The United States is facing a new era of digital conflict — one in which cyberattacks are no longer isolated incidents but persistent, strategic campaigns targeting the nation’s critical infrastructure. Recent revelations about Volt Typhoon and Salt Typhoon — stealthy, state-sponsored operations by China embedded across U.S. utilities, transportation networks, telecommunications systems, and software supply chains — have heightened alarm within both government and industry.
These incidents underscore an unsettling truth: adversaries are not just probing U.S. systems, they are establishing long-term footholds inside them. In response, calls to embrace offensive cyber capabilities have grown louder, including proposals to involve the private sector directly, especially since the existing focus on defensive measures is viewed as insufficient.
With respect to China, we’ve observed this threat actor using cyber capabilities as a strategic tool to advance its national interests, including economic growth, military modernization, political stability, and global influence. Cyber operations enable China to steal intellectual property, conduct espionage, influence foreign public opinion, and target critical infrastructure — all at relatively low cost and with plausible deniability. In response, a non-coordinated, private-sector-led approach to countering such aggression could be ineffective and potentially harmful.
Private companies lack the legal authority, complete intelligence context, and diplomatic safeguards necessary to engage a nation-state adversary. Uncoordinated retaliation could escalate conflicts, cause collateral damage, and undermine broader national security efforts. It may also blur the lines between civilian and combatant actors, exposing companies to legal and ethical consequences. It may be unwise for a private-sector entity to unilaterally confront a state-level threat. A unified, government-led strategy with tightly integrated public-private collaboration should be considered for a credible and safe cyber defense posture.
The call to embrace an offensive cyber response raises profound and urgent questions: Are we prepared to unleash these tools? Who should wield them? How do we protect against unintended consequences? Could use of such tools actually make us more vulnerable?
Advocates argue that offensive cyber tools can deter adversaries and neutralize threats, but their deployment raises critical concerns about escalation, attribution, and collateral damage — including the risk of inadvertently harming innocent parties or foreign entities not responsible for malicious activities. Legal and ethical dilemmas abound, especially if offensive actions potentially bypass norms or set new precedents internationally. As the threat landscape intensifies, the nation must confront not only the tactical viability of offensive cyber operations but also their legal, ethical, and strategic implications.
It’s worth considering whether the evolution of U.S. offensive cyber capabilities should include the private sector. The risks involved may outweigh the benefits for private companies, particularly publicly traded ones. Beyond a shared sense of national security, how would a company justify participation in high-risk offensive cyber operations to its board of directors? What tangible return on investment exists? Even with enhanced legal protections, such as liability shields for hacking back, what would motivate a company to assume such risks?
To that end, might we take a closer look at improving our existing defensive capabilities? Might we consider other means of countering attacks from China, perhaps outside of cyberspace? What other tools might the nation deploy to deter and respond to this threat actor?
This paper seeks to explore those questions and more, including why this is a prevalent topic, the risks and unintended consequences of the private sector engaging in offensive cyber operations, and potential models for how companies might work with the government in this realm. Some of those risks include:
- Legal Exposure: Offensive actions may violate domestic or international laws. If foreign entities or individuals are inadvertently harmed, they could seek legal recourse, leading to costly litigation or diplomatic fallout.
- Collateral Damage: Malicious cyber activity often relies on compromised infrastructure such as botnets, which may be owned by unwitting third parties. Disrupting this infrastructure could cause unintended harm to innocent actors and strain international relations.
- Reputational and Diplomatic Consequences: Offensive actions perceived as unprovoked or aggressive could damage the U.S.’s international standing, trigger diplomatic disputes, or escalate geopolitical tensions.
- Normalization of Offensive Tactics: If major nations and influential companies embrace offensive cyber operations, it could legitimize and proliferate such behavior globally — potentially enabling less-responsible actors to adopt similar tactics without sufficient oversight.
- Risk of Retaliation: Engaging in offensive cyber operations increases the likelihood of counterattacks, either directly from the targeted entity or from allied actors, escalating the threat landscape.
To address these challenges, the U.S. could explore new models for integrating private sector capabilities into a broader national offensive cyber strategy. Possible options include:
- A Dedicated Cyber Force: Establishing a government-led cyber unit staffed with skilled operators and governed by a robust legal and operational framework.
- Pre-Certified Private Entities: Creating a vetted group of private companies authorized to conduct specific cyber operations under federal oversight.
- A Regulated Cyber Market: Supporting the growth of a specialized market for offensive cyber services, potentially including licensing and accountability mechanisms.
- Public-Private Partnerships: Expanding existing collaboration models to allow private companies to engage in active cyber defense with federal support, legal protection, and operational guidance.
Under any of these models, close coordination between the public and private sectors would be essential. Operations must be conducted with appropriate training, clear oversight, a qualified workforce, and comprehensive liability protections. Only through a carefully managed and cooperative approach can offensive cyber operations be carried out safely, responsibly, and effectively.
As a cybersecurity community, we must remain vigilant and engage in meaningful, ongoing dialogue with a wide range of stakeholders across both the public and private sectors. This issue goes far beyond short-term responses or retaliatory actions against China. If we’re considering offensive cyber capabilities as part of a broader deterrence strategy, we need to step back and examine the bigger picture. This includes rethinking the role of the private sector in conflict — both within and beyond cyberspace — evaluating the potential consequences for international norms, and carefully considering the precedent set by authorizing private companies to conduct offensive cyber operations.