Top NSC Official Wants to Normalize Offensive Hacking as Tool of US Might
In a speech at the RSAC Conference in San Francisco, Alexei Bulazel, the top cybersecurity official in the National Security Council, sparked controversy by suggesting that the United States should normalize the use of offensive cyber activity as a tool of national power. This stance marks a significant shift in the country's approach to cyber warfare, and raises questions about the implications for international relations and domestic policy.
Bulazel, a former NSC cyber policy director under President Donald Trump, argued that the U.S. should "respond in-kind" to cyberattacks from adversaries like China, which have targeted critical infrastructure systems across the nation. He contended that not responding to these attacks would be escalatory and incentivize further aggression.
"You need to find some way to communicate this is not acceptable," Bulazel said. His remarks were met with a mixture of applause and concern from the audience, many of whom are familiar with the complex and often contentious nature of cyber warfare.
The idea of normalizing offensive hacking has been discussed for months, as Trump allies and others have argued that the U.S. needs to respond to hacks carried out by Chinese government-aligned espionage groups that have accessed American telecom networks and other critical infrastructure. Bulazel's comments are the clearest indication yet from the upper echelons of the White House that the U.S. is working on ways to hack back against foreign enemies and rivals.
One topic raised during discussions has been letters of marque, a historically maritime legal mechanism used to authorize private entities to conduct warfare against enemy nations. Bulazel called the concept "ridiculous" and said that ideas to give the private sector legal permission to have more independent hacking authorities have been "taken to the absolute extremes."
Besides offensive hacking, Bulazel also emphasized the need for the U.S. to rethink its role in protecting the private sector from cyberattacks. He stressed that administration officials want to engage further with industry counterparts to better share threat information and improve cybersecurity.
On another front, Bulazel discussed the Office of the National Cyber Director, whose nominated leader has not yet been confirmed. He said he expects the agency to continue on a major deregulation push in tandem with regulatory harmonization efforts kicked off during the Biden administration.
Bulazel also touched on the Cyber Safety Review Board, which was established during the Biden administration to investigate major cybersecurity incidents but was disbanded shortly after Trump stepped back into the Oval Office. He said solutions around that will ultimately be addressed by Sean Plankey, nominated to run the Cybersecurity and Infrastructure Security Agency in DHS.
Plankey's nomination has been put on hold in the Senate because a top lawmaker is demanding the agency publicly release a 2022 report on telecom security vulnerabilities. Bulazel also mentioned that the agency had a troubled past when it worked to taper disinformation online, which was widely shared by Trump officials who accused the agency of censoring politically conservative viewpoints online.
"In this administration, we're committed to having CISA stay laser-focused on the two things that are in its name, which are cybersecurity and infrastructure security," Bulazel said. He also indicated that he would be open to discussions about whether the dual-hatted leadership between NSA and U.S. Cyber Command should be split up, but did not opine to any particular side.
Finally, Bulazel flagged the recent signing of the internal Pall Mall pact by the U.S., which commits to curb global spyware abuses. However, he noted that nation-states are still likely to use spyware as a tool for intelligence collection, and acknowledged that the U.S. must continue to address these challenges.
The implications of Bulazel's comments are far-reaching, and will be closely watched by policymakers, industry experts, and the general public alike. As the U.S. navigates its complex cyber landscape, it remains to be seen whether Bulazel's approach will be successful in normalizing offensive hacking as a tool of national power.