Venable launches Cyber Operations Policy Coalition on industry liability
Collective defense sounds operational until the lawyers ask who authorized the act and who absorbs the legal risk.
TL;DR
NextGov reports Venable’s Center for Cybersecurity Policy and Law launched the Cyber Operations Policy Coalition this week to develop frameworks for collective cyber defense. The audience is industry, government lawyers and companies that own the networks cyber operations run through. The useful admission from the launch was plain: deeper coordination depends on authority, liability and rules for what companies may do in a crisis.
Venable’s new Cyber Operations Policy Coalition matters because it treats legal authority as the bottleneck. NextGov reports that the group, housed in Venable’s Center for Cybersecurity Policy and Law, wants to develop policy frameworks for “collective cyber defense” with industry, government, legal experts, academia and civil society at the table. Capability is the easy half. The harder question is what companies may do when federal cyber missions run through privately owned networks.
Katie Sutton, assistant secretary of defense for cyber policy, said at the launch event that government has defined authorities and industry has authorities because it “run[s] this domain.” Tonya Ugoretz, now at PwC and formerly at the FBI and the Office of the Director of National Intelligence, said the model cannot depend on asking permission for every operational step. That is the liability boundary: what a provider may do, under whose authority, and with whose risk.
The line remains politically delicate. National Cyber Director Sean Cairncross said in March he was “not talking about” companies engaging in cyber offensive campaigns, while saying private-sector capability should inform government responses (https://www.nextgov.com/cybersecurity/2026/03/national-cyber-director-doesnt-envision-industry-doing-offensive-hacking/412176/). At the launch, Matt Springer, deputy assistant director of the Cybersecurity and Infrastructure Security Agency’s Joint Cyber Defense Collaborative, described scenario planning that could include “potential cyber offensive options” theoretically taken by partners, and called the area dicey. The ambiguity is the point. Officials can reject private offensive campaigns and still build crisis plans that reach the companies seeing and routing the traffic.
For contractors, cloud providers and critical-infrastructure operators, the Monday problem is documentation before heroics. If a public-private cyber mission asks for action beyond ordinary monitoring or information sharing, counsel will want the authority, indemnity, reporting path and customer impact worked out before the incident clock starts. The coalition earns its keep only if it produces that boring language.
Published · Deep Fathom