And the third is the classified National Security Presidential Memorandum 13, which makes it easier for the military to launch offensive cyberoperations by largely eliminating a lengthy interagency approval process put in place by the Obama administration.

The idea of using offensive cyberattacks for defensive purposes is not a new one — discussions about the potential risks and rewards of “hacking back,” especially in the private sector, go back more than five years. But for the American government to embrace this strategy is a sharp change from the cautious, defense-oriented approach of the past decade.

President Barack Obama was notably restrained in his authorization of offensive cyber missions. When deciding whether to use the Stuxnet worm to compromise uranium enrichment facilities in Iran in 2010 (his administration’s most famous use of offensive cyber capabilities), he reportedly expressed repeated concerns about the precedent it would set for other countries. The Obama administration’s forbearance and careful decision-making around cyberattack authorization aligns with the 2015 Department of Defense cyber strategy, which identified controlling the escalation of cyber conflicts as a key strategic goal. That goal is conspicuously absent from the Department of Defense’s new strategy.

The Trump administration’s shift to an offensive approach is designed to escalate cyber conflicts, and that escalation could be dangerous. Not only will it detract resources and attention from the more pressing issues of defense and risk management, but it will also encourage the government to act recklessly in directing cyberattacks at targets before they can be certain of who those targets are and what they are doing.

One of the advantages of the slow, unwieldy approval processes put into place by previous administrations is that they gave the government ample time to ascertain who was behind a cyberattack. That is not always easy to do: Many adversaries route cyberattacks through compromised third-party machines in other countries, such as university computer systems. Rushing to retaliate may make it more likely that the United States will lash out at the wrong target, which may invite new attacks rather than deter them.