A new industry coalition led by law firm Venable is seeking to shape one of the most consequential and unsettled debates in cybersecurity policy: what legal authorities, liabilities and responsibilities should govern private-sector participation in government cyber operations.
The Cyber Operations Policy Coalition, launched this week by Venable’s Center for Cybersecurity Policy and Law, aims to serve as a forum bringing together industry, government officials, legal experts, academics and civil society organizations to develop policy frameworks for what participants describe as “collective cyber defense.” According to NextGov/FCW, The effort comes as federal agencies increasingly rely on private companies to help identify, mitigate and potentially respond to sophisticated cyber threats, raising questions about whether existing legal frameworks are equipped for a more operational public-private partnership.
At the coalition’s launch event in Washington, current and former government officials emphasized that legal and policy questions may be the primary obstacle to expanding collaboration between government agencies and private-sector operators.
Katie Sutton, assistant secretary of defense for cyber policy and principal cyber adviser to the defense secretary, said legal expertise will be essential as government and industry become more closely integrated in cyber missions. While government agencies such as U.S. Cyber Command operate under well-established statutory authorities, she noted that private companies also possess authorities stemming from their ownership and operation of digital infrastructure.
“We talk about authorities,” Sutton said, noting that questions surrounding legal authority govern virtually every cyber operation. Industry participants, she added, “run this domain” and therefore possess authorities that could become increasingly important in future cyber defense efforts.
Per NextGov, the discussion reflects a broader shift in cybersecurity policy. Unlike traditional military domains such as land, sea and air, cyberspace is largely owned and operated by private companies. Telecommunications providers, cloud operators, software vendors and critical infrastructure firms often control the networks through which both cyberattacks and defensive responses occur.
Read more: DOJ and FTC Consider New Framework for Competitor Partnerships After Retiring Longstanding Guidance
That reality has complicated traditional legal distinctions between government action and private conduct. As cyber threats from nation-state actors become more sophisticated, federal agencies increasingly depend on industry partners not only to share threat intelligence but also to participate in coordinated defensive activities.
Participants at the launch event highlighted several unresolved legal questions. Among them are the scope of permissible private-sector action during government-directed cyber operations, the allocation of liability when companies act in coordination with federal agencies, and the legal protections available to firms that undertake cyber activities in response to national security threats.
Tonya Ugoretz, who leads PwC’s Cyber & Risk Innovation Institute and previously held senior positions at both the FBI and the Office of the Director of National Intelligence, said policymakers must develop a clearer understanding of liability and legal authorities before deeper operational collaboration can occur.
“We can’t be in a model” where participants must seek permission at every step, Ugoretz said, arguing that scalable public-private cyber operations will require legal foundations that provide greater clarity and predictability.
One area generating particular legal concern involves planning conducted through the Cybersecurity and Infrastructure Security Agency’s Joint Cyber Defense Collaborative. Matt Springer, the JCDC’s deputy assistant director, said the organization is developing contingency plans with major technology providers that include both defensive measures and potential offensive-leaning actions during geopolitical crises.
Such scenarios raise difficult questions about whether private companies could legally participate in activities that move beyond traditional network defense. Springer acknowledged that potential cyber-offensive options involving private-sector partners represent a “dicey area” that will require further policy development.
For corporate counsel and compliance officers, the coalition’s formation signals that cybersecurity is evolving from a technical and operational issue into a central question of national security law. As government agencies seek deeper cooperation from private-sector operators, lawmakers and regulators will face increasing pressure to clarify the legal authorities, liability protections and operational boundaries that govern collective cyber defense.