Top NSC official wants to normalize offensive hacking as tool of US might

SAN FRANCISCO — In his first major discussion as the top cybersecurity official in the National Security Council, Alexei Bulazel said he wants to normalize the use of offensive cyber activity as a tool of U.S. national power.

At the RSAC Conference in San Francisco, Bulazel — a former NSC cyber policy director in President Donald Trump’s first term — told an audience of cybersecurity practitioners that the U.S. “could respond in-kind” to cyberattacks from China and other adversaries that have targeted various critical infrastructure systems across the nation.

He said the U.S. could “punch back” and argued that the Biden White House and prior administrations had been more hesitant to do this. 

“I’d also add that not responding is escalatory in its own right,” Bulazel said, contending that letting adversaries “walk all over you” incentivizes them to continue their activities. “You need to find some way to communicate this is not acceptable.”

The remarks, delivered just over 100 days into Donald Trump’s second term, are the clearest indication from the upper echelons of the White House to date that the U.S. is working out ways to hack back against foreign enemies and rivals. The dynamic has been in discussions for months, as Trump allies and others said the U.S. needed to respond to hacks carried out by Chinese government-aligned espionage groups that have accessed American telecom networks and other critical infrastructure.

One topic raised were letters of marque, a historically maritime legal mechanism used to authorize private entities to conduct warfare against enemy nations. While there have been discussions about it for years, Bulazel called the concept “ridiculous” and said that ideas to give the private sector legal permission to have more independent hacking authorities have been “taken to the absolute extremes.”

Besides offensive hacking, he said the U.S. should rethink the role it plays in protecting the private sector from cyberattacks, and stressed that administration officials want to engage further with industry counterparts to better share threat information. 

As for the Office of the National Cyber Director — whose nominated leader has not yet been confirmed — Bulazel said he expects the agency to continue on a major deregulation push in tandem with regulatory harmonization efforts kicked off during the Biden administration. 

Bulazel also discussed the Cyber Safety Review Board, which was established during the Biden administration to investigate major cybersecurity incidents but was disbanded shortly after Trump stepped back into the Oval Office. 

He said solutions around that will ultimately be addressed by Sean Plankey — nominated to run the Cybersecurity and Infrastructure Security Agency in DHS — but that in the past, it’s been hard to have experts on the board discuss sensitive cyber issues without raising potential conflicts of interest. Plankey’s nomination has been put on hold in the Senate because a top lawmaker is demanding the agency publicly release a 2022 report on telecom security vulnerabilities.

On CISA itself, Bulazel said the agency had a troubled past when it worked to taper disinformation online, a view widely shared by Trump officials who accused the agency of censorsing politically conservative viewpoints online. The mindset has prompted efforts in Trump 2.0 to significantly reduce the agency’s size and scope. 

“In this administration, we’re committed to having CISA stay laser-focused on the two things that are in its name, which are cybersecurity and infrastructure security,” he said.

Bulazel also indicated that he would be open to discussions about whether the dual-hatted leadership between NSA and U.S. Cyber Command should be split up, but did not opine to any particular side.

On spyware, Bulazel flagged that the U.S. recently signed onto the internal Pall Mall pact that commits to curb global spyware abuses, but noted that nation-states are still likely to use spyware as a tool for intelligence collection. “We’re going to obviously recognize the importance of them,” he said.