Contractors could hack back against adversaries, top cyber Democrat says

Rep. Eric Swalwell, the House Homeland Security Committee’s leading Democratic voice on cybersecurity matters, suggested Wednesday that government contractors could be deployed to conduct offensive cybersecurity operations against foreign adversaries.

Speaking at an Axonius event in Washington, D.C., the California congressman said the concept is worth exploring, in part, because “the federal government does not have the resources to protect every company that gets hit,” and that the moves could deter adversaries like Russia from targeting low-resourced critical infrastructure sectors.

The remarks make Swalwell one of the first Democrats to publicly suggest that the private sector take a broader role in hacking back against foreign rivals. The dynamic has been floated in recent months largely by Republicans as a way to respond to headline-making Chinese intelligence intrusions into U.S. telecom systems and other infrastructure.

“What I would be interested in exploring, so you don’t put the credit union or the public utility in a position where they have to fight Russia, is if you could have the credentialed, experienced private contractor ... do the offensive piece,” knowing that the U.S. can’t shield every company targeted in hacks, he said.

“The federal government can’t really help everybody,” he added. “But if we all just know the laws of bullies, if you let them continue to punch you, and you don’t punch back, they’re only going to continue to take your lunch money.”

The FBI and the intelligence community already have longstanding relationships with tech and cybersecurity companies whose services are embedded into their work environments, though the dynamic described by Swalwell would mean granting the private sector direct authority to offensively hack.

A handful of American intelligence and defense elements — such as the National Security Agency and U.S. Cyber Command — have legal authority to access adversaries’ networks, though much of their activities are clandestine and are not made known to the public. 

Morgan Adamski, the executive director of U.S. Cyber Command, said at an Information Technology Industry Council event Wednesday that the combatant command is looking to partner further with the private sector in 2025.

Cyber Command conducted 80 “hunt forward” missions over the past year, she said. Hunt forward operations are typically defensive and involve U.S. cyber warriors embedding into allied computer environments to observe and detect malicious cyber activity on host nation networks.

Directing the private sector to hack back may present legal challenges because private firms would have to consider the consequences of mistakenly harming civilians. But that dynamic may have to become a part of a Trump administration strategy to hack back, as Chinese cyber operatives have often used stolen credentials to target various civilian critical infrastructure systems around the country.

Republicans have publicly urged the Trump administration to spur offensive cyber operations, but they have not provided a specific roadmap, at least in public forums. In crafting a plan to carry out these activities, the Trump White House would likely have to define target sets for U.S. cyber warriors and the private sector to attack. 

In January, former NSC cybersecurity and emerging tech official Anne Neuberger told Politico that the Biden administration had conducted classified offensive cyber activities against nations that targeted U.S. critical infrastructure.

Nextgov/FCW Staff Correspondent Alexandra Kelley contributed to this report.