“Defense Alone is Not Sufficient”: Subcommittee Chairman Ogles Opens Hearing on Strengthening America’s Approach to Offensive Cyber Operations

WASHINGTON, D.C. -- Today, Subcommittee on Cybersecurity and Infrastructure Protection Chairman Andy Ogles (R-TN) delivered the following opening statement in a hearing to examine how the United States can strengthen its approach to offensive cyber operations as part of a broader national security framework, including the evolving roles of federal agencies and the private sector.

Watch Chairman Ogles' Opening Statement here.

As prepared for delivery:

Today, the Subcommittee is meeting to examine a reality that the United States can no longer afford to avoid, namely that deterrence in cyberspace does not exist without credible, lawful, and operational offensive cyber capabilities. Defense alone is not sufficient. Resilience alone is not sufficient. Public attribution alone is not sufficient.

For more than a decade, the United States has invested heavily in cyber defense, information sharing, and resilience. Those investments are necessary and they have improved our ability to withstand attacks. But they have not altered adversary behavior. Malign cyber actors continue to penetrate American networks, steal sensitive data, surveil communications, and position themselves inside critical infrastructure with little fear of meaningful consequence.

That reality was reinforced again just days ago, when public reporting revealed that a Chinese state sponsored cyber actor known as Salt Typhoon compromised email systems used by staff supporting several congressional committees. This incident was the latest operation in a sustained campaign conducted by a broader group of Chinese cyber actors commonly referred to as the Typhoon cluster.

These actors are not criminals acting for profit. They are instruments of state power. Their operations are deliberate, persistent, and strategic in nature. They are designed to extract intelligence, pre position access, and shape the battlefield long before a crisis or conflict emerges. They target not only the executive branch and private industry, but now once again the legislative branch itself.

The question before this Subcommittee is not whether these threats exist. That is no longer in dispute. The question is why they continue, and what it will take to change the cost benefit calculation for adversaries who believe they can operate against the United States with impunity.

Currently, authorities for offensive cyber operations are dispersed across the Department of War, the Intelligence Community, and law enforcement, while civilian agencies like CISA play critical roles in defense, response, and resilience. Existing policy frameworks were developed for an earlier phase of the cyber threat environment, one that did not fully anticipate today's scale, speed, and persistence of state sponsored cyber activity.

They were also not designed for a world in which the vast majority of digital infrastructure targeted by adversaries is owned and operated by the private sector.

That reality is forcing a broader reassessment across the federal government. The Trump Administration has signaled its intent to pursue a more proactive and assertive cyber posture, one that emphasizes disrupting adversary capabilities before harm occurs, resetting adversary risk calculations, and exploring new ways to integrate private sector expertise into national cyber efforts.

This reflects an important recognition. The private sector is not merely a victim in cyberspace. American cybersecurity companies, cloud providers, telecommunications firms, and emerging technology startups are often the first to detect malicious activity, the first to analyze adversary tradecraft, and the first to develop tools capable of disrupting hostile infrastructure. In many cases, they already possess visibility and technical insight that rivals or exceeds that of the federal government.

The challenge is that much of this activity exists in legal and policy gray space. Companies face uncertainty about liability, retaliation, and regulatory risk. Government agencies face constraints on how they can partner, share information, and act with speed. Adversaries exploit these seams, operating continuously below the threshold of armed conflict while benefiting from ambiguity and restraint.

Today, our witnesses will help us assess how offensive cyber capabilities can be responsibly integrated into a modern homeland security framework.

I appreciate our witnesses for being here, and I look forward to their testimony and the discussion ahead.

Thank you.

###