Ex-NSA Directors Discuss 'Red Line' for Offensive Cyberattacks

Four former NSA chiefs representing a near-complete history of US Cyber Command debate the role of offensive cyber in the government at RSAC.


RSAC 2026 CONFERENCE – San Francisco – When it comes to cyberattacks, what crosses the "red line" and justifies a kinetic response?

That was one of the major questions posed to four former National Security Agency (NSA) directors and US Cyber Command leaders, who weighed in on the US government's offensive cybersecurity strategy as part of a keynote panel at RSAC 2026 Conference on Tuesday.

The keynote, titled "Inside Offensive Cyber: Lessons from Four NSA Directors," featured Tim Haugh, Paul Nakasone, Mike Rogers, and Keith Alexander. Alexander was appointed by former President Barack Obama to establish and lead the US Cyber Command, and was succeeded in the post by Rogers, Nakasone, and Haugh, respectively.

The panel followed the release of President Donald Trump's cyber strategy earlier this month, which prioritized offense and deterrence. Offensive cyber in a military context covers a wide range of activity. It can include taking down threat actor infrastructure and conducting surveillance against adversaries (as the US has been repeatedly accused of doing against China and others). It also includes attacks like Stuxnet, which caused major damage to Iran's nuclear program and has been attributed to the US and Israel, though neither government has formally confirmed involvement.

The 50-minute discussion, moderated by venture capitalist Ted Schlein, covered a wide range of topics, such as how the US's view toward offensive cyber has evolved over time from a more secretive concept to something public-facing. The panelists also discussed how the NSA became the basis of US military cyberwarfare, the evolving (and increasing) role of the private sector, and the idea that offensive capabilities are necessary to defend the country.

Alexander said early detractors of the US's move into offensive cyber argued against the Internet becoming a place for warfare. "It already is," he said. "Because it is, we have to be the best at it, because our nation is the most digitized nation in the world."

While much of the conversation was generally in support of offensive cyber actions, two of the most interesting questions involved whether the US government still cares about cyber, and what the so-called "red line" is where a cyberattack may be met with kinetic military force (something the Obama administration reserved the right to do back in 2011).

The Red Line of Offensive Cyber

During the discussion, Schlein asked about how government officials determine where the red line is for cyberattacks that reach a certain level of severity.

Nakasone put it bluntly. "Whatever the president says [the red line] is, that's it at the end of the day," he said. "That's the determination, and we can all think what it is, but he's the one that determines whether or not we're going to take some type of distinct action based upon this."

Rogers added to this, saying that, when working with President Obama, the former commander advocated in favor of establishing criteria for when kinetic response may be appropriate, such as when a cyberattack directly causes loss of life.

Speaking to the broader topic of responding to adversaries, Haugh said that what all commanders would do in these cases is to "give options to our policymakers" for varying levels of response and the associated risk, so that others can take that counsel based on what decisionmakers may be comfortable with.

Alexander said that, as a commander, "you need to give the president and the National Security Council flexibility to respond." What you don't want, he said, is to have hard rules that leave no room for flexibility or context, because there may be situations where the president decides that, for example, launching missiles as a response to a cyberattack isn't the best course of action, even if that attack fits certain criteria. To that end, Alexander argued against having legislation that codifies such policies into laws, because "you don't want Congress legislating something that they don't really understand."

Does the US Still Care About Cyber?

At one point, Schlein asked, "Does this country care that much about cyber?" It's a question worth asking in the wake of CISA facing massive layoffs (like other federal agencies) and the Cyber Safety Review Board getting effectively shuttered shortly after Trump's inauguration.

At this year's RSAC Conference, the US government had effectively zero official presence compared to a fairly prominent one in previous years. Agencies abruptly pulled out of the show as former CISA Director Jen Easterly was hired as RSAC CEO back in January.

There were some different approaches to this question. Alexander was more diplomatic, saying, "I think the key players in cyber continue to do what they need to do and train, get ready and do their operation. … My experience is they're out there working just as hard as they ever were and they're progressing."

Rogers was more directly critical of the current administration.

"I see a private sector that is very network owners that are very energized and focused. I see a government that's unwilling to expend political capital to really drive fundamental change in cyber," he said. "And it's a reflection of the fact that, politically, we are so divided and as a society, we are so divided. Think about it, we're the largest economy in the world. We don't have a single federal data privacy framework. We don't have a single major piece of cyber legislation, and compare that with the rest of the Five Eyes as examples."

Rogers said the situation "frustrates the hell out of me personally," adding that there's a notable lack of cooperation between the government and the cybersecurity industry. "We need political leadership synchronized with the private sector to get where we need to go," he said. "And neither can do it by themselves. It just isn't there."
 