Lawfare Daily: Sezaneh Seymour and Brandon Wales on Private-Sector Cyber Operations

Summary

The Lawfare Podcast: Deep Dive into Private-Sector Cyber Operations with Cezanne Seymour and Brandon Wales

Release Date: July 29, 2025

Introduction

In the episode titled Lawfare Daily: Cezanne Seymour and Brandon Wales on Private-Sector Cyber Operations, hosted by Alan Rosenstein of The Lawfare Institute, the conversation centers around the pressing issue of cyber threats and the potential role of the private sector in combating these challenges. Joining Alan are Cezanne Seymour, former Senior Editor at the National Security Council, and Brandon Wales, former Executive Director of the Cybersecurity and Infrastructure Security Agency (CISA). Together, they delve into their collaborative research report, "Partners or Provocateurs," which explores the feasibility and implications of authorizing private companies to engage in offensive cyber operations.

The Cybersecurity Landscape and Current Challenges

Brandon Wales opens the discussion by highlighting the persistent nature of cyber threats:

"The threats that we are facing in cyber have not been sufficiently managed using the tools that we have. To date, they have not sufficiently worked. We still have a ransomware epidemic in this country. We still have nation-states that operate with near impunity in cyber. They're looking for additional tools, and hackback is one of them."
[02:30]

Alan Rosenstein sets the stage by introducing the guests and their backgrounds, emphasizing the significance of leveraging private-sector capabilities to bolster national cybersecurity.

Framework Over Concrete Proposals

When questioned about their approach to proposing policy changes, Cezanne Seymour explains the rationale behind presenting a framework rather than a specific proposal:

"It's very easy to get lost in technical jargon in the cybersecurity conversations and forget that this isn't just about networks and hackers. It's really about national security risks that we're facing because of our systemically poor digital resilience... We're trying to lay out a first principle series of questions that we think are worth a thoughtful dispassionate discussion."
[04:26]

Brandon Wales adds nuance by stressing the complexity of the issue and the need for policymakers to have various options:

"There are multiple layers of complexity around this issue, each of which requires careful consideration as part of any policymaking process... We wanted to feed the policy process with the kind of information that will be essential for policymakers to come up with the best option."
[05:42]

Defining Cyber Operations: Defense vs. Offense

A significant portion of the discussion focuses on clarifying the types of cyber operations:

Brandon Wales distinguishes between defensive and offensive operations:

"Defensive operations are things that you're doing on your own network. Offensive operations are when you're going to be touching someone else's network, an adversary's network."
[07:11]

Cezanne Seymour offers a contrasting perspective, noting the blurred lines between these categories in real-world scenarios:

"In government, we think about offense and defense as two, or at least I used to think about them as two circles on a Venn diagram with almost no overlap... some overlap... the challenge may just be that they're not happening at scale or it's taking too long to be able to make them lawful to happen."
[08:23]

Timing and Relevance of the Research

Alan Rosenstein probes the urgency of the paper's release, given the ongoing debates around hacking back. Brandon Wales responds by pointing to increased legislative interest:

"There is certainly far more interest on the Hill than there has been in a long time... We still have a ransomware epidemic... They're looking for additional tools and hackback is one of them."
[09:47]

Cezanne Seymour underscores the escalating value of intangible assets in the digital economy and the corresponding rise in cyber threats:

"Over 90% of the S&P 500's value is in intangible assets like software, data, intellectual property... Internet connectivity has enabled hackers... why should we just continue to take punches? Why can't private companies punch back?"
[10:42]

Policy Objectives and Strategic Goals

The discussion shifts to identifying the strategic objectives behind enabling private-sector cyber operations. Cezanne Seymour emphasizes the importance of defining clear goals before shaping policy:

"What's clear is... the goal really is to expand capacity, the ability to act more quickly than currently we can... There is an aspect of participation that can actually complement the picture in a way that's, you know, advances our national security and resilience goals."
[16:56]

Brandon Wales concurs, highlighting the need to maximize private-sector innovation while minimizing risks:

"How do we get the most out of the private sector? Because that is really a strategic advantage for the United States."
[20:36]

Operational Mechanics: Balancing Speed and Control

Alan Rosenstein explores the practical models for private-sector engagement in cyber operations. Brandon Wales outlines the spectrum of government involvement:

"The more the US Government is involved, the more it can control the impact... The less it's involved, potentially some of that information is not available to the private sector... If you're trying to speed up the speed and scale of operations, then you want to reduce friction."
[21:17]

Cezanne Seymour further elaborates on potential models, including licensing regimes that allow predefined responses:

"Are you going to give entities permission to basically act immediately when they're attacked... There's the question of giving permission to those entities before or forcing entities to come to the government for permission after they're attacked."
[23:00]

Legal Considerations: Navigating the CFAA and Beyond

A critical segment of the conversation addresses the legal barriers to private-sector cyber operations. Cezanne Seymour articulates the limitations imposed by current U.S. law:

"Under the Computer Fraud and Abuse Act... any effort to access another system without authorization can trigger liability. So CFAA has to be addressed in some real way."
[34:17]

Brandon Wales reinforces the necessity for legislative action to provide clarity and authority:

"You'll need some type of congressional action either to amend the CFAA or to pass some other type of legislation that will give certain authorities... The private sector's ability to conduct hack back requires very clear statutory clarity."
[35:15]

International Law and Attribution Challenges

Alan Rosenstein introduces the complexities of international law and the risks of collateral damage in offensive cyber operations. Cezanne Seymour highlights the difficulties multinational companies would face:

"The global legal context is so important because... if the US moves in this direction, we would be the first to explicitly authorize... what the implications are both domestically and internationally."
[43:45]

Brandon Wales elaborates on the practical challenges, noting that companies might limit operations to regions with lower legal liabilities:

"They may be willing to conduct operations in places like Iran or China directly, but not in Western European countries... because of the potential for criminal and civil legal risk in third countries."
[45:20]

Concluding Reflections: Government's Role and Future Directions

In wrapping up, Alan Rosenstein poses a fundamental question about the necessity of private-sector involvement in cyber operations. Brandon Wales draws a historical parallel to privateers and emphasizes the insufficiency of government efforts alone:

"We are not meeting the moment the threats are more aggressive and at a scale where government action alone has proven insufficient... Offensive cyber operations may be part of that conversation, but that alone isn't going to be enough."
[48:21]

Cezanne Seymour adds a critical perspective on national resilience, advocating for a multifaceted policy approach beyond just offensive measures:

"If our national end goal is resilience, then there are probably much more effective policy changes that we should be prioritizing... standards, software liability, etc. Offensive operations aren't a silver bullet."
[51:48]

Alan closes the episode by thanking the guests and reiterating the importance of the ongoing dialogue around enhancing national cybersecurity through strategic public-private partnerships.

Key Takeaways

Complexity of Private-Sector Cyber Operations: Defining clear boundaries and objectives is essential to avoid unintended consequences and ensure effective collaboration between government and private entities.
Legal Hurdles: Current U.S. laws, particularly the Computer Fraud and Abuse Act (CFAA), pose significant barriers. Legislative reforms are necessary to provide the private sector with the authority to engage in offensive cyber activities legally.
International Implications: Operating across borders introduces challenges related to international law and the risk of collateral damage, making it imperative to consider global legal standards and cooperation.
Strategic Necessity: Given the scale and sophistication of existing cyber threats, a combined effort involving both government and private sector entities is vital for enhancing national resilience and security.
Beyond Offensive Measures: Strengthening digital resilience through comprehensive policy reforms, including improving infrastructure security and reducing the burden on end-users, is crucial alongside any offensive cyber strategies.

Notable Quotes with Timestamps

Brandon Wales on insufficient current tools:
"We still have a ransomware epidemic in this country... hackback is one of them."
[02:30]
Cezanne Seymour on the importance of defining objectives:
"What are we trying to accomplish here when we talk about offensive cyber operations..."
[04:26]
Brandon Wales on government involvement affecting speed:
"... the more the US Government is involved, the more it controls the impact... the less it's involved, potentially some of that information is not available to the private sector."
[21:17]
Cezanne Seymour on digital resilience:
"If our national end goal is resilience, then there are probably much more effective policy changes that we should be prioritizing..."
[51:48]

This comprehensive discussion underscores the evolving landscape of cybersecurity, the shifting roles of government and private entities, and the intricate balance between defensive measures and the potential for offensive operations by non-state actors. As cyber threats continue to escalate, the insights shared by Cezanne Seymour and Brandon Wales provide a critical framework for policymakers and stakeholders aiming to fortify national and economic security in the digital age.

Summary

The Lawfare Podcast: Deep Dive into Private-Sector Cyber Operations with Cezanne Seymour and Brandon Wales

Release Date: July 29, 2025

Introduction

The Cybersecurity Landscape and Current Challenges

Brandon Wales opens the discussion by highlighting the persistent nature of cyber threats:

"The threats that we are facing in cyber have not been sufficiently managed using the tools that we have. To date, they have not sufficiently worked. We still have a ransomware epidemic in this country. We still have nation-states that operate with near impunity in cyber. They're looking for additional tools, and hackback is one of them."
[02:30]

Alan Rosenstein sets the stage by introducing the guests and their backgrounds, emphasizing the significance of leveraging private-sector capabilities to bolster national cybersecurity.

Framework Over Concrete Proposals

When questioned about their approach to proposing policy changes, Cezanne Seymour explains the rationale behind presenting a framework rather than a specific proposal:

"It's very easy to get lost in technical jargon in the cybersecurity conversations and forget that this isn't just about networks and hackers. It's really about national security risks that we're facing because of our systemically poor digital resilience... We're trying to lay out a first principle series of questions that we think are worth a thoughtful dispassionate discussion."
[04:26]

Brandon Wales adds nuance by stressing the complexity of the issue and the need for policymakers to have various options:

"There are multiple layers of complexity around this issue, each of which requires careful consideration as part of any policymaking process... We wanted to feed the policy process with the kind of information that will be essential for policymakers to come up with the best option."
[05:42]

Defining Cyber Operations: Defense vs. Offense

A significant portion of the discussion focuses on clarifying the types of cyber operations:

Brandon Wales distinguishes between defensive and offensive operations:

"Defensive operations are things that you're doing on your own network. Offensive operations are when you're going to be touching someone else's network, an adversary's network."
[07:11]

Cezanne Seymour offers a contrasting perspective, noting the blurred lines between these categories in real-world scenarios:

"In government, we think about offense and defense as two, or at least I used to think about them as two circles on a Venn diagram with almost no overlap... some overlap... the challenge may just be that they're not happening at scale or it's taking too long to be able to make them lawful to happen."
[08:23]

Timing and Relevance of the Research

Alan Rosenstein probes the urgency of the paper's release, given the ongoing debates around hacking back. Brandon Wales responds by pointing to increased legislative interest:

"There is certainly far more interest on the Hill than there has been in a long time... We still have a ransomware epidemic... They're looking for additional tools and hackback is one of them."
[09:47]

Cezanne Seymour underscores the escalating value of intangible assets in the digital economy and the corresponding rise in cyber threats:

"Over 90% of the S&P 500's value is in intangible assets like software, data, intellectual property... Internet connectivity has enabled hackers... why should we just continue to take punches? Why can't private companies punch back?"
[10:42]

Policy Objectives and Strategic Goals

"What's clear is... the goal really is to expand capacity, the ability to act more quickly than currently we can... There is an aspect of participation that can actually complement the picture in a way that's, you know, advances our national security and resilience goals."
[16:56]

Brandon Wales concurs, highlighting the need to maximize private-sector innovation while minimizing risks:

"How do we get the most out of the private sector? Because that is really a strategic advantage for the United States."
[20:36]

Operational Mechanics: Balancing Speed and Control

Alan Rosenstein explores the practical models for private-sector engagement in cyber operations. Brandon Wales outlines the spectrum of government involvement:

"The more the US Government is involved, the more it can control the impact... The less it's involved, potentially some of that information is not available to the private sector... If you're trying to speed up the speed and scale of operations, then you want to reduce friction."
[21:17]

Cezanne Seymour further elaborates on potential models, including licensing regimes that allow predefined responses:

"Are you going to give entities permission to basically act immediately when they're attacked... There's the question of giving permission to those entities before or forcing entities to come to the government for permission after they're attacked."
[23:00]

Legal Considerations: Navigating the CFAA and Beyond

A critical segment of the conversation addresses the legal barriers to private-sector cyber operations. Cezanne Seymour articulates the limitations imposed by current U.S. law:

"Under the Computer Fraud and Abuse Act... any effort to access another system without authorization can trigger liability. So CFAA has to be addressed in some real way."
[34:17]

Brandon Wales reinforces the necessity for legislative action to provide clarity and authority:

"You'll need some type of congressional action either to amend the CFAA or to pass some other type of legislation that will give certain authorities... The private sector's ability to conduct hack back requires very clear statutory clarity."
[35:15]

International Law and Attribution Challenges

"The global legal context is so important because... if the US moves in this direction, we would be the first to explicitly authorize... what the implications are both domestically and internationally."
[43:45]

Brandon Wales elaborates on the practical challenges, noting that companies might limit operations to regions with lower legal liabilities:

"They may be willing to conduct operations in places like Iran or China directly, but not in Western European countries... because of the potential for criminal and civil legal risk in third countries."
[45:20]

Concluding Reflections: Government's Role and Future Directions

"We are not meeting the moment the threats are more aggressive and at a scale where government action alone has proven insufficient... Offensive cyber operations may be part of that conversation, but that alone isn't going to be enough."
[48:21]

Cezanne Seymour adds a critical perspective on national resilience, advocating for a multifaceted policy approach beyond just offensive measures:

"If our national end goal is resilience, then there are probably much more effective policy changes that we should be prioritizing... standards, software liability, etc. Offensive operations aren't a silver bullet."
[51:48]

Alan closes the episode by thanking the guests and reiterating the importance of the ongoing dialogue around enhancing national cybersecurity through strategic public-private partnerships.

Key Takeaways

Complexity of Private-Sector Cyber Operations: Defining clear boundaries and objectives is essential to avoid unintended consequences and ensure effective collaboration between government and private entities.
Legal Hurdles: Current U.S. laws, particularly the Computer Fraud and Abuse Act (CFAA), pose significant barriers. Legislative reforms are necessary to provide the private sector with the authority to engage in offensive cyber activities legally.
International Implications: Operating across borders introduces challenges related to international law and the risk of collateral damage, making it imperative to consider global legal standards and cooperation.
Strategic Necessity: Given the scale and sophistication of existing cyber threats, a combined effort involving both government and private sector entities is vital for enhancing national resilience and security.
Beyond Offensive Measures: Strengthening digital resilience through comprehensive policy reforms, including improving infrastructure security and reducing the burden on end-users, is crucial alongside any offensive cyber strategies.

Notable Quotes with Timestamps

Brandon Wales on insufficient current tools:
"We still have a ransomware epidemic in this country... hackback is one of them."
[02:30]
Cezanne Seymour on the importance of defining objectives:
"What are we trying to accomplish here when we talk about offensive cyber operations..."
[04:26]
Brandon Wales on government involvement affecting speed:
"... the more the US Government is involved, the more it controls the impact... the less it's involved, potentially some of that information is not available to the private sector."
[21:17]
Cezanne Seymour on digital resilience:
"If our national end goal is resilience, then there are probably much more effective policy changes that we should be prioritizing..."
[51:48]

wavePod

Powered by Wave AI

Summary

Summary