National Cyber Director Sean Cairncross said Monday that he does not intend for the private sector to fully engage in offensive cyber operations on behalf of the U.S. government.
“There’s an enormous amount of capability on the private sector side,” he said. “I’m not talking about private sector, industry or companies engaged in a cyber offensive campaign.”
The statement, made during a fireside chat at a McCrary Institute event, pushes back on speculation that private industry would be tasked in hacking campaigns authorized by government officials, a concept that surfaced in discussions leading up to the release of the Trump National Cyber Strategy earlier this month.
Cairncross said he wants to use the “ability of our private sector … to inform and share information so that the [U.S. government] can respond” defensively or in a more agile way.
Private-sector cyber firms provide myriad services like threat intelligence, defensive products and specialized hacking toolkits that are relied on heavily by U.S. government operators and analysts. But the government has not directed the private sector to directly carry out cyber intrusions or “hack backs” against adversaries on its behalf.
The private sector engagement hits on one of the cyber strategy’s key pillars, which is focused on reshaping the behavior of foreign adversaries to disincentivize hacking. Cairncross said he wants various U.S. agencies — including non-cyber offices like the Departments of State and Commerce — to contribute to that goal.
American cyber and intelligence giants like the NSA, CIA, FBI, Cyber Command and others already have legal authorities to offensively target foreign adversaries using their own hacking capabilities.
The cyber strategy’s other pillars include promoting common-sense regulation; modernizing and securing federal government networks; securing critical infrastructure; sustaining superiority in critical and emerging technologies; and building cyber talent and capacity.
