# Full Report
> The scale and sophistication of foreign adversaries targeting critical infrastructure have made it imperative that offensive cyber – and the rules of the road on use – be added to our cybersecurity arsenal.

# Analysis Summary
# Main Topic
The increasing scale and sophistication of foreign adversaries targeting U.S. critical infrastructure necessitate the immediate integration of offensive cyber capabilities and clear rules of engagement into the national cybersecurity defense strategy.
## Key Points
- Investments in cyber defense and information sharing alone are insufficient to alter the behavior of state-sponsored cyber actors, particularly China.
- Current offensive cyber authorities within DoD, IC, and law enforcement are inadequate as they were not designed for a landscape where the majority of targeted digital infrastructure is privately owned.
- Experts argue that "time is not on our side" to field these capabilities effectively.
- Offensive cyber operations are viewed as an important deterrent required to change the cost-benefit calculation for persistent adversaries.
- Private-sector partners, especially critical infrastructure owners, must be treated as essential partners, not just passive victims, in formulating policy regarding offensive operations.
- There are significant concerns regarding oversight, interagency coordination, escalation risk, and ensuring offensive operations are paired with strong defensive postures.
## Threat Actors
- Foreign adversaries targeting U.S. critical infrastructure (general classification).
- Specific mention of state-sponsored actors such as **China**.
## TTPs
- The source focuses on strategic necessity rather than on the specific tactical TTPs adversaries use, but notes that adversaries are effectively operating against the U.S. with "impunity."
- Related mention of **China’s Salt Typhoon espionage campaign** targeting congressional staff emails, indicating widespread espionage activity.
## Affected Systems
- U.S. Critical Infrastructure (primary focus).
- Digital infrastructure owned and operated by the private sector.
- Congressional staff email systems (as an example of adversary targeting via the Salt Typhoon campaign).
## Mitigations
- Adding offensive cyber capabilities to the national cybersecurity arsenal.
- Establishing clear "rules of the road" and necessary legal authorities for the use of offensive cyber operations.
- Continuing to invest in cyber defense and resilience.
- Utilizing non-cyber levers such as sanctions to shape adversary behavior.
- Developing frameworks to guide private-sector partners on permissible offensive actions under legal safeguards.
## Conclusion
The consensus among experts presenting to the House subcommittee is that the current purely defensive posture against increasingly sophisticated foreign adversaries targeting critical infrastructure is unsustainable. The immediate requirement is to develop and field appropriate offensive cyber capabilities, coupled with clear policy and legal frameworks, to act as a deterrent and elevate the cost for state-sponsored actors. Caution must be exercised regarding escalation risks while simultaneously avoiding unnecessary restraint that encourages continued adversary activity.