
Cyber Risk Manipulation: A Powerful Tool for U.S. Offensive Operations

The second Trump administration’s arrival in office renewed the conversation about the utility of cyber deterrence as a policy to secure U.S. critical systems from cyberattacks. In 2016, then-candidate Trump stated “as a deterrent against attacks on our critical resources the United States must possess…the unquestioned capacity to launch crippling cyber counter attacks.” In December 2024, the incoming administration’s pick for National Security Advisor announced that the Trump Administration would seek to deter People’s Republic of China (PRC) attacks through sustained offensive operations, with Republican Congressional leaders expressing support. The Trump administration has also hired a group of well-known offensive cyber experts to fill senior positions in the National Security Council. Cyber deterrence will clearly be a priority for the second Trump Administration.

However, cyber deterrence is a contested topic, with a debate between two main schools of thought. The first holds that cyber operations can be used for coercive purposes only in certain types of attacks, and that a more stable strategy would rely on the United States making cyberattacks more difficult for adversaries through persistent engagement. The second school notes that offensive cyber operations can be used for coercion but should be a part of an integrated strategy that utilizes all diplomatic, economic, and military tools. While these perspectives have dominated the policy conversation around cyber deterrence, they neglect a key lesson learned from the Cold War: the role of psychology in effective deterrence. Specifically, applying Thomas Schelling’s “manipulation of risk” theory would inject heightened uncertainty into how the United States imposes costs for cyberattacks and thereby increase risks for malicious actors targeting the United States. This concept can most effectively be applied to cyber command-and-control by delegating Department of Defense authority to launch offensive cyber operations and force a higher risk calculus upon U.S. adversaries.

Applying the Manipulation of Risk to Cyber Command-and-Control

Thomas Schelling’s 1966 Arms and Influence introduced the idea of the manipulation of risk as crucial to a state’s deterrence strategy. This concept explores how risk can amplify deterrent powers, as uncertainty drives a higher cost calculus when a nation is unsure of how a country will respond to its actions. Risk manipulation leverages uncertainty as a tactic—using the Clausewitzian idea of leaving something to chance to deter adversaries. Without this element of uncertainty, states may set red lines and trip wires, whereby competitors can anticipate responses. Strategic uncertainty of how one state will respond gives leaders room to manipulate risk to improve deterrence. 

Manipulating risk in cyberspace could be achieved through a more delegated command-and-control structure, which would increase retaliation risk for adversaries considering cyberattacks against the United States. Under such a policy, the Department of Defense would be more empowered to direct and manage certain offensive cyber operations without interagency or White House approval. Administrations have oscillated on how much offensive autonomy to give the Department of Defense since 2012 when President Obama indicated offensive cyber operations need to be approved through an interagency process. The first Trump Administration changed course, affording the Department of Defense more liberty to engage in certain cyber actions below the use of force without interagency approval. The Biden Administration then created additional policies to ensure the State Department and White House figured into the decision-making process before launching these operations. As the recent high-level intrusions by the PRC on U.S. critical infrastructure demonstrate, the status quo is not working, and introducing the manipulation of risk in cyberspace can drive heightened uncertainty and amplified risk calculus to deter adversaries. The current administration should ensure the Department of Defense has sufficient authority to launch offensive cyber operations below the use of force without protracted approval processes. The expansion of the Department of Defense authorities to carry out offensive cyber operations increases ambiguity by removing interagency roadblocks. For example, under the Trump Administration’s previous policy that allowed for more delegative cyber command-and-control, the Defense Department infiltrated Russia’s power grid with malware without informing the President. This delegative command-and-control authority allowed the Defense Department to act offensively, creating a more uncertain risk calculus for Russia.

Risk manipulation forces an adversary to face the possibility it might unintentionally cross the threshold into crisis. By allowing agencies to conduct offensive cyber decision-making, the United States opens up some risk of unintended disaster: the Department could launch operations that an adversary finds unacceptable, escalating a conflict further. But this uncertainty also creates deterrence power, forcing adversaries to reckon with the question of whether the United States is likely to respond to cyberattacks with operations of its own.

Cyber Escalation and Risk Manipulation in Cyberspace

Policymakers might argue that increasing command authority for the Department of Defense is too risky. There are concerns from the U.S. State Department about harm to diplomatic relationships if infrastructure belonging to allies and partners is used in these attacks, and there is a general fear in the U.S. government of cyber escalation. Historically, leaders have been reluctant to impose significant costs on adversaries using cyber means. In 2011, the Obama Administration considered cyberattacks on Libya to disable the government’s air-defense system. U.S. leaders eventually wavered, out of fear it would set a precedent for Russia and China to launch similar offensive attacks. In response to Russian information attacks on U.S. democracy during the 2016 election, the Obama Administration applied diplomatic and economic sanctions, in a move that many officials at the time said was an inadequate response. In 2018, then-Director of the National Security Agency and Commander of U.S. Cyber Command Mike Rogers stated Russia has not “paid a price … sufficient to get them to change their behavior.” Reporting suggests that the Administration rejected offensive cyber operations against Russia in response to the 2016 election interference. Consistent with the U.S. government’s risk-averse approach to cyberspace, leaders instead focus on preventive action, increasing resilience, and consequence management.

U.S. policymakers’ risk aversion puts the logic of cyber escalation theory into practice: policymakers believe that intentions can be misread in cyberspace and actions can be escalatory. However, cyberattacks have never escalated a conflict into the kinetic domain. Even seemingly escalatory attacks, such as Russia’s targeting of the Ukrainian power grid in 2015 and 2016, were met with limited responses. More often, states have used the cyber domain to avoid kinetic war. Offensive cyber actions “can act as a less costly alternative to conflict because they are ambiguous, rarely break things, and don’t kill people.” Cyber has even been used to de-escalate. In 2019, the Trump Administration directed a cyberattack against Iran instead of a conventional air strike. While the United States might fear the potential for cyber operations to escalate conflict, history demonstrates the opposite effect and presents them as uniquely beneficial tools of statecraft. 

If offensive cyber operations do not lead to major escalation, then policies that increase the chance of U.S. retaliation involve only moderate risk. According to Schelling, this moderate risk indicates that heightened cyber command-and-control authorities for the Department of Defense will function as a powerful deterrent. Specifically, Schelling asserts risk manipulation is most effective when there is the threat of a moderate disaster, as a state cannot credibly threaten mutual destruction. It is not credible for a state to threaten mutual destruction because the risk of a state committing suicide lacks sincerity. Given the ability for cyber to de-escalate and operate as a less costly alternative to traditional tools of state power, further delegating cyber command-and-control to the Department of Defense introduces a moderate level of disaster, instead of mutual destruction.

This is also why U.S. policymakers should expand authorities for Department of Defense action only below the use of force. Actions taken at the level of armed conflict cannot be decided exclusively by the Department of Defense, and Schelling would assert that this would weaken deterrence capability. For example, the U.S. could not credibly threaten it would retaliate by taking down a state’s power grid, as this could lead to attacks against vulnerable U.S. critical infrastructure. This risk manipulation creates a threat of mutual destruction. Instead, the United States should defer to the Department of Defense for offensive cyber operations below the use of force to create more risk around punishment and drive future uncertainty. 

Given the lessons learned from nuclear deterrence and risk manipulation, the United States should pursue a more delegative command-and-control strategy for the Department of Defense to launch offensive cyber actions below the use of force. Secretary Hegseth recently directed U.S. Cyber Command to fast-track a plan to revamp the organization, and the deliverable should include how it can implement risk manipulation to further deter U.S. adversaries in cyberspace. Understanding the psychological impact of risk will be especially important to ensure successful deterrence policies amid increasingly aggressive cyberattacks from around the world.


Views expressed are the author’s own and do not represent the views of GSSR, Georgetown University, or any other entity.