{"id":155335,"date":"2026-06-24T06:30:23","date_gmt":"2026-06-24T14:30:23","guid":{"rendered":"https:\/\/xira.com\/p\/2026\/06\/24\/senate-armed-services-committee-advances-provision-to-allow-contractor-cyber-operations\/"},"modified":"2026-06-24T06:30:23","modified_gmt":"2026-06-24T14:30:23","slug":"senate-armed-services-committee-advances-provision-to-allow-contractor-cyber-operations","status":"publish","type":"post","link":"https:\/\/xira.com\/p\/2026\/06\/24\/senate-armed-services-committee-advances-provision-to-allow-contractor-cyber-operations\/","title":{"rendered":"Senate Armed Services Committee Advances Provision To Allow Contractor Cyber Operations"},"content":{"rendered":"<p>The post <a href=\"https:\/\/breakingdefense.com\/2026\/06\/sasc-advances-provision-to-allow-contractor-cyber-operations\/\" rel=\"nofollow noopener\" target=\"_blank\">Senate Armed Services Committee Advances Provision To Allow Contractor Cyber Operations<\/a> appeared first on <a href=\"https:\/\/abovethelaw.com\/\" rel=\"nofollow noopener\" target=\"_blank\">Above the Law<\/a>.<\/p>\n<p>WASHINGTON \u2014 Tucked in the Senate Armed Services Committee\u2019s annual defense policy bill is a provision to partner the US government with civilian hackerswho experts and former military officials say could helpthe US tip the scales against China\u2019s far deeper bench of cyber operators.<\/p>\n<p>The committee seeks to authorize a pilot program that would assess the feasibility of conducting cyber operations limited to gaining access tosystems <mark class=\"has-inline-color has-black-color\">using civilian contractors with their own infrastructure<\/mark>, but still under the operational direction and authority of US Cyber Command. It\u2019s not clear the provision will become law, as the Senate and House must reconcile their versions of the National Defense Authorization Act before passing each chamber and receiving the president\u2019s signature.<\/p>\n<p>But the fact that this is being introduced is significant, according to nine experts who spoke with Breaking Defense. Some experts raised concerns that deputizing civilian hackers could trigger reprisals against civilian infrastructure and flout international norms; others see the provision as a chance to expand the US government\u2019s cyber ranks and lean on America\u2019s private sector advantage over China.<\/p>\n<p>\u201cI am hopeful this is indicative that inside the Department of War, but also up on Capitol Hill, people understand that we need to move towards a much closer relationship with the private sector,\u201d Charlie Moore, distinguished visiting professor at Vanderbilt University and former deputy commander of CYBERCOM, told Breaking Defense in an interview. \u201cWe have to move beyond what we typically call partnerships and into becoming true teammates. The only way we\u2019re going to scale to meet the qualitative and quantitative capabilities that we need against the likes of China is through close teamwork with the private sector.\u201d<\/p>\n<p>Some experts have raised alarm bells that <a href=\"https:\/\/breakingdefense.com\/2026\/05\/in-cyber-race-against-china-cybercom-bets-on-quality-over-quantity\/\" rel=\"nofollow noopener\" target=\"_blank\">China holds a 10:1 cyber personnel advantage<\/a> relative to the US,where military cyber operators are in short supply. The Senate Armed Services Committee\u2019s proposalcould help even the playing field.<\/p>\n<p>Russian, and to a lesser extent, Chinese actors implicitly deploy their private sector actors to conduct illicit cyber activity on behalf of the state as a means to achieve strategic objectives with some level of deniability.<\/p>\n<p>Cyber operations are incredibly time consuming. In order to hit a target in the cyber domain, unlike dropping a bomb in the physical realm, operators need to gain access \u2014 which can take months to years \u2014 maintain that access, map the network and plan a tool for the effect. That foothold in a targeted system must then be covertly maintained until the order is given to attack, which could come years later or not at all.<\/p>\n<p>\u201cThe solution to that problem is let\u2019s just penetrate everything that the president might want to attack, and that\u2019s a big deal because that\u2019s a lot of targets,\u201d Herbert Lin, senior research scholar at the Center for International Security and Cooperationat Stanford University, told Breaking Defense. \u201cCyber Command clearly can\u2019t do all of that. So the question is, how do you do it? And this seems to be a way.\u201d<\/p>\n<p>The Senate provision follows discussions over the years to have industry take a more direct role in cyber operations. Those include \u201chack-back\u201d proposals to allow companies to go after hackers who steal their materials, and repurposing a clause of the US Constitution once used to issue \u201cLetters of Marque and Reprisal\u201d to privateers attacking enemy vessels to instead<a href=\"https:\/\/cyberscoop.com\/google-cybersecurity-disruption-unit-active-defense-hack-back\/\" rel=\"nofollow noopener\" target=\"_blank\">deputize companies to conduct cyber operations<\/a> on behalf of the government.<\/p>\n<p>The benefit of the latest Senate provision is it allows the US government to retain direct control of operations, according to Moore.<\/p>\n<p>\u201cThese are cyber operations conducted under direct oversight and control of Title 10 operators,\u201d he said.<\/p>\n<p>The provision stops short of greenlighting contractors to conduct \u201ceffects,\u201dwhich are not currently permitted under US law and would require department policy changes and congressional action.<\/p>\n<p>While gaining access is technically considered an operation, a few experts whospoke to Breaking Defense noted that cyber effects \u2014 denying, degrading, disrupting, destroying, or manipulating targeted systems \u2014 are typically considered offensive, an act of war, and must be conducted by a government entity.<\/p>\n<p>However, just the act of gaining access could be perceived by some foreign countries as an offensive action.<\/p>\n<p>\u201cIt\u2019s analogous to [saying], \u2018let\u2019s have the North Koreans dig a tunnel under the DMZ into South Korea,\u2019 but they don\u2019t send any troops in, they just dig a hole. Now, nobody believes they\u2019re going to send people with flowers, but they haven\u2019t done anything,\u201d Lin said. \u201cDoes that count as an attack? It certainly counts as unfriendly, but is it an attack? As I say, that\u2019s for lawyers to decide.\u201d<\/p>\n<p>Kurt Sanger, formerly CYBERCOM\u2019s deputy general counsel, doesn\u2019t see this paradigm as particularly controversial. Surreptitiously accessing foreign networks, he said, is akin to unlocking a door one is not authorized to open. That could be considered a minor trespass rather than a burglary.<\/p>\n<p>\u201cIt\u2019s not the same as intel gathering because you\u2019ve taken a step towards having a cyber effect,\u201d Sanger added. \u201cBut given the nature of the effects most US cyber operations cause, contractors won\u2019t be connected to anything traditionally considered a provocative activity, and certainly [this]isn\u2019t the type of kinetic activity that has led to escalation.\u201d<\/p>\n<p>Some experts equated these operations to the contractor-owned and -operated surveillance flights the US military already outsources to contractors who gather intelligence but don\u2019t conduct effects. <\/p>\n<p>The activities could still open industry up to some level of liability. While defense contractors have long been subject to cyber intrusions \u2014 such as the <a href=\"https:\/\/thediplomat.com\/2015\/01\/new-snowden-documents-reveal-chinese-behind-f-35-hack\/\" rel=\"nofollow noopener\" target=\"_blank\">Chinese purporting to have stolen the specs for the F-35 from Lockheed Martin\u2019s network<\/a> \u2014 conducting cyber operations on their own infrastructure as opposed to government systems could make them legitimate military targets, a<mark class=\"has-inline-color has-black-color\">ccording to Gary Brown, a professor at National Defense University and formerly the first senior legal counsel for CYBERCOM<\/mark>.<\/p>\n<p>A former military cyber commander who also spoke on condition of anonymity questioned what the oversight for this Senate provision would look like, noting it will require significant human \u2014 not AI \u2014 attention, and it must strike a balance between proper oversight and not stifling the pilot effort with micromanagement. The commander also raised possible counterintelligence concerns regarding the risk of private sector employees <mark class=\"has-inline-color has-black-color\">conducting government-sanctioned cyber operations on their own infrastructure and the possibility of exposing tradecraft.<\/mark><\/p>\n<p><mark class=\"has-inline-color has-black-color\">There is also the issue of international norms. Brown pointed to how the US has sought to maintain certain normative behaviors in cyberspace over the years, including by carving out protections for civilian infrastructure. He worried the Senate provision could \u201cmuddy\u201d those waters and \u201cnibble away\u201d at that system, possibly opening the door to more regular attacks on civilian infrastructure.<\/mark><\/p>\n<p>Several experts who spoke to Breaking Defense said the Senate provision could help scale US cyber capabilities against the likes of China, noting it\u2019s the only way the government can keep upto the level of manpower China employs in this space. Leveraging private industry would immediately increase the number of targets that can be held at risk by US agents, another <mark class=\"has-inline-color has-black-color\">former military cyber official said<\/mark>.<\/p>\n<p>As a manmade domain, cyber is unique in that it requires persistent attention and maintenance of a target to ensure access remainseven as patches and fixes are rolled out. With contractors doing that day-to-day work, military personnel are free to focus on effects and the \u201c<a href=\"https:\/\/breakingdefense.com\/2026\/05\/in-cyber-race-against-china-cybercom-bets-on-quality-over-quantity\/\" rel=\"nofollow noopener\" target=\"_blank\">mastery<\/a>\u201d of cyber war, according to two former military cyber commanders.<\/p>\n<p>Moreover, allowing the contracting community a more direct role in cyber operations fosters greater innovation and faster development of capabilities,experts said. <\/p>\n<p>\u201cBeing on their own infrastructure, contractor-own[ed] and contractor-operated, immediately unlocks innovation at the speed of relevance. Because if I have a really cool tool or suite of tools that can help me perform a mission, I can utilize it right away. I don\u2019t have to go through a lengthy requirements and acquisitions process,\u201d Moore said. \u201cThat is how we fully capitalize on one of the most important advantages we have over the likes of China.\u00a0We unlock and fully utilize the innovative solutions created by great American companies.\u201d<\/p>\n<p>Moore noted he hopes this evolves to eventually allow the contacting community to conduct effects operations as well, though still under the direct oversight and control of CYBERCOM, a much more complicated endeavor from a legal and policy perspective.<\/p>\n<p>Several sources indicated that industry is, in fact, looking to do effects, standing ready for when the time might come.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The post Senate Armed Services Committee Advances Provision To Allow Contractor Cyber Operations appeared first on Above the Law. WASHINGTON \u2014 Tucked in the Senate Armed Services Committee\u2019s annual defense policy bill is a provision to partner the US government with civilian hackerswho experts and former military officials say could helpthe US tip the scales [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":155336,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[16],"tags":[],"class_list":["post-155335","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-above_the_law"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/xira.com\/p\/wp-content\/uploads\/2026\/06\/GettyImages-1247541105-scaled-e1782153851428-wbWhaZ.jpg?fit=2560%2C1442&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/posts\/155335","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/comments?post=155335"}],"version-history":[{"count":0,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/posts\/155335\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/media\/155336"}],"wp:attachment":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/media?parent=155335"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/categories?post=155335"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/tags?post=155335"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}