
US Eyes Civilian Hackers to Bolster Cyber Operations


What is at stake is whether the United States will formally enlist private, civilian hackers to do the painstaking, persistent work of gaining access to foreign computer systems while remaining under the operational control of US Cyber Command — a shift the Senate Armed Services Committee has put into its annual defense policy bill as a pilot program.

What the provision would allow

The Senate Armed Services Committee’s proposal would authorize a pilot program to assess the feasibility of conducting cyber operations limited to gaining access to systems using civilian contractors who operate on their own infrastructure, but who remain under the operational direction and authority of US Cyber Command. The provision is embedded in the committee’s annual defense policy bill; it must still survive reconciliation with the House and be signed by the president before becoming law. Breaking Defense reported that nine experts spoke about the measure.

What the measure does not authorize — and why that matters

The provision explicitly stops short of permitting contractors to carry out “effects” — actions such as denying, degrading, disrupting, destroying, or manipulating targeted systems — which the story states are not currently permitted under US law without changes in department policy and additional congressional action. Experts told Breaking Defense that gaining access is technically an operation but that cyber effects are typically viewed as offensive and as acts of war. As Herbert Lin, senior research scholar at the Center for International Security and Cooperation at Stanford University, put it, “Cyber Command clearly can’t do all of that. So the question is, how do you do it? And this seems to be a way.”

Legal exposure, escalation risks, and norms

Opinions diverge on whether the access-only approach is legally benign or provocatively risky. Kurt Sanger, formerly CYBERCOM’s deputy general counsel, described surreptitious access as more akin to a “minor trespass” than a kinetic escalation, noting that contractors “won’t be connected to anything traditionally considered a provocative activity.” By contrast, Gary Brown, a professor at National Defense University and formerly the first senior legal counsel for CYBERCOM, warned that conducting cyber operations from contractor-owned infrastructure could make those companies legitimate military targets and that the move could “muddy” long-standing US efforts to protect civilian infrastructure under international norms.

Breaking Defense also reported concerns that deputizing civilians could invite reprisals against civilian infrastructure or otherwise “nibble away” at normative protections. A former military cyber commander (speaking on condition of anonymity) questioned the oversight model, stressing the program will require significant human — not AI — attention and raising counterintelligence concerns about private-sector employees conducting operations on systems they own.

Private-sector scaling, speed, and innovation

Proponents argue the pilot would tap a private-sector advantage the US needs to match adversary capacity. Some experts told Breaking Defense that China holds a 10:1 cyber personnel advantage relative to the US, a gap the provision could help address by expanding the pool of operators and increasing the number of targets that can be held at risk. Charlie Moore, distinguished visiting professor at Vanderbilt University and former deputy commander of CYBERCOM, said the proposal signals a move “towards a much closer relationship with the private sector” and called for shifting from partnerships to “true teammates.”

Moore argued contractors on their own infrastructure can “unlock innovation at the speed of relevance” because tools can be used immediately without lengthy acquisition processes. Several former military cyber commanders told Breaking Defense that contractors maintaining persistent access would free military personnel to concentrate on effects and the “mastery” of cyber war.

How CYBERCOM, contractor firms, and nation-states are positioned

  • CYBERCOM and the Department of Defense: The pilot would keep operations under US Cyber Command’s operational direction and authority, preserving direct government control even while using contractor-owned infrastructure. Oversight, legal constraints on effects, and the need for human attention were flagged as central implementation challenges.
  • Contractor firms and security teams: Firms would gain opportunities to apply proprietary tools and maintain persistent footholds, accelerating innovation and operational scale. But they also face potential legal exposure and the risk of being viewed as legitimate military targets, per Gary Brown’s warning.
  • China and other nation-states: Experts told Breaking Defense that Russia and, to a lesser extent, China already leverage private-sector actors implicitly to advance state objectives. The provision is positioned as a way to narrow a manpower imbalance and hold more targets at risk, but some warned it could be perceived as offensive and prompt escalation or reprisals.

The provision’s introduction is consequential even if its passage is uncertain. It reprioritizes how the US might scale persistent access in cyberspace, wrestling with trade-offs between operational reach and legal, normative, and security risks. The next concrete steps are legislative: the Senate and House must reconcile their versions of the National Defense Authorization Act and the president must sign the final bill before this pilot can move forward.
