One question about a response to Russian hacking is how we will control the risk of escalation without being ineffective. Unplugging a few servers will not end Russian action, but unplugging many servers may lead to broader conflict. When facing an opponent who is nimbler in decision-making, less bound by law, and more willing to take risks, the chance of escalation is greater.

So retaliation probably means a lawful response not involving force and that does not unduly risk escalating the conflict. This response cannot be that old favorite of amateur cyberstrategists, name-and-shame. Vladimir Putin cannot be shamed. He believes his actions are justified against an aggressive U.S. that is implacably hostile to Russia. While some kind of counterattack by Cyber Command is tempting, any retaliation must have political effect, and in Russia, that means going after relationships and money.

It is important to lay down a marker with the Russians. They have gone too far and need to be checked. The U.S. needs to navigate a narrow and difficult path between inaction and escalation. We can start by recognizing that this is cyberconflict, not the kind of cyberconflict we planned for—no cyber Pearl Harbor or cyber 9/11—but a conflict nonetheless. Anything we do should reinforce (or at least not undercut) the long-term goal to create a framework of agreements for stability in cyberspace. The U.S. needs a new strategy for dealing with Russia and its new style of conflict that uses hybrid warfare, including a mix of cyberaction, threats, disinformation, and corruption. It is too late for this administration to define that new Russia strategy, but it can lay the groundwork for it with the actions it takes now. This sounds like a long list of requirements, but none of these are impossible or preclude action.