Read: How to run a Russian hacking ring

At times, it’s seemed like every week this year has brought fresh news of Putin acting as the skunk at the global internet party. This fall also saw a new report from the security firm FireEye that concluded that the code used to attack a Saudi petrochemical plant came from a state-owned institute in Moscow.

Moreover, it’s also become more clear that the “global cybercrime problem” is actually primarily a “Russia problem,” as Putin’s corrupt government and intelligence services give cover and protection to the world’s largest transnational organized crimes, cybercriminals, schemes, and frauds that cost the West’s consumers millions of dollars. Earlier this year, the Justice Department broke up one cybercrime ring based in Russia whose literal motto was “In fraud we trust.” The Justice Department charged 36 individuals, many of whom live in Russia beyond the law’s reach, and outlined a scheme by which they stole more than a half-billion dollars. It’s hardly the only example from this year; last week, the FBI announced that it had dismantled two other cybercrime rings and charged eight people—seven of them Russian—with running a multimillion-dollar ad-fraud scheme. (Three of those charged were able to be caught overseas in friendly countries that respect the rule of law: Malaysia, Bulgaria, and Estonia.)

Ferreting out cybercriminal and intelligence operations and making them public are two prongs of a three-part strategy to change behavior. In recent years, we’ve gotten really good at the first two parts. In fact, while for years these cases were hidden away inside the government, we now release them routinely. This fall, Deputy Attorney General Rod Rosenstein announced that the Justice Department was changing its approach to election-meddling cases, with the default now to make such cases public as quickly as possible. The change coincided with the criminal complaint against Khusyaynova, detailing that the attacks on our elections are a problem of right now, not just a theoretical issue.

Read: What Putin really wants

As Rosenstein said earlier this year, “Exposing schemes to the public is an important way to neutralize them.” Making public such charges helps us be more resilient and more savvy consumers of online content—Russia’s attacks in 2016 succeeded in part because we weren’t expecting them and because people weren’t skeptical enough about consuming information online. Today, of course, we understand all too well that photos, images, and posts online could be the work of foreign trolls and bots.

While defaulting to public action is a good first step, it is not sufficient. The elusive third part of the strategy is what is most needed: making Russia pay a cost that deters the activity. The United States should move toward automatic retaliatory action, ensuring that in today’s fast-moving information environment a response doesn’t get bogged down in partisan politics or bureaucracy.