Why it’s time for the US to go on offense in cyberspace
The U.S. is stepping into a new cyber era, and it comes not a moment too soon.
With the Trump administration’s sweeping $1 billion cyber initiative in the “Big Beautiful Bill” and growing congressional momentum under the 2026 National Defense Authorization Act (NDAA) to strengthen cyber deterrence, we’re seeing a shift in posture that many in the security community have long anticipated, although often debated: a decisive pivot toward more robust offensive cyber operations.
While many may disagree with the decision to “go on offense,” we need to recognize the changing threat landscape and the failure of our previous restrained approach. The U.S. has the most advanced cyber capabilities in the world. Yet for the past two decades, our posture has been dominated by defense, deterrence-by-denial, and diplomatic restraint. This strategy has not yielded peace or dissuaded our adversaries. On the contrary, it has only served to embolden them.
With geopolitical tensions now at a boiling point and adversaries escalating both the scale and ambition of their cyber campaigns, it is time to remove the handcuffs. This doesn’t mean acting recklessly, but it does mean meeting our adversaries on the same battlefield so that we can use our unmatched capabilities to hold them at risk.
The strategic landscape has changed
The cyber threat environment in 2025 is fundamentally different from what it was even five years ago. Operations like China’s Volt Typhoon and Russia’s relentless campaigns against Ukraine’s infrastructure illustrate a broader shift: our adversaries are no longer limiting themselves to espionage or IP theft. They are actively preparing for conflict.
Volt Typhoon, in particular, marks a strategic evolution as Chinese state actors are actively prepositioning in U.S. critical infrastructure not for surveillance, but for disruption. Salt Typhoon’s operations, targeting civilian infrastructure with apparent tolerance for detection, suggest a loosening of China’s risk calculus. Meanwhile, Russia’s destructive malware targeting industrial control system (ICS) environments, and Iran’s growing reliance on cyber proxies, show how aggressive and emboldened our rivals have become.
Offensive capabilities are a military imperative
The proposed $1 billion investment isn’t about launching retaliatory attacks. It’s about building the infrastructure, tools, and talent needed to make cyber a fully integrated and reliable component of U.S. military and intelligence operations.
While the U.S. possesses world-class cyber capabilities, current policies have kept these tools locked behind layers of classification, bureaucracy, and operational disconnect. As a result, offensive cyber operations have been limited to highly targeted missions. While they’re often executed with surgical precision, they usually lack the speed, adaptability, or scale demonstrated by our adversaries.
When a U.S. technique is exposed, it can take months to retool and mount another operation. In contrast, our adversaries rely on publicly known vulnerabilities, social engineering, and agile teams that can quickly weaponize newly disclosed exploits.
Zero-days are among our most valuable (and expensive) cyber assets. But having the exploit isn’t enough. Effective use requires real-time intelligence, targeting infrastructure, trained operators, and a legal framework that enables rapid deployment.
This new investment represents a serious effort to evolve our approach. It will enable the Department of Defense, U.S. Cyber Command, and the intelligence community to proactively shape the digital battlefield, both independently and in coordination with conventional military operations.
Adversaries respond to force, not diplomacy
Over the past 15 years, we’ve watched top adversaries China and Russia test, prod, and exploit our most sensitive networks, from government systems to critical infrastructure companies, often with minimal consequence. We’ve also sustained numerous damaging attacks, from the massive OPM and Equifax breaches to SolarWinds, NotPetya and Colonial Pipeline. The list goes on and on.
In all of these cases, we’ve responded, at best, with indictments, sanctions, or strongly worded statements. In the meantime, our adversaries have only grown bolder and more sophisticated. Their actions suggest one conclusion: they don’t believe we’ll strike back.
This lack of proportional response is viewed as weakness, not restraint. Deterrence only works when the adversary believes you will act. That belief is fading. But a more muscular cyber posture, backed by operational capacity and political will, can restore it.
Ransomware is now a national security threat
The line between criminal and nation-state activity is becoming blurred amid rising geopolitical tensions. Ransomware, once seen as a law enforcement issue, now poses one of the most serious threats to national infrastructure.
We’ve already seen its disruptive power in attacks on Colonial Pipeline, JBS Foods, Mondelez International, and United Natural Foods Inc. However, as damaging as those were, they pale in comparison to what a determined adversary — especially one that is backed by a state — could accomplish.
Essential services like electricity, water, health care, and transportation are increasingly vulnerable. Many ransomware groups operate in jurisdictions that ignore or even support their activities. U.S. adversaries are now integrating these actors into broader state-aligned campaigns, using them as asymmetric tools of disruption.
The weaponization of ransomware and other destructive malware like “wipers” is a clear and present danger. Countering it requires more than law enforcement.
While the Department of Homeland Security and the FBI play vital roles in tracking threats, they lack the global reach and strategic authority of the military. Offensive cyber capabilities are needed to disrupt operations, dismantle infrastructure, and impose real costs.
There are risks with doing nothing, too
Critics of these operations rightly point out there are plenty of risks: escalation, unintended consequences, and blowback. Yes, these risks are real. Any use of cyber capabilities, especially against state-linked infrastructure, must be carefully weighed, governed by rules of engagement, and aligned with broader geopolitical strategy.
Historically, cyber has not had clear rules for what constitutes “crossing the line,” though the general assumption has been that loss of life or large-scale disruptions to critical infrastructure would qualify.
But inaction has its own risks. If we continue playing defense while our adversaries go on offense, we are signaling that they can operate with impunity. This is not de-escalation; it’s appeasement. And it will only invite more aggression.
On the other hand, offensive action may at times be the most effective path to de-escalation, by showing that the U.S. is both willing and able to impose real costs.
It’s time for real deterrence
Cyber deterrence has long been an elusive concept. Unlike nuclear deterrence, which relies on mutually assured destruction, cyber deterrence is far more ambiguous. The lack of clear red lines, uncertain attribution, and the diverse range of actors all complicate strategy.
But these are not reasons to avoid building deterrence. This is why it’s even more important to build smarter, more flexible capabilities that combine intelligence, cyber offense, and traditional diplomacy to manage escalation while signaling resolve.
The shift we’re seeing now, both from Congress and the administration, is a necessary first step. However, in order to be effective, it must be followed by clear doctrine, strong oversight, and close coordination between military, intelligence, and homeland security stakeholders.
Offensive cyber operations are not a silver bullet, but they are an essential tool of statecraft in the modern world.
Dave Kennedy is the founder of TrustedSec and Binary Defense.
