Skip to content
SPECIAL

THREATS TO CRITICAL INFRASTRUCTURE IN IRAN CONFLICT

READ MORE

‘Time is not on our side’ to field offensive cyber capabilities, experts warn House committee

Twenty Technologies, Inc. CEO Joe Lin, left, CSIS Defense and Security Department Vice President Emily Harding, McCrary Institute Director Frank Cilluffo, and CrowdStrike Chief Privacy Officer Drew Bagley testify before the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection on Jan. 13, 2026. (House Homeland Security Committee video)

By Bridget Johnson

The scale and sophistication of foreign adversaries targeting critical infrastructure in the United States have made it imperative that offensive cyber capabilities – and the rules of the road on their use, along with necessary authorities – be added to our cybersecurity arsenal, experts told a House hearing today.

Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection Chairman Andy Ogles (R-Tenn.) said that investments in cyber defense, information sharing and resilience have not been enough and have not changed the behavior of state-sponsored cyber actors such as China. The hearing came just days after the Financial Times reported that China, via its Salt Typhoon espionage campaign, hacked congressional staff emails on several committees.

“The question is why they continue, and what it will take to change the cost-benefit calculation for adversaries who believe they can operate against the United States with impunity,” Ogles said, adding that current offensive cyber authorities within the Department of Defense, intelligence community and law enforcement were “not designed for a world in which the vast majority of digital infrastructure targeted by adversaries is owned and operated by the private sector.”

Homeland Security Committee Ranking Member Bennie Thompson (D-Miss.) cautioned that while “the United States’ offensive cyber capability is second to none … with that awesome power comes awesome responsibility.” He advocated continuing to invest in defense and resilience, use tools such as sanctions and other diplomatic levers to shape adversaries’ behavior, and work with U.S. allies as “the use of offensive cyber operations could shift global norms.”

“I am concerned that we are putting the cart before the horse with a hearing on offensive cyber activity when we have not yet had a hearing on why [CISA] has lost one-third of its workforce over the past year,” Thompson said. “…We ought to be cautious about pursuing an approach involving the use of offensive cyber tools that could result in retaliation or escalation if we are not in a position to help defend U.S. networks.”

McCrary Institute for Cyber and Critical Infrastructure Security Director Frank Cilluffo warned lawmakers that “the status quo ain’t cutting it.” Cyberspace “is now an always-on, always-contested domain” in the eyes of our adversaries and China’s Typhoon campaigns together “form a perfect storm,” he said.

Offensive cyber capabilities should be incorporated as an “important deterrent to our adversaries,” Cilluffo said, while addressing questions about oversight, interagency coordination, escalation risk and pairing offensive ops with strong cyber defense. Private-sector partners – including critical infrastructure entities already on the front lines – are too often treated by policy “as passive victims rather than essential partners,” he added, and will need to know “how far they should be permitted to go, under what legal authorities and with what safeguards.”

“The stakes are high,” Cilluffo told lawmakers. “As adversaries deepen their access into American networks, the United States must decide whether to remain constrained by outdated frameworks or adapt to the realities of 21st-century conflict.”

Joe Lin, co-founder and CEO of Twenty Technologies, Inc., a cyber-warfare systems company, told lawmakers that the United States is “not postured to defeat adversaries in cyberspace” and that unnecessary restraint of offensive cyber operations has encouraged foes. “They escalate and we absorb,” he said, calling the “mismatch” of U.S. offensive cyber ops relying on small teams conducting one-off operations “the core problem.”

Lin said that the U.S. must demonstrate “speed, scale and persistence” in offensive cyber capabilities that would be a “core instrument of national power” – a critical infrastructure security imperative that may be “uncomfortable culturally but unavoidable strategically.”

“Time is not on our side” to build “industrial-scale responses,” he warned, later telling Ogles that episodic reactions will “never be enough to change the cost calculus of our adversaries.”

Center for Strategic and International Studies Defense and Security Department Vice President Emily Harding emphasized that the mindset around cyberattacks must change from viewing them as “inevitable nuisances” to hostile actions in which “our adversaries control the escalation ladder.” Particularly when critical infrastructure such as water or power is targeted, a cyberattack can turn into a mass casualty event – and thus should be seen “as any other attack on civilians,” she said.

Harding said that moving forward with offensive cyber operations should be the default position. “Be bold,” she advised, stressing that “dramatic change is needed in the cyber domain.”

“We are redefining proportionality in the cyber domain,” she added.

CrowdStrike Chief Privacy Officer Drew Bagley framed his recommended course of action as “active defense” that “remains foundational” in cybersecurity as new threat actors emerge and the threat landscape routinely changes.

Bagley recommended a “most-wanted list” to identify and “radically increase” takedowns of adversarial campaigns to prevent them from operating at scale.

Thompson asked panelists whether, given reductions this year in the federal workforce, the people are there to properly go on offense.

“We will never have enough people,” Lin replied, describing the imbalance with adversaries as 50-to-1 “or in some case 100-to-1.” He advocated focusing on the level of human expertise and technology needed to be successful.

“We do want to lean heavily into a reserve capability,” Harding said, noting the authorities and cyber talent in the Coast Guard as well as National Guard members who work in cyber in the private sector. Future capabilities should pair AI with creative individuals who can “think like the enemy.”

Information sharing should be built upon in a comprehensive cyber plan that includes offensive capabilities, the experts agreed.

“We’ve got to move beyond information sharing to operational collaboration,” Cilluffo said, comparing the dynamic to public and private sectors being in the “same foxhole, same fight” and building trust, “which is everything.”

Even with some lawmakers expressing concerns about cyber staffing levels and the responsible use of offensive cyber, committee members generally supported exploring the addition of these capabilities to the toolbox. “We need to whack them twice as hard so this stuff stops,” Rep. Carlos Gimenez (R-Fla.) said.

“Think of it as suppressive fire,” Cilluffo said, or blitzing the other team’s quarterback.

Harding noted that ratcheting up cyber activities doesn’t necessarily mean a like-for-like response, particularly if civilians could be harmed. “We don’t necessarily need to respond to an attack on critical infrastructure with an attack on critical infrastructure,” she said.

Lin said cyberattacks needed to be viewed as the “digital equivalent of explosives” targeting critical infrastructure and our warfighters need to be equipped with relevant authorities and technology. “What we’re seeing from our adversaries is wholesale adoption of artificial intelligence for offensive cyber,” he said, referencing the November Anthropic report on the first reported AI-orchestrated cyber espionage campaign. “There has to be wholesale adoption on our end.”

“We’ve literally ceded the battlefield to our enemy,” Cilluffo said. “We need to be able to shape that environment. We don’t want to get to that point where it’s too late.”

Click to listen highlighted text!