Trump and others want to ramp up cyber offense, but there’s plenty of doubt about the idea

Some observers have suggested that in response to Chinese cyber breaches, the U.S. needs to prioritize taking more aggressive offensive actions in cyberspace.
U.S. President-elect Donald Trump speaks to members of the media during a press conference at the Mar-a-Lago Club on January 07, 2025 in Palm Beach, Florida. (Photo by Scott Olson/Getty Images)

In recent months, incoming Trump administration national security adviser Mike Waltz and some lawmakers have suggested that in response to Chinese cyber breaches, the United States needs to prioritize taking more aggressive offensive actions in cyberspace rather than emphasizing defense.

It’s been said before. And it’s easier said than done.

Experts who spoke with reporters for this story raised several multifaceted questions about enhanced offensive operations, including what form they would take and whether they are an appropriate response to the recent rash of intrusions. Offensive operations are technically complex — unlike in Hollywood, where they’re as easy as pushing an “enter” button — and potentially introduce new risks for the attackers.

Furthermore, those calling for more cyber offense might not be aware of the scope of current secret U.S. operations, itself a conundrum: If the country doesn’t take credit publicly, how would adversaries know it struck back and therefore deter present or future attackers? 

In the end, it might not dissuade other nations if the United States gets more aggressive in cyberspace, said Herb Lin, a senior research scholar for cyber policy and security at Stanford’s Center for International Security and Cooperation.

“What I’m trying to understand in all this is people who say we should go on the offensive more. It sounds good in practice, [but] what are you going to do?” he said. “I haven’t seen a plausible scenario that actually gets them the outcome they want.”

Waltz hasn’t detailed in interviews exactly what he means when he says the United States needs to “start going on offense and start imposing … higher costs and consequences” in response to data theft, espionage and, most worrisomely, the Chinese hackers known as Volt Typhoon, which the U.S. government has said are prepositioning themselves to attack U.S. critical infrastructure in the event of conflict over Taiwan. But in an interview with the Daily Wire, he said the United States didn’t respond to Soviet nuclear stockpiling by building better missile defenses — instead, it stockpiled its own nukes.

And in an interview with Breitbart, he got a little more specific. “I believe personally you can do that by demonstrating if you’re putting cyber time bombs in our ports and grid that we can do it to you too so let’s both not — mutually assured destruction — and take the temperature down on this a bit.”

At a hearing last month about the massive espionage-oriented hack of telecommunications carriers by another Chinese hacker group, Salt Typhoon, several lawmakers on both sides of the aisle pressed witnesses on the topic of offense. “Why aren’t we going on offense, and doesn’t that help?” asked Sen. Dan Sullivan, R-Alaska, saying it’s a repeated line of questioning from lawmakers at classified briefings, too. Other key lawmakers have echoed those calls.

Current national security adviser Jake Sullivan said on Friday that the United States has “taken steps in response to Salt Typhoon” to “make it harder for China to actually be able to execute this” but didn’t elaborate further.

Advocates for increased offensive measures need to clarify what precisely they want to do, experts said. Past, publicly revealed U.S. cyber operations include Stuxnet, which targeted Iranian centrifuges in a joint effort with Israel, and others aimed at would-be election meddlers from Russia and Iran. Lin said other options include getting into adversary nations’ systems — like Volt Typhoon is said to have done in the United States — to prepare for future attacks, or leaking embarrassing information about enemies, although that’s less about new offensives and more about capitalizing on existing intelligence.

Lin and Erica Lonergan, an assistant professor at Columbia University’s School of International and Public Affairs, said there’s been some blurring in the public discussion about the nature of espionage, like the kind that Salt Typhoon has conducted with its telecom breaches, and whether going on offense is the right response. The United States, after all, uses cyber for espionage, too.

“We risk conflating different types of threats, and also like not being clear about what we mean by offense,” Lonergan said. “Applying a deterrence model to espionage questions is a bit of a mismatch.”

The first Trump administration did loosen the rules on the Defense Department conducting offensive cyber operations. Congress in recent years also has helped pave the way to lift certain hurdles that existed in the past to help demystify legal barriers and speed up operations. 

Charles Moore, the former deputy commander and director of operations at Cyber Command, said a move toward “cyber campaigning” would be “the most important step” that DOD and Cybercom could take to increase the scale and strengthen the impact of their operations.

“Instead of conducting specific, one-off operations, campaigning represents a persistent series of operations geared towards accomplishing clear strategic objectives,” Moore said. “This approach is more impactful than ad hoc operations but requires support from the other departments and agencies in order for Cyber Command to operate at the speed, and have the freedom of maneuver necessary for it to be accomplished effectively.”

Still, the reality is that offensive cyber operations are “slow and grinding, and take a lot of time,” according to Emerson Brooking, director of strategy and resident senior fellow at the Digital Forensic Research Lab of the Atlantic Council Technology Programs, and one of the authors of the 2023 DOD cyber strategy. 

They require gaining access to adversaries’ networks — not always an easy task — as well as mapping those networks to understand where the intended targets or desired information exists, and then figuring out how to degrade or destroy those portions of the network without causing more widespread harm. Experts note that offensive operations also risk the discovery of cyber tools used for other purposes — such as U.S. espionage — that could render them useless.

Much U.S. policymaking on cyber deterrence over the years has emphasized responding to cyberattacks in a variety of ways, from economic sanctions to legal action. Experts believe that’s the right emphasis. Offensive operations can be a part of that, they say.

That’s because researchers say there’s little evidence that any cyberattacks have effectively caused anyone to change their behavior. But some of the outer limits haven’t been tested, and it’s not clear when cyber offense might prompt retaliation against the United States.

“The question for this administration is going to be, how do we send the right messages and create the right deterrent without causing an escalation?” said Kurt Sanger, Cyber Command’s former deputy general counsel. “There’s some line out there that you cross it, and it will lead China and Russia to escalate, but it probably has not been properly explored yet.”

That doesn’t mean the United States isn’t conducting offensive operations right now. But experts say it’s a tool that’s currently less effective than other means of sending signals to adversaries about what kind of behavior they want. The historically clandestine nature of offensive cyber operations runs counter to, for example, the airstrikes the Trump administration ordered against Syria in 2017 in response to its use of chemical weapons.

The missiles were meant to send a clear, public message. As Cybercom has grown to stand on its own from an offshoot of the intelligence-rooted nature of cyber, it has sought “louder” tools — akin to physical attacks — where the target knew it was from the U.S. military. 

“Maybe the new administration will decide it’s time to do something a little louder, or even if the tool is the same, to accompany it with a statement that [says], ‘hey, we did that,’ for example,” said Gary Brown, Cybercom’s first senior legal counsel and now a professor at Texas A&M’s Bush School of Government & Public Service. 

However, some experts doubt that any steps taken by a new administration would be effective, partly due to the fundamental nature of international conflict. 

“It’s hard to shape the behavior of adversaries in competition just in general, and especially in cyberspace,” Lonergan said.

Or, as Lin put it, when discussing a range of more aggressive U.S. cyber operation options: “Let’s imagine we could do all of that. What good would it do?”