Four NSA Directors Address American Offensive Cyber Power
Not all chips pose equal national security risk, directors said. They also urged more precise export controls
SAN FRANCISCO, March 24, 2026 — Four directors of the National Security Agency gathered Tuesday to assess the state of American cyber warfare, from a 2008 classified network breach that triggered the creation of U.S. Cyber Command to the age of autonomous AI agents.
At the RSA Conference, the world's largest cybersecurity gathering, they said the United States had not achieved deterrence in cyberspace and debated over whether legislation was the right tool to confront its most serious threats.
The cyber command’s origins
In October 2008, a five-person team investigating suspicious activity on a Defense Department network found 1,500 pieces of Russian malware on a classified system. The breach was contained and patched within 42 hours, said General Keith Alexander, the longest-serving NSA director and founding commander of the cyber command under Presidents George W. Bush and Barack Obama.
"No one else in the world could have done that," Alexander said.
Secretary of Defense Robert Gates called him the following Monday, Alexander said, and directed him to establish a four-star command merging NSA's intelligence authorities under Title 50, the section of U.S. law governing intelligence activities, with military operational authority under Title 10, the section governing Defense Department operations.
The foundational debate at the time was whether the U.S. needed offensive capability at all, Alexander said. For deterrence, he said, there was no alternative.
"We live in a big glass house," Alexander said. "You need the offensive capability."
Building the doctrine
Operationalizing what Alexander had built fell to Mike Rogers, who served as NSA director and Cyber Command commander from 2014 to 2018 under Presidents Obama and Trump. The decisive test came in late 2016, when the secretary of defense gave him 30 days to prove what Cyber Command could do against ISIS, the Islamic State militant group that had seized large portions of Iraq and Syria. Rogers said the operation became the template for integrating cyber effects with conventional military operations.
Rogers said the early years raised hard questions about precision. Could cyber operations be contained without spilling into civilian infrastructure or compromising intelligence sources?
"Can you execute cyber fires in a way that doesn't impact the kinetic world or the intelligence world?" Rogers said.
Those questions still remained unresolved when Paul Nakasone took command in 2018, leading the NSA and Cyber Command through 2024. He said the U.S. still lacked the policies and authorities needed for offensive cyber operations at scale.
The first six months were spent learning how to fight, the next six building partnerships, and the final six dismantling adversary infrastructure ahead of the midterm elections, he said. "We didn't have the policies and authorities necessary."
The mission had expanded well beyond cyber operations in isolation, said Tim Haugh, NSA director and Cyber Command commander from 2024 to 2025. Generative AI, he said, had introduced new challenges the intelligence community was still working to address.
Several of the directors argued those challenges pointed to a more fundamental problem: The U.S. had never concretely defined deterrence in cyberspace to begin with.
The deterrence gap
The U.S. had failed to achieve deterrence in cyberspace, Rogers argued. Without a federal data privacy framework or any major cyber legislation, the government cannot set enforceable standards or integrate the private sector into a coherent national strategy.
"We are so numb to this," Rogers said. "We're starting to accept this as the price of living in the digital age."
Moderator Ted Schlein, chairman at venture capital firm Ballistic Ventures, pointed to deeper structural lapses: More than a year without a confirmed CISA director, rising ransomware frequency, and a potential brain drain from federal agencies.
Alexander added the SolarWinds attack as a cautionary example - a 2020 supply chain compromise that silently infiltrated thousands of federal and commercial networks before anyone sounded the alarm.
Congress versus the Executive Branch
Rogers and Nakasone disagreed on whether legislation was the right tool for defining when a cyberattack warranted a U.S. response.
Rogers argued Congress should establish a baseline framework, setting thresholds around damage costs, repair time, and loss of life that would trigger an official response. Without those markers, the country had no clear standard for when to act.
Nakasone pushed back. The president and National Security Council needed room to maneuver, he said, and codifying specific red lines, predetermined boundaries that once crossed would commit the U.S. to a response, would hand adversaries a roadmap for how far they could push without consequence. When asked where the threshold for a military response to a cyberattack lies, he responded “whatever the President says it is."
Alexander steered toward a middle ground. Companies that detected intrusions should be required to share what they found with CISA, he said, the kind of early warning that might have contained SolarWinds before it spread across thousands of networks. Legislation didn't have to solve everything, but it had to create a structure.
"The one thing worse than no legislation is bad legislation," he said. "But we need a framework."
China, chips, and economic warfare
Turning to China, Alexander said the most overlooked threat was not a direct cyberattack but an economic one. China did not need to fire a weapon. A naval blockade of Taiwan cutting off semiconductor supply would be enough to paralyze the American economy, he said, and the country was not prepared for it.
"Our nation would crumble," Alexander said. "We're not ready."
U.S. chip export controls needed more precision, Rogers argued. Treating all semiconductors identically made no strategic sense given the wide variation in military relevance across chip categories.
The U.S. should not be exporting its most advanced chips to adversaries under any circumstances, Nakasone added.
The AI accountability gap
Haugh said the introduction of AI agents into critical systems was raising accountability questions no existing framework had resolved. Frameworks must be set for organizations to know what requires protecting, who is responsible, and what happens when an AI system acts without a human in the loop.
Member discussion