‘Physical military response’ should be on table to battle cyber adversaries, McMaster tells Congress
Former National Security Advisor H.R. McMaster told a Wednesday field hearing of the House Homeland Security Committee that “a physical military response may be appropriate and necessary” against cyber actors “that prove difficult to deter.”
McMaster noted that “deterrence by denial and effective response to cyberattacks also requires actions against hostile cyber actors that extend beyond the cyber domain,” which include “often inadequate” sanctions and financial actions and may call for an even stronger response. “And it is important to convince difficult-to-deter adversaries that they cannot accomplish their objectives through a cyberattack because our defenses are strong and we can recover rapidly,” he said.
Corridor CEO and co-founder Jack Cable, who led CISA’s Secure by Design initiative, told the committee in prepared remarks that he’s seen “how insecure software can jeopardize our public safety” and “how technological advancements like AI can both help improve our collective state of security and magnify existing vulnerabilities.”
“As this committee has highlighted, state-sponsored hackers from the People’s Republic of China are currently burrowed within our critical infrastructure. Should China invade Taiwan, they stand to conduct destructive cyberattacks on our power grids, water systems, telecom providers and more,” Cable said. “But these attacks are not inevitable, nor unpreventable. The vast majority of cyberattacks take advantage of either a preventable software vulnerability or an insecure default configuration.”
He added that “it’s only a matter of time until AI coding assistants introduce a severe vulnerability in critical software that is exploited.”
The hearing, hosted by the Hoover Institution at Stanford University, leaned on security leaders with government and private-sector expertise to discuss leveraging technology to secure cyberspace and streamline compliance.
“We must raise the cost of cyberattacks for our adversaries,” House Homeland Security Committee Chairman Mark Green (R-Tenn.) said. “From strengthening our offensive posture in cyberspace to creating innovative cybersecurity solutions, the U.S. must make it more challenging and costly for adversaries to strike.”
“Second, we must ensure that American businesses — especially private owners and operators of critical infrastructure — are investing in cybersecurity,” he added. “There needs to be a greater demand for products designed with cybersecurity in mind, accompanied by a supply shift toward more secure information technology and operational technology.”
Cybersecurity and Infrastructure Protection Subcommittee Chairman Andrew Garbarino (R-N.Y.) advocated “a whole-of-society approach” to stay ahead of the nation’s adversaries — “one that unlocks the full potential of our innovative capacity to address and prevent vulnerabilities in our IT and OT.”
“By sharing information about emerging threats and empowering CISA to manage cross-sectoral relationships, information sharing will help develop the tools we need to understand how threat actors operate in cyberspace,” he said. “Innovation plays a critical role in keeping up with new tactics, techniques, and procedures of threat actors as our adversaries attempt to compromise U.S. networks by any means necessary.”
Committee Ranking Member Bennie Thompson (D-Miss.) expressed concern that “policies without funding won’t accomplish much.”
“I am concerned that the current administration’s policies may stunt innovation and ultimately undermine security,” Thompson said. “The president has eliminated DHS Centers of Excellence, urged cyber and tech talent across the government to quit their jobs, proposed drastically reducing funding for the National Science Foundation, and disrupted funding for the work of our national labs.”
Cybersecurity and Infrastructure Protection Subcommittee Ranking Member Eric Swalwell (D-Calif.), citing Stanford as “the perfect venue to highlight the importance of sustained public-private partnerships in technological innovation,” said he fears “the current administration’s efforts to cut funding for universities and for research and development and to cut immigration and student visas will undermine our nation’s ability to innovate going forward.”
“As China continues to ramp up its research and development, we cannot afford to pull back our public investment in technological development and universities,” he said. “Doing so would harm our economic competitiveness and our national security.”
Wendi Whitmore, chief security intelligence officer at Palo Alto Networks, said in prepared remarks that “the emergence of agentic AI, autonomous systems capable of making decisions and adapting tactics without human intervention, poses a significant escalation” of the cyber threat. “In the future, agentic AI will be able to independently execute multi-step operations, leading to faster, more adaptive, and difficult-to-contain cyberattacks.”
“Meanwhile, the pace of AI adoption across companies and industries vastly increases the total size of the digital attack surface that can be exploited by adversaries, even further complicating the cyber defense picture,” she added.
Whitmore, who served on the first DHS Cyber Safety Review Board, cited her company’s research that found AI-assisted attacks “could reduce the time to exfiltration to just 25 minutes, a 100x increase in speed.”
However, she stressed that AI, including AI-driven security operations centers, will continue to be “a game changer not only for the bad guys, but also for the cyber defenders who ward off the crooks, criminals, and nation states that threaten our digital way of life.” Stopping threat actors “before they can encrypt systems or steal sensitive information, which is now frequently happening in mere hours,” would not “be possible without the power of AI.”
Whitmore advocated focusing on measurable cyber outcomes and promoting zero trust to counter Salt Typhoon, as well as “secure AI by design,” defense industrial base resilience, regulatory harmonization and modernized procurement.
Former CISA Assistant Director for Cybersecurity Jeanette Manfra, now senior director for global risk and compliance for Google Cloud, promoted a regulatory approach “that is agile and focuses on aligning baseline requirements across sectors” and prioritizes “tangible outcomes over mere checklist compliance.”
Manfra said that Google welcomed the FedRAMP modernization effort and told lawmakers in prepared remarks that “any harmonized standards should implement a risk-based approach – ensuring compliance options are aligned to specific risk levels or categories to maximize flexibility and efficiency commensurate with the level of risk associated with a particular technology, application, or use case.” She advocated “a clear approach to reciprocity for different certification regimes” as well as continued public-private dialogue fostered by Congress.
McMaster, a senior fellow at Stanford’s Hoover Institution, told lawmakers that, despite efforts to protect the national security innovation base and critical infrastructure, “the threat in cyberspace has grown due to AI advancements and the increased connectivity of physical objects to cyberspace.”
“To reduce the threat from malicious cyber actors, the United States and its allies must enhance both offensive and defensive cyber capabilities,” he said in prepared remarks. “We must also improve system and infrastructure resilience through cooperation across government, businesses, and academia. And, consistent with the premise of this hearing, it is vital to integrate all elements of national power and efforts of likeminded partners to impose high costs on nation states and non-state actors that attack or threaten our nation through cyber espionage or attacks.”
Stressing the importance of public-private collaboration to counter escalating threats, he added that “private-sector companies that specialize in cybersecurity and countering cyber espionage hold promise to bridge the divide between the tech sector and government.”
“The line between government and private sector intelligence and security is blurring,” he said. “Government would benefit from contracting cutting-edge commercial capabilities. And it is likely that some private-sector companies will conclude that they need to be active on adversary networks to detect and preempt attacks on their systems, data, or intellectual property. Because companies that go offensive in cyberspace risk incurring foreign government penalties, assuming liability for harm inflicted on innocent third parties, and sparking an escalation to armed conflict, public- and private-sector coordination is essential for integrating offense and defense in cyberspace.”
McMaster urged Congress to “prohibit U.S. capital from accelerating the CCP’s efforts to surpass the United States in a range of critical emerging technologies, such as quantum computing and AI-related technologies,” citing Chinese companies traded in the U.S. debt and equity markets. “The easiest first step in strengthening deterrence might be to stop underwriting our demise,” he said.
Cable said that software developers need to understand security and companies should erect guardrails as “secure by design software is our best hope to defend against PRC cyber threats.” He stressed that “there doesn’t have to be a tradeoff between security and innovation.”
“CISA’s Secure Software Development Self-Attestation form is a good starting point,” he told lawmakers. “I encourage Congress and the administration to expand on this to include more outcomes-based product security measures, such as from CISA’s pledge and the Product Security Bad Practices list, to further incentivize software manufacturers to build their products with security from the start.”
Cable also urged Congress to reform the Computer Fraud and Abuse Act (CFAA) and associated laws “to exempt good-faith security research” as “the security community should not and cannot rely solely on prosecutorial discretion to protect” ethical hackers.
The CISA veteran further recognized “the exodus of technical talent that has occurred at CISA over the last several months.”
“In the face of increasing threats, we can’t undermine the capacity of America’s Cyber Defense Agency and its ability to attract and retain the best technical talent,” Cable said. “This only makes us less secure as a nation.”