Beyond Defense: Congress Wants To Industrialize U.S. Cyber Offense

On Tuesday, the House Subcommittee on Cybersecurity and Infrastructure Protection held a hearing titled, “Defense through Offense: Examining U.S. Cyber Capabilities to Deter and Disrupt Malign Foreign Activity Targeting the Homeland.”

Chairman Andy Ogles (R-TN) opened the hearing by declaring that the United States can no longer rely solely on a defensive posture. Citing recent breaches like Salt Typhoon (targeting Congressional staff) and Volt Typhoon (targeting critical infrastructure), Ogles argued that adversaries — primarily China, Russia, Iran, and North Korea — operate with impunity because they face no meaningful consequences.

The consensus among the subcommittee and the witnesses was that the U.S. must shift toward a proactive, “industrial-scale” offensive strategy to alter the risk calculus of state-sponsored actors.

Joe Lin, the CEO of Twenty Technologies, Inc., provided a blunt assessment: the United States is currently losing the cyber war because it treats offensive operations as “bespoke,” elite activities while adversaries operate at “machine speed.”

Lin called for codifying operator tradecraft into automated software systems. He argued that one operator should be able to manage hundreds of targets simultaneously to match the scale of Chinese campaigns. He emphasized that “patching” alone will never secure critical infrastructure. Deterrence requires the demonstrated ability to impose asymmetric costs upstream before attacks reach U.S. soil.

Emily Harding, the vice president of the defense and security department at the Center for Strategic and International Studies (CSIS), focused on the “escalation ladder,” noting that adversaries currently control it because U.S. responses have been muted.

CSIS war games revealed that senior U.S. officials often freeze during cyber crises due to a lack of a shared framework for what constitutes an “act of war.” Harding proposed several key shifts: treating cyber-attacks that imperil life as kinetic attacks, flipping risk tolerance so that the default answer for an operation is “yes,” and creating a dedicated Cyber Force to consolidate talent.

Frank Cilluffo, the director of the McCrary Institute, argued that the U.S. has allowed adversaries to define its strategy. He pushed for “operational collaboration,” where the private sector — which owns the vast majority of infrastructure — is treated as a partner in active defense rather than a passive victim. He noted that campaigns like Salt and Volt Typhoon are “pre-positioning” efforts designed to be triggered during a future kinetic conflict (e.g., a Pacific contingency).

Drew Bagley, the chief privacy officer at CrowdStrike, offered a nuanced view, reinforcing the necessity of defense while supporting targeted offense. While he cautioned against a “federated” or “vigilante” hack-back regime due to risks of collateral damage, he supported more persistent disruption of malicious infrastructure. He recommended that CISA and the private sector maintain a prioritized list of threat actors to be dismantled systematically through coordinated law enforcement and military action.

The subcommittee discussed the severe workforce shortage. Witnesses noted that while thousands of personnel were lost during recent agency “right-sizing” (DOGE-related shifts), the solution isn’t just “more bodies.” AI is being used by the PRC to automate espionage; the U.S. must adopt “Agentic AI” to defend and counter-attack at the same speed. Suggestions included a “Cyber Reserve” (similar to the National Guard) and a “Teach for America” style program for cyber professionals to serve in rural areas in exchange for loan forgiveness.

Rep. Morgan Luttrell (R-TX) raised the critical issue of undersea cables, through which 95% of global data flows. There is currently no “single home” in the government for undersea cable security. Harding and Bagley called for an increase in repair ships and the use of AI-driven maritime surveillance to identify “anomalous” ship patterns (like “fishing” vessels lingering over cable lines) before they can sabotage infrastructure.

A major takeaway was the need to move past “tit-for-tat” cyber responses. Witnesses argued that if China hits a U.S. water plant, the U.S. shouldn’t necessarily hit a Chinese water plant; it should use diplomatic, economic, or kinetic tools to hit a “pain point” that the adversary actually values.

Ogles concluded by signaling a “forward-leaning” posture, emphasizing that the Monroe Doctrine now extends into the digital realm. The subcommittee intends to pursue “operational collaboration” between the private sector and government to ensure that any breach of American digital boundaries carries a significant, punishing price.