The most remarkable thing about Russia’s meddling in our democracy is that President Trump has done nothing about it. There are plenty of steps that he could have taken. There are people, including some working just steps away from the Oval Office who could have—and may have—advised him what to do. But Trump chose inaction.

According to Monday’s New York Times, the State Department was allotted $120 million in the past two years to counter Russia’s “information warfare” against the West, but not a dime has been spent, in part because the office that runs such programs has no Russian speakers or computer experts, but mainly because Secretary of State Rex Tillerson has imposed a hiring freeze.

This State Department program, which was funded in the final months of the Obama administration but never activated, is hardly the only available approach. The White House cyber policy chief, Rob Joyce, was, before taking this job, director of Tailored Access Operations—the elite corps of hackers inside the National Security Agency. In other words, if Trump were inclined to pre-empt, counter, or respond to Russia’s cyber operations against us, his own special adviser on the topic could—probably off the top of his head—prepare a menu of options and write the directives on who should do what. But Trump is not so inclined.

We know this from Senate testimony last week by Adm. Mike Rogers, the outgoing NSA director and Cyber Command chief. Asked whether Trump had directed him to respond to the Russian threat, Rogers replied, “I’ve never been given any specific direction to take additional steps outside my authority. I have taken the steps within my authority, you know, trying to be a good, proactive commander.”

This was a very carefully worded response, so it’s worth parsing. It’s important to note that, by U.S. law, the president must authorize all cyber-offensive operations that might result in death or destruction of property. These operations range from hacking into the emails of ISIS fighters, so that Special Forces or drone pilots can track and kill them, to the U.S.–Israeli Stuxnet program that wrecked much of Iran’s uranium-enrichment program in 2010.

When Rogers said he has “taken the steps within my authority,” he meant the NSA has been hacking Russians’ communications in order to gather intelligence on what they’re doing and perhaps to prepare a counterattack, should the president order one. But by saying he has “never” received “specific direction to take additional steps outside my authority,” he meant Trump has never told him to go the next step—and Trump is the only one who could tell him to do so.

Rogers added, clearly frustrated by this passivity, “I believe that President Putin has clearly come to the conclusion that there’s little price to pay and that therefore, ‘I can continue this activity.’ ”

We still don’t know just why President Trump declines to investigate, much less respond to, Russia’s cyberattacks on our democracy.

What sorts of things could Trump do? Richard Clarke, the cyber and counterterrorism chief for Presidents Clinton and (briefly) George W. Bush, recently said he would “fry” the computers of the Russians—especially those close to Putin—who launched the attacks. The proposal raised eyebrows because, in his 2010 book, Cyber War, Clarke warned against strategies relying on cyber-offensive operations, noting that they could spark retaliatory strikes, which would hurt us more because the United States is more dependent on computer networks—and, therefore, more vulnerable to cyberattacks—than other countries.

I asked Clarke whether he’s changed his mind on the broad point in the past decade. He said he hasn’t, but added, “I really don’t think shutting down Putin’s chef”—the nickname of Yevgeny Prigozhin, identified as the main backer of Russia’s “troll factory” in Robert Mueller’s recent indictment—“is going to set off a cyberwar.”

A possible parallel is the Shamoon virus, which Iranian computer scientists created in 2012 as a response to a U.S. cyberattack on Iran’s oil ministry (which itself was a follow-up to Stuxnet). Shamoon wiped out every hard drive in every work station at Saudi Aramco, the joint U.S.–Saudi Arabian oil company—about 30,000 hard drives, in all—and planted on every one of its computer monitors the image of a burning American flag. The Iranians didn’t aim the malware at Aramco’s oil-drilling business, but the message was clear: They could aim it that way if they wanted to.

But let’s say that destroying Prigozhin’s computers is deemed excessive. Chris Wysopal, CTO of Veracode, a leading cybersecurity company, offers a more moderate option—slowing the computers down. “We could make the computers suffer hard-drive failures, keeping the operators so busy they couldn’t do much else,” Wysopal told me. “This is easy to do, and it would send a message: We can get to you, just like you can get to us, and we can step this up several notches”—for instance, fry the computers, as Clarke suggests—“if you don’t stop.”

This is the challenge posed by any sort of attack (cyber or otherwise): how to respond in a way that stops the conflict. How to damage the adversary badly enough to keep him from attacking again but not badly enough to incite a spiraling escalation. Another way of stating the dilemma: how to damage the enemy’s interests, and threaten to damage them more, without threatening his vital interests and thus provoking a counterattack.

Presidents have faced the dilemma before. During NATO’s 1997 war against Serbia , which also involved a secret “information-warfare” campaign against Serbian President Slobodan Milošević, the CIA, NSA, and other intelligence agencies traced the financial holdings of Milošević and his cronies. President Clinton decided to threaten these cronies’ assets—a covert operation that played a big role in ending their support for the Serbian regime—but not to go after Milosevic’s own money. The concern was that doing so could spur a backlash and destabilize global financial markets. Ever since, Western leaders have abided by that distinction.

And so, Western intelligence agencies know where Putin stores his money, but they won’t threaten to steal it or to manipulate his investments. But Western leaders could mount an information-warfare campaign to reveal, to the Russian people and the rest of the world, just how much money Putin has (news reports have estimated it might amount to $200 billion), where he got it, and how much his cronies—ministers, regional governors, and various business partners—have skimmed from the public till.

Of course, this would be awkward for the United States to reveal at the moment, as Putin’s spies could retaliate with spreadsheets exposing the Trump Organization’s far-flung holdings. We still don’t know just why President Trump declines to investigate, much less respond to, Russia’s cyberattacks on our democracy—why he refrains from uttering a single critical word about Putin or Russia, even as he trashes allied leaders, American lawmakers, and his own intelligence and law enforcement agencies. But fear of such backlash might explain a good part of his reticence.

This, then, is the root problem of why, as Adm. Rogers put it, “we have not opted to engage in some of the same behaviors that we are seeing” from Russia. It’s not that the State Department or some other federal agency lacks the money or the manpower. It’s that the president lacks the desire.