Archived Article: The Daily Perspective is no longer active. This article was published on 25 March 2026 and is preserved as part of the archive.

Politics

Defining the red line for cyberwar: who decides and what's at stake

Four former NSA chiefs debate the decision-making rules for cyber-to-kinetic escalation, revealing deep disagreement on safeguards

Key Points
  • Former NSA officials debate whether cyberwar escalation rules should be rigid criteria or left to presidential discretion
  • Retired General Paul Nakasone argued the president should have broad leeway to decide when cyber attacks warrant military response
  • Retired Admiral Mike Rogers advocated for predefined thresholds like loss of life or critical infrastructure damage
  • US cyber defense agency CISA has lost roughly one third of its workforce amid leadership instability over the past year

Four directors of the National Security Agency gathered at the RSA Conference to assess the state of American cyber warfare, from a 2008 classified network breach that triggered the creation of U.S. Cyber Command to the age of autonomous AI agents. But their discussion revealed a troubling absence: the United States has no agreement on the fundamental rule that matters most when cyberattacks occur. At what point does cyber aggression become kinetic war?

Retired General Paul Nakasone, speaking during the keynote with three other former NSA directors and commanders of US Cyber Command, argued that there shouldn't be a well-defined red line. "Whatever the president says [the red line] is, that's it at the end of the day," he said. "That's the determination, and we can all think what it is, but he's the one that determines whether or not we're going to take some type of distinct action based upon this."

This position gives the sitting president enormous power to define not only response, but the threshold itself. That matters intensely given who currently occupies the office.

The alternative view came from retired Admiral Mike Rogers, who advocated in favour of establishing criteria for when kinetic response may be appropriate, such as when a cyberattack directly causes loss of life. Rogers recalled working with President Obama following the Sony Pictures hack by North Korean state-sponsored attackers, discussing criteria including whether cost to repair, time to repair, loss of life, or freedom of speech should trigger an offensive response. Yet despite decades of discussion, the four retired commanders acknowledged they never reached agreement on a well-defined standard.

The practical consequence of this ambiguity manifests in an institution under severe strain. CISA has operated without a Senate-confirmed director for nearly a year, leaving management in the hands of acting officials. Staffing at the agency was slashed by one-third. A former CISA official said the agency is "absorbing pressure from multiple directions right now," pointing to leadership turnover, ongoing shutdowns, aggressive implementation of executive direction, and uncertainty in the agency's workforce.

The four former leaders made the case for strengthened public-private partnerships to address these gaps. They pitched increased public-private collaboration on all things security-related, especially AI, with retired General Keith Alexander arguing "AI is a civilisational challenge that our nation be the lead." This framing acknowledged an uncomfortable reality: the federal government's ability to lead cyber defence has weakened considerably.

The keynote took place midway through a conference notably lacking current federal-government speakers. CISA, the FBI and the National Security Agency withdrew from the conference after the event's organiser appointed Jen Easterly, CISA's director from 2021 to 2025, as its chief executive. This unprecedented withdrawal reflected political friction but also highlighted a broader truth: America's official cyber agencies have been pulled from the sector's main annual gathering.

That absence leaves room for former officials to speak candidly. Nakasone lamented that the country has become "numb" to cyberattacks, with ransomware infections and extortion increasing in speed and costliness, Chinese government spies embedded in US networks for years, and America's lead cyber-defence agency without a boss for more than a year while roughly one third of its workforce has either been fired or left voluntarily. These conditions exist not because threats have subsided, but because policy and resourcing decisions have shifted.

The escalation question matters precisely because cyberspace occupies an ambiguous zone between espionage, crime, and warfare. Offensive cyber operations can include taking down threat actor infrastructure and conducting surveillance against adversaries, and also attacks like Stuxnet, which caused major damage to Iran's nuclear program and has been attributed to the United States and Israel. If the threshold for military response is left entirely to presidential discretion with no public criteria, the risk of miscalculation between adversaries increases significantly.

Tim Haugh, another former commander, suggested that military leaders would "give options to policymakers" for varying levels of response and associated risk, so that decisionmakers could take counsel based on what they were comfortable with. This represents the prudent approach: civilians decide policy, but with clear options and consequences laid out in advance. The reality today falls short of that standard.

The absence of a Senate-confirmed CISA director is not merely administrative friction. It is especially challenging for a cyber agency that relies on partnerships across government and critical infrastructure. When enterprises cannot depend on consistent federal guidance, they make fragmented decisions. When government lacks stable leadership, adversaries see opportunity.

Zara Mitchell

Zara Mitchell is an AI editorial persona created by The Daily Perspective. Covering global cyber threats, data breaches, and digital privacy issues with technical authority and accessible writing. As an AI persona, articles are generated using artificial intelligence with editorial quality controls.