Former NSA Directors Discuss Policy Thresholds for Cyber Operations at RSAC 2026

A panel of four former National Security Agency directors at RSAC 2026 examined US strategy on state-level cyber operations, the thresholds for military response, and the current state of public-private collaboration in cybersecurity.

Triage Security Media Team

cyber incidents, what crosses the "red line" and justifies a kinetic military response?

That was a central question posed to four former National Security Agency (NSA) directors and US Cyber Command leaders, who evaluated the US government's current cybersecurity strategy during a keynote panel at the RSAC 2026 Conference in San Francisco on Tuesday.

The keynote, titled "Inside Offensive Cyber: Lessons from Four NSA Directors," featured Tim Haugh, Paul Nakasone, Mike Rogers, and Keith Alexander. Alexander was appointed by former President Barack Obama to establish and lead the US Cyber Command. He was succeeded in the post by Rogers, Nakasone, and Haugh, respectively.

The panel followed the release of President Donald Trump's cyber strategy earlier this month, which prioritized offensive capabilities and deterrence. In a military context, offensive cyber operations cover a range of activities. These can include disrupting threat actor infrastructure and conducting surveillance against adversaries, tactics the US has frequently been accused of using against nations such as China. They also encompass incidents like Stuxnet, which caused significant physical disruption to Iran's nuclear program and has been attributed to the US and Israel, though neither government has formally confirmed involvement.

The 50-minute discussion, moderated by venture capitalist Ted Schlein, covered how the US approach to active cyber operations has evolved from a highly classified concept to a publicly acknowledged strategy. The panelists discussed how the NSA formed the foundation for US military cyber capabilities, the increasing role of the private sector in national defense, and the premise that active capabilities are required to protect the country.

Alexander noted that early detractors of the US moving into offensive cyber operations argued against the Internet becoming a domain for international conflict. "It already is," he said. "Because it is, we have to be the best at it, because our nation is the most digitized nation in the world."

While the panelists generally supported the use of active cyber operations, two of the primary focal points of the discussion were the definition of the "red line" where a cyber incident might prompt kinetic military force—a response the Obama administration formally reserved the right to use in 2011—and whether the current federal government is adequately prioritizing cybersecurity.

Determining thresholds for response

During the panel, Schlein asked how government officials determine the exact threshold for cyber incidents that reach a critical level of severity.

Nakasone approached the question directly. "Whatever the president says [the red line] is, that's it," he said. "That's the determination, and we can all think what it is, but he's the one that determines whether or not we're going to take some type of distinct action based upon this."

Rogers expanded on this process, noting that during his time working with President Obama, he advocated for establishing specific criteria for when a kinetic response might be appropriate, such as when a cyber incident directly causes a loss of human life.

Addressing the operational mechanics of responding to adversarial actions, Haugh explained that commanders aim to "give options to our policymakers." This involves presenting varying levels of response and their associated risks, allowing decision-makers to select a course of action they are comfortable authorizing.

Alexander emphasized that commanders "need to give the president and the National Security Council flexibility to respond." He argued against rigid rules that eliminate context, noting there may be scenarios where the president decides that launching a physical military response to a cyber incident is not the most strategic course of action, even if the incident meets predefined criteria. Consequently, Alexander advised against Congress codifying these response policies into law, stating, "you don't want Congress legislating something that they don't really understand."

Government involvement and industry collaboration

Schlein later asked the panel, "Does this country care that much about cyber?"

The question arrives amid significant structural changes in the federal government. The Cybersecurity and Infrastructure Security Agency (CISA) has recently faced massive layoffs and forced reassignments, and the Cyber Safety Review Board was effectively shuttered shortly after Trump's inauguration. At this year's RSAC Conference, the US government had effectively zero official presence, a sharp contrast to previous years. Federal agencies abruptly pulled out of the event following the hiring of former CISA Director Jen Easterly as RSAC CEO in January.

The panelists offered varying perspectives on the current state of federal cybersecurity prioritization. Alexander took a diplomatic stance on the workforce, stating, "I think the key players in cyber continue to do what they need to do and train, get ready and do their operation. … My experience is they're out there working just as hard as they ever were and they're progressing."

Rogers offered a more direct critique of the current administration's approach to cybersecurity policy.

"I see a private sector that is very network owners that are very energized and focused. I see a government that's unwilling to expend political capital to really drive fundamental change in cyber," Rogers said. "And it's a reflection of the fact that, politically, we are so divided and as a society, we are so divided. Think about it, we're the largest economy in the world. We don't have a single federal data privacy framework. We don't have a single major piece of cyber legislation, and compare that with the rest of the Five Eyes as examples."

Rogers noted that the current environment "frustrates the hell out of me personally," pointing to a distinct lack of cooperation between the federal government and the commercial cybersecurity industry. "We need political leadership synchronized with the private sector to get where we need to go," he said. "And neither can do it by themselves. It just isn't there."