{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreibrtmtodl7xtuc3nwhef6w3amrl6ya2ikeuwjimmmiccz24rq3hvq",
    "uri": "at://did:plc:mg5ozsljpp6t5b4lvwys4t72/app.bsky.feed.post/3mhu2yeqwbqo2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreidb5qi2cjnf357bb2spsvz34ork5c2pljhjiy7ttxa4puz5kc2wlu"
    },
    "mimeType": "image/png",
    "size": 1467536
  },
  "description": "Not all chips pose equal national security risk, directors said. They also urged more precise export controls",
  "path": "/four-nsa-directors-address-american-offensive-cyber-power/",
  "publishedAt": "2026-03-25T02:43:41.000Z",
  "site": "https://broadbandbreakfast.com",
  "tags": [
    "Learn more about the Broadband Community...",
    "Start Your Broadband Journey Here"
  ],
  "textContent": "SAN FRANCISCO, March 24, 2026 — Four directors of the National Security Agency gathered Tuesday to assess the state of American cyber warfare, from a 2008 classified network breach that triggered the creation of U.S. Cyber Command to the age of autonomous AI agents.\n\nAt the RSA Conference, the world's largest cybersecurity gathering, they said the United States had not achieved deterrence in cyberspace and debated over whether legislation was the right tool to confront its most serious threats.\n\n### _The cyber command’s origins_\n\nIn October 2008, a five-person team investigating suspicious activity on a Defense Department network found 1,500 pieces of Russian malware on a classified system. The breach was contained and patched within 42 hours, said General **Keith Alexander** , the longest-serving NSA director and founding commander of the cyber command under Presidents **George W. Bush** and **Barack Obama**.\n\nLearn more about the Broadband Community...\n\n\n                            Start Your Broadband Journey Here\n                        \n\n\"No one else in the world could have done that,\" Alexander said.\n\nSecretary of Defense **Robert Gates** called him the following Monday, Alexander said, and directed him to establish a four-star command merging NSA's intelligence authorities under Title 50, the section of U.S. law governing intelligence activities, with military operational authority under Title 10, the section governing Defense Department operations.\n\nThe foundational debate at the time was whether the U.S. needed offensive capability at all, Alexander said. For deterrence, he said, there was no alternative.\n\n\"We live in a big glass house,\" Alexander said. \"You need the offensive capability.\"\n\n### _Building the doctrine_\n\nOperationalizing what Alexander had built fell to **Mike Rogers** , who served as NSA director and Cyber Command commander from 2014 to 2018 under Presidents Obama and Trump. The decisive test came in late 2016, when the secretary of defense gave him 30 days to prove what Cyber Command could do against ISIS, the Islamic State militant group that had seized large portions of Iraq and Syria. Rogers said the operation became the template for integrating cyber effects with conventional military operations.\n\nRogers said the early years raised hard questions about precision. Could cyber operations be contained without spilling into civilian infrastructure or compromising intelligence sources?\n\n\"Can you execute cyber fires in a way that doesn't impact the kinetic world or the intelligence world?\" Rogers said.\n\nThose questions still remained unresolved when **Paul Nakasone** took command in 2018, leading the NSA and Cyber Command through 2024. He said the U.S. still lacked the policies and authorities needed for offensive cyber operations at scale.\n\nThe first six months were spent learning how to fight, the next six building partnerships, and the final six dismantling adversary infrastructure ahead of the midterm elections, he said. \"We didn't have the policies and authorities necessary.\"\n\nThe mission had expanded well beyond cyber operations in isolation, said **Tim Haugh** , NSA director and Cyber Command commander from 2024 to 2025. Generative AI, he said, had introduced new challenges the intelligence community was still working to address.\n\nSeveral of the directors argued those challenges pointed to a more fundamental problem: The U.S. had never concretely defined deterrence in cyberspace to begin with.\n\n### _The deterrence gap_\n\nThe U.S. had failed to achieve deterrence in cyberspace, Rogers argued. Without a federal data privacy framework or any major cyber legislation, the government cannot set enforceable standards or integrate the private sector into a coherent national strategy.\n\n\"We are so numb to this,\" Rogers said. \"We're starting to accept this as the price of living in the digital age.\"\n\nModerator **Ted Schlein** , chairman at venture capital firm Ballistic Ventures, pointed to deeper structural lapses: More than a year without a confirmed CISA director, rising ransomware frequency, and a potential brain drain from federal agencies.\n\nAlexander added the SolarWinds attack as a cautionary example - a 2020 supply chain compromise that silently infiltrated thousands of federal and commercial networks before anyone sounded the alarm.\n\n### _Congress versus the Executive Branch_\n\nRogers and Nakasone disagreed on whether legislation was the right tool for defining when a cyberattack warranted a U.S. response.\n\nRogers argued Congress should establish a baseline framework, setting thresholds around damage costs, repair time, and loss of life that would trigger an official response. Without those markers, the country had no clear standard for when to act.\n\nNakasone pushed back. The president and National Security Council needed room to maneuver, he said, and codifying specific red lines, predetermined boundaries that once crossed would commit the U.S. to a response, would hand adversaries a roadmap for how far they could push without consequence. When asked where the threshold for a military response to a cyberattack lies, he responded “whatever the President says it is.\"\n\nAlexander steered toward a middle ground. Companies that detected intrusions should be required to share what they found with CISA, he said, the kind of early warning that might have contained SolarWinds before it spread across thousands of networks. Legislation didn't have to solve everything, but it had to create a structure.\n\n\"The one thing worse than no legislation is bad legislation,\" he said. \"But we need a framework.\"\n\n### _China, chips, and economic warfare_\n\nTurning to China, Alexander said the most overlooked threat was not a direct cyberattack but an economic one. China did not need to fire a weapon. A naval blockade of Taiwan cutting off semiconductor supply would be enough to paralyze the American economy, he said, and the country was not prepared for it.\n\n\"Our nation would crumble,\" Alexander said. \"We're not ready.\"\n\nU.S. chip export controls needed more precision, Rogers argued. Treating all semiconductors identically made no strategic sense given the wide variation in military relevance across chip categories.\n\nThe U.S. should not be exporting its most advanced chips to adversaries under any circumstances, Nakasone added.\n\n### _The AI accountability gap_\n\nHaugh said the introduction of AI agents into critical systems was raising accountability questions no existing framework had resolved. Frameworks must be set for organizations to know what requires protecting, who is responsible, and what happens when an AI system acts without a human in the loop.",
  "title": "Four NSA Directors Address American Offensive Cyber Power",
  "updatedAt": "2026-07-08T21:57:47.614Z"
}