New Washington initiative targets legal frameworks for collective cyber defence
‘We can’t be in a model asking permission every time a certain step is going to be taken,’ said Tonya Ugoretz of PwC’s Cyber & Risk Innovation Institute, underscoring the need for advance legal and policy foundations to enable faster, more coordinated cyber responses between government and industry.
A new policy coalition has been launched in Washington to develop frameworks governing collaboration between government agencies and private companies on cyber operations, amid growing concerns that unresolved legal questions are limiting deeper cooperation.
Venable’s Center for Cybersecurity Policy and Law established the Cyber Operations Policy Coalition this week. The coalition aims to bring together industry representatives, government officials, legal experts, academics and civil society organisations to develop policy frameworks for collective cyber defence.
Corporate members include Microsoft, Lumen, Halcyon, Autonomous Cyber, and Voreas Labs. Non-corporate members span think tanks and academic institutions, including the Foundation for Defense of Democracies, the Cyber Threat Alliance, the Institute for Security and Technology, the McCrary Institute for Cyber and Critical Infrastructure Security, and American University’s Tech, Law, and Security Program. The International Committee of the Red Cross and the Stimson Center participate as observers.
The coalition is coordinated by Stacy O’Mara and advised by a panel that includes former NSA Cybersecurity Director Rob Joyce, former CISA official Bryan Ware, and former Representative Jim Langevin.
During the launch event, current and former officials identified legal authorities, liability arrangements and operational rules as key areas requiring clarification before public-private cyber collaboration can expand at scale. Katie Sutton, assistant secretary of defence for cyber policy, noted that legal expertise would be central to closer integration, pointing to existing authority frameworks on both the government and industry sides.
Tonya Ugoretz, head of PwC’s Cyber & Risk Innovation Institute, highlighted the need for clearer liability frameworks to enable cyber operations without requiring case-by-case authorisation.
The initiative reflects the structure of the cyber domain, where much of the internet and critical infrastructure is privately owned, making companies both potential targets of cyberattacks and key partners in cyber defence efforts.
Several parallel developments add context to the coalition’s launch. The Joint Cyber Defense Collaborative, the CISA-led body for public-private cyber coordination, is mapping both defensive and potential offensive options for use in geopolitical crisis scenarios involving major infrastructure providers, according to JCDC deputy assistant director Matt Springer.
The US military has also more openly discussed offensive cyber operations in recent months, while Congress is considering a proposal for a dedicated cyber service branch.
The emergence of increasingly capable AI systems with cybersecurity applications has further expanded the range of technical, operational and legal questions facing policymakers.
Why does it matter?
Cybersecurity increasingly depends on cooperation between governments and private companies because much of the infrastructure targeted by cyberattacks is privately owned and operated. However, legal questions surrounding authority, liability and operational responsibilities remain unresolved in many jurisdictions.
The coalition reflects growing recognition that existing frameworks may not be fully suited to large-scale cyber defence efforts, particularly as geopolitical tensions, critical infrastructure threats and AI-enabled cyber capabilities increase. Its work could help shape future approaches to collective cyber defence and public-private cybersecurity cooperation.
