John Bolton has spent years imploring the U.S. to go on the attack in cyberspace — a stance that some digital warfare experts caution could set up the nation for a conflict it would be better off avoiding.

President Donald Trump’s incoming national security adviser has made this point in a series of op-eds, speeches and appearances on panels and television, arguing that America should deploy its “muscular cyber capabilities” to strike back against digital adversaries like China, Russia, Iran and North Korea. The point, he said, would be to impose costs “so high that they will simply consign all their cyber warfare plans to their computer memories to gather electronic dust.”


Starting April 9, Bolton won’t have to make these pitches in public. He’ll have Trump’s ear — every single day. And with the president preparing to meet with North Korean leader Kim Jong Un, a trade war looming with China, an expected Russian digital assault on the 2018 midterms, and a deadline nearing to recertify the Iran nuclear deal, Bolton’s cyber hawkishness could have significant ramifications.

While officials and cyber specialists agree with Bolton’s push for a clearly articulated digital strike policy, the government has hesitated to dive headlong into what Bolton calls “a retaliatory cyber campaign,” wary of blowback on American businesses and infrastructure, the lack of global rules for online warfare and the debatable effectiveness of digital strikes in the first place.

“If you’re covered in gasoline, be careful throwing matches,” said Michael Sulmeyer, a former cyber-policy adviser to Obama administration Defense Secretary Ash Carter.

“[Bolton’s] rhetoric here is putting any sense of balance we have here at risk,” added Robert Lee, a former cyber officer in the Air Force and co-founder of cyber firm Dragos Security.

While Bolton hasn’t made clear exactly what type of digital strikes he would like to see, offensive hacks could mean anything from infiltrating a political opponent’s email account to blocking communications, cutting off networks, shutting down a power grid or even physically destroying machinery, as it’s widely believed the U.S. did years ago when its Stuxnet malware destroyed nearly 1,000 Iranian nuclear centrifuges.

But starting a back-and-forth cyberwar with an adversary like Russia could pose huge risks for a nation as open and wired as the United States. Just two weeks ago, federal prosecutors accused Kremlin-linked hackers of penetrating the U.S. electric grid and copying information that could allow them to take control of power plants’ computers — and potentially even shut off the lights.

The U.S. can’t go “too muscular, too early, without recognizing what could go wrong,” said Sulmeyer, who now helms the Cyber Security Project at the Harvard Kennedy School’s Belfer Center.

Bolton has been beating the drum for going on the online offense since shortly after North Korea hacked Sony Pictures Entertainment in late 2014. The North Koreans seized the company’s networks and released embarrassing internal emails in retaliation for its decision to produce “The Interview,” a comedy about assassinating Kim Jong Un.

Bolton, who served in the administrations of both presidents Bush, took issue with then-President Barack Obama’s classification of the incident as “cyber vandalism.” Obama also vowed to respond “proportionally.”

“North Korea's attack on Sony should be seen, at a minimum, as state terrorism, verging on an act of war, not mere vandalism, as Obama opined,” the former diplomat argued in a Pittsburgh Tribune-Review op-ed.

When China infiltrated the Office of Personnel Management in 2015 — pilfering over 20 million security clearance reviews, a historic espionage haul — Bolton admonished Obama for his “cyber silence.”

“Starting now,” he argued in a Los Angeles Times op-ed, “America's cyber response should be disproportionate.”

Obama administration officials publicly contemplated the risk-reward calculus of launching such retaliatory cyberattacks — former Director of National Intelligence James Clapper memorably told Congress, “I think it’s a good idea to at least think about the old saw about people who live in glass houses shouldn’t throw rocks.” But Bolton implored the Obama officials to move aggressively.

“Mere tit-for-tat responses indicate an inability or unwillingness to react more strongly and may simply tempt aggressors into more ambitious operations,” he wrote in the same op-ed.

Bolton has adopted similarly bellicose cyber rhetoric on the cyberattacks that targeted the Democratic Party during the 2016 election, despite initially downplaying Russia’s connection to the hacks.

“We need to create structures of deterrence in cyberspace, as we did with nuclear weapons, to prevent future Russian attacks or attacks by others who threaten our interests,” he said in a February op-ed in The Hill. “One way to do that is to engage in a retaliatory cyber campaign against Russia.”

He forcefully made the same point several days later while speaking on a panel at the Conservative Political Action Conference.

“I’ll tell you this. I think we ought to retaliate for the Russia cyberattacks on our election process,” he said to applause and cheers from the audience. “I think the retaliation should not be proportionate.”

Bolton also argues that the U.S. should train its digital might on nonstate actors. He’s long advocated for the military to go after WikiLeaks’ online infrastructure, most recently after the activist organization published a cache of secret CIA hacking tools.

“U.S. cyber warfare people should use WikiLeaks for target practice,” he said last year on Fox Business. “Take down their capabilities.”

Bolton, who did not comment for this article, arrives in the White House at an opportune moment to implement these ideas.

The Pentagon is in the process of elevating U.S. Cyber Command, its digital warfighting division, to the status of “unified combatant command,” putting it on par with major divisions like U.S. Europe Command, which oversees military operations throughout the European continent. And this fall, Cyber Command will hit full operational capacity for the first time in its nine-year history.

Bolton also starts amid a heated public debate over how the Trump administration should combat the Russian hackers whom intelligence leaders have said will be back in force during the upcoming election season.

The White House faced criticism after a spate of congressional hearings at which Trump’s own national security leaders conceded that the administration was “probably not doing enough” to stop the Kremlin’s hackers, as National Security Agency Director Adm. Mike Rogers put it during a February gathering.

Rogers, who also helms Cyber Command, told Congress that “nobody’s … directly asked me” how to thwart Moscow’s election meddlers. He also said he hasn’t been tasked with trying to stop the Russian hacks at their point of origin — comments that surprised cyber policy specialists.

Bolton is now in a key position to try and change that.

Experts have reached a consensus that the government needs to offer a public policy for how the U.S. fights back against various types of cyberattacks — from low-level hijacking of Twitter accounts to a hack that turns off the lights. To this point, responses to headline-grabbing hacks have been handled largely ad hoc.

“We need to get to the point where we can articulate our offensive capabilities,” said Frank Cilluffo, a longtime adviser to the government on national security policy and head of The George Washington University’s Center for Cyber and Homeland Security. “I get the sense that’s going to be a tier one priority issue” for Bolton.

However, in the Wild West of cyberspace, offensive attacks can quickly escalate, putting the U.S. economy — not to mention the hospitals, water systems and electric grid that power day-to-day life — at risk. Without strict international rules to inhibit foreign governments, the U.S. showing a desire to go it alone on digital strikes could open the floodgates, several cyber warfare experts warned.

In the digital world, Cilluffo said, businesses “pay the price for the perceived sins of government.”

When describing their preferred approach to offensive cyberattacks, numerous digital warfare experts used words like “proportional,” “careful” and “thoughtful” — terms that critics do not associate with Trump’s modus operandi.

Cyber specialists — both in and out of government — are also still debating the effectiveness of offensive cyber weapons, both politically and militarily.

Rogers, during his congressional testimony, cautioned that he didn’t want to “over-promise” on how well his cyber warriors could stop Russian hackers in their tracks.

Kenneth Geers, an international cyber policy researcher who has worked for the U.S. Army, NSA and NATO, also questioned whether going after Russia might play into Vladimir Putin’s hands.

“You risk exacerbating already vexed relations between East and West, and that might be exactly what Putin wants to consolidate his base at home,” said Geers, who helped strategize the Pentagon’s response plan during Russia’s 2007 cyber assault on its neighbor Estonia.

Lee, the former Army cyber official, was more blunt.

Hacking back against America’s digital adversaries “is completely ineffective,” he said, arguing that it does nothing to bolster the country’s network security. “There is no aspect of hacking back that is useful for defense. None whatsoever.”

“The only aspect of hack back is going to be conflict,” he added.

After leaving government, Carter was candid in his assessment of how fruitless the military’s cyber weapons can sometimes be, highlighting the nascent offensive digital fight against the Islamic State in Iraq and Syria.

“I was largely disappointed in Cyber Command’s effectiveness against ISIS,” the former defense secretary wrote in a report published in October. “It never really produced any effective cyber weapons or techniques.”

Still, many military officials and cyber experts believe ongoing investments and training will help smooth out many issues of effectiveness. Bolton has recommended that the U.S. “substantially increase” its “resources for cyber warfare, both offensive and defensive.”

And Bolton has indicated he feels he has a like-minded president.

When asked during his Fox Business interview whether the government would ever actually launch digital strikes on WikiLeaks, Bolton simply said: “I hope so. It’s a different president now.”