What ‘proactive cyber’ means: Despite the more aggressive language, this shift toward private-sector involvement doesn’t envision vigilante-style payback by aggrieved organizations. It instead embraces a more systematic effort to interfere with adversaries earlier in the attack chain using authorities and capabilities that already exist.

“To be clear, this is not hacking back,” Joyce said. “This is the legal and ethical use of intelligence to protect our own platforms.”

In practice, that approach combines civil litigation, coordinated takedowns, public exposure of tools, and product hardening. The goal is to impose cost and friction across the ecosystem rather than to stop individual intrusions.

“Our goal is to shift the economics of the entire ecosystem, to make cyber threat operations so costly, so difficult, so risky, that it is no longer a viable path for any adversary,” Joyce said.

Hultquist underscores that this kind of disruption has real but limited effects. “We’re looking for operations that will have a longer-lasting effect on adversaries, or we can repeat at such a tempo that we can actually maintain the effect,” he says.

That dynamic is central to how proactive cyber is now being framed. Disruption is not a permanent solution; it is a way to degrade adversary capability and buy time.

Gerstell offers a practical boundary for where that activity becomes more controversial. “If you’re doing something only on your own network, it sounds defensive,” he says. “If you’re doing something on somebody else’s network, it sounds offensive.”
Why the private sector is central: The shift toward proactive cyber is rooted in who controls the terrain. “The private sector operates the very infrastructure that adversaries abuse,” Joyce said.

At the same time, the scale of cyber threats exceeds what the government can handle alone.

“There’s no world in which the government can do all the things,” Cynthia Kaiser, former FBI cyber deputy director and now SVP at Halcyon, tells CSO. “When I was at the FBI, there was no world in which you could do all the things.”

That has led to a push for deeper operational integration between government and industry, combining private-sector visibility and speed with public-sector authority.

Adam Maruyama, former CTO and DoD and NSA analyst and counterterrorism expert, says the shift toward more proactive action is necessary but lacks clear rules. Acting earlier in the attack chain, he notes, raises questions about how those operations should be conducted across jurisdictions and how they should be coordinated with allies.

“Once you start acting outside your own network, you’re immediately dealing with questions of jurisdiction and coordination,” Maruyama tells CSO. “Those aren’t fully worked out.”

Without that clarity, more assertive disruption efforts risk creating friction even among partners, particularly when infrastructure sits outside US control.

National Cyber Director Sean Cairncross framed the goal as correcting an imbalance. “The risk calculus on our adversary side in this space doesn’t seem to be calibrated correctly,” he said at the McCrary Institute Cyber Summit in March.

But Cairncross drew a clear boundary around private-sector action. “I am not talking about private sector industry or companies engaging in a cyber offensive campaign,” he said. “That’s not what we’re talking about.”
The fault lines: How far is too far: Agreement on the need to act earlier does not extend to agreement on how far those actions should go.

Kaiser sees a practical path in focusing on criminal actors, where legal authorities are clearer and escalation risks are lower. “I think the least risky way in which industry can help on this front is with criminal actors,” she says, pointing to infrastructure takedowns and recovery of stolen funds.

She also argues that legal frameworks may need to evolve. “The primary thing I’d like to see is re-looking at the laws as they exist now and seeing if there are ways in which industry can help more with taking down infrastructure and clawing back stolen funds,” she says.

Others are more cautious. Maruyama points to the complexity of globally distributed infrastructure. “What if their infrastructure is hosted not in North Korea, but in France … or a semi-allied country like Malaysia?” he asks.

Hultquist reinforces caution from an operational standpoint, but stresses the importance of effectiveness in targeting. That is one reason why Joyce said in her keynote that whatever tactic Google uses against adversaries, it intends for them to “stay burned.” Hultquist says, “We are committed to operations that have lasting effects.”
Who can do this: Even if those tensions are resolved, the ability to carry out proactive disruption is concentrated among a small number of actors.

“This is something that Google can do [and that] Microsoft has done and can do,” Gerstell says. “A medium-sized company probably can’t.”

The requirements include not just technical capability but legal authority, operational scale, and control over infrastructure. Large platform providers can act within environments they own and can absorb the risks associated with disruption. Most enterprises cannot.

Even among organizations that could act, willingness varies. “Some of them could do it, but don’t want to,” Gerstell says.
What should CISOs do?: For enterprise security leaders, the shift toward proactive cyber does not expand their mandate to take on offensive or disruption roles. Instead, reinforcing core cybersecurity fundamentals remains the priority.

“The basic blocking and tackling is still critical,” Gerstell says.

Kaiser frames the enterprise role as participation rather than initiative. “What more can we all do?” she asks, particularly in supporting takedowns and recovery efforts where industry can act “more quickly and nimbly than the government can.”

That participation requires operational readiness: the ability to share telemetry quickly, preserve evidence, and respond in real time when providers or law enforcement act against adversary infrastructure.

For CISOs, that means upstream disruption does not reduce the need for internal resilience. Even as governments and large cybersecurity providers increase pressure on attackers, enterprises should expect continued activity, often from the same actors operating in slightly different ways.

At the same time, the legal limits remain clear. Acting outside an organization’s own environment introduces risks that most enterprises are not equipped to manage. The practical role for CISOs is not to become more aggressive, but to operate effectively in a system where others increasingly handle disruption.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4154228/the-rise-of-proactive-cyber-why-defense-is-no-longer-enough.html