” “active defense,” and offensive operations, the real challenge lies in defining objectives and measuring outcomes. 

Keefe noted that current deterrence strategies have largely failed, with malicious actors operating with impunity. Adamski stressed that some threats cannot be deterred at all—particularly when civilian infrastructure is involved—making it essential to focus on reducing the success rate of attacks rather than trying to prevent every attempt.

There was also spirited debate about the role of the private sector in augmenting government capacity. Some viewed industry involvement as essential to inject speed and agility into government operations, while others warned that relying too heavily on private actors reflects a failure to build adequate public capacity. Proposals like “letters of marque” raised questions about oversight, liability, and the risks of outsourcing offensive capabilities.

Without faster, outcome-driven campaigns and a willingness to take calculated risks, the U.S. risks falling behind as adversaries continue to adapt.

Keynote: Sandra Joyce, Vice President, Google Threat Intelligence

Joyce opened her keynote with a blunt assessment: while the cybersecurity community has excelled in effort, it continues to fall short on outcomes. Threat actors are becoming bolder and more sophisticated, from North Korea targeting hospitals and even neonatal intensive care units, to commercial surveillance vendors offering tools for hire. 

Traditional defenses such as intelligence sharing are no longer sufficient and the real purpose of intelligence must be to drive action. That action, she argued, must center on disruption — moving up the adversary’s value chain to impose costs and deny leverage. She highlighted the SolarWinds incident as a case where exposure and “burning” Russian tools, rather than staying silent, ultimately yielded better results and limited long-term damage.

Joyce called for a fundamental evolution in security strategy, emphasizing proactive, intelligence-led disruption. She pointed to the promise of AI as a defensive advantage, noting how large language models are already helping Google detect vulnerabilities before adversaries exploit them. Partnerships, across law enforcement, governments, and industry, will be essential to scale disruption efforts. 

Google is forming a new “disruption unit” to pursue legal and ethical operations against adversaries, Joyce announced, inviting collaborators to join. She emphasized that defenders must move beyond passive information sharing to embrace active, creative, and collaborative campaigns that impose real consequences on malicious actors.

Panel #3: “Under Attack, Under Constraints: How Industry Can Respond Using Active Cyber Defense Measures in Real Time”

• Davis Hake, Senior Director, Cybersecurity Services, Venable LLP
• Andrew McClure, Managing Director, Forgepoint Capital
• Joe McCaffrey, Chief Information Security Officer, Anduril
• Vishaal “V8” Hariprasad, Chief Executive Officer, Resilience
• Brandon Wales, Vice President, Cybersecurity Strategy, SentinelOne

In the third panel, cybersecurity leaders examined how the private sector can take a more active role in cyber defense – not just in reacting to threats, but in disrupting them. 

Panelists agreed the threat landscape is rapidly expanding, with McCaffrey likening it to a “wild west” where nation-state tools are now accessible to ransomware gangs and low-level hackers. Cheap, temporary infrastructure complicates attribution and slows law enforcement. Ransomware remains the top organizational threat; while better backups reduce ransom payments, tactics like double extortion and AI-enhanced attacks are growing more severe.

They described the asymmetry between the U.S. and foreign cyber strategies: the U.S. treats offensive cyber as a centralized government activity, while countries like China leverage private-sector capabilities for scalability. Without new incentives, legal clarity, and frameworks, the U.S. will struggle to close this gap. The private sector could be a force multiplier but requires permission, structure, and motivation.

Ultimately, the panel agreed the tools, talent, and urgency exist — what’s needed now is leadership from government and industry to redefine active cyber defense. With the right framework, the private sector can play a larger role in defending against threats and shaping the future of cyber operations.

Keynote Address: Chris Painter, Founding Partner, The Cyber Policy Group

In his keynote, Painter urged the U.S. to move beyond debate and take real action on cyber deterrence. He dismissed the notion that legal constraints are the main barrier, pointing out that discussions around “hack backs” and red lines have gone on for years with little progress.

Painter argued that the U.S. still fails to impose timely, visible consequences on cyber adversaries and called for a more strategic approach that goes beyond sanctions and targets what adversaries actually value. Clearer policies are also needed to define what kinds of attacks will trigger a response. Grouping espionage, disruption, and influence operations into a single “cyber threat” category, he warned, only clouds decision-making.

International coordination, Painter stressed, is critical. As more nations build offensive capabilities, without cooperation, we risk a global cyber free-for-all. Painter also advocated for smarter public-private collaboration, including shared damage assessments, intelligence exchange, and early-stage support like tipping and queuing. The government should lead, but industry has a supporting role to play.

His final warning: without a shift in focus and urgency, we’ll be having the same conversations in five years. “I don’t want another Groundhog Day,” he said. 

Panel #4: “Red Lines and Rules of the Road: Cyber Defense in a Global Context”

• Peter Brown, Senior Director, Global Security and Technology Strategy, Venable LLP
• Kathryn Condello, Fellow, National Security/Emergency Preparedness, Lumen Technologies
• Matt Hayden, Vice President, General Dynamics Information Technology
• Mark Montgomery, Senior Director CCTI and Senior Fellow at Foundation for Defense of Democracies

The final panel assessed how governments, industry, and allies must adapt to rising cyber threats, particularly ransomware and vulnerabilities in critical infrastructure. Once seen as a criminal issue, ransomware now shapes global cybersecurity collaboration. While threat intelligence sharing has improved, panelists noted that operational coordination and tool-sharing still lag. Meanwhile, U.S. infrastructure remains underprotected, with state actors like China quietly preparing for future disruption.

Condello pointed to more proactive models abroad, notably in the United Kingdom and Japan, and urged theU.S. to cut through bureaucratic delays and match that urgency. Some rejected outdated ideas like letters of marque that would deputize private companies to conduct offensive cyber operations, warning of serious risks without oversight or legal clarity. Instead, there were calls for building a dedicated national cyber force, empowering the National Guard, and giving federal agencies faster response capabilities.

Ultimately, panelists called for a shift from reactive policy to decisive action. The tools exist – but to close the gap, the U.S. must treat cybersecurity as a national security priority.

Conclusion

The message from the day was unmistakable: the old playbook of reactive defense and fragmented partnerships is no longer enough. Across panels and keynotes, leaders emphasized the need for operational collaboration that delivers tangible consequences for attackers, backed by legal clarity and strategic vision. 

Whether through public-private disruption campaigns, smarter international coordination, or reframing deterrence itself, the consensus was that the U.S. must act with greater urgency and creativity. Offensive cyber operations will always be complex and contentious, but this event made clear that standing still is the riskiest option of all.

The full event can be viewed here.