The Case for Cyber Pressure Against Venezuela

“This Venezuelan government system has been encrypted and locked. To receive the decryption key, remit the required one billion dollars to the United States Treasury Department and comply with the other 12 demands from the U.S., issued in the letter from Secretary of State Marco Rubio to acting President Delcy Rodriguez on June 1, 2026.”

Though perhaps slightly over the top, such a scenario is not impossible in the coming year. Surprisingly, it might also be a better idea than more traditional military alternatives.

Like it or not (and legal or not), President Trump has now attacked Venezuela and committed to “running” the country for years, promising future military strikes if the Venezuelan government responds insufficiently to demands by the United States. But the U.S. cannot continue to back up such threats indefinitely.

A cyber pressure campaign could prove more effective and humane than continuing traditional military attacks. And, while it is notoriously difficult to use cyber for effective coercion, perhaps in the past there has been too ephemeral a connection between limited, precise political demands and the effects cyber commands can reasonably deliver. 

Any such campaign would, of course, suffer from the same quandaries as the original attack on Venezuela: a questionable “familiar but flawed” legality, a dubious “might makes right” attitude, commercial motivation, and uncertain planning about what happens next. Still, Venezuela may offer a unique opportunity for a new kind of cyber operation.

The Upside to Cyber

Already, U.S. cyber command has been involved in Venezuela in “a cyber operation [that] cut power to large parts of Caracas,” but cyber power might also go further than just a support to brute force. 

Cyber capabilities might present a unique lever for the U.S. military pressure on the Rodriguez administration should it balk at further U.S. demands. A simple ransomware-style campaign against Venezuelan government systems, as theorized at the beginning of this article, is just one possibility for the U.S. to operate in the cyber gray zone between armed conflict and peace. 

Cyber operations could serially disrupt other high-value targets or even critical infrastructure (if military and legal assessments find that the civilian impact is not disproportionate). A follow-up disruption on the electrical grid might be straightforward, as might disruptions of the Venezuelan oil behemoth Petróleos de Venezuela Sociedad Anónima (PDVSA), port facilities used in oil logistics, or telecommunications. 

A cyber pressure campaign could also be sustained, possibly longer than a traditional one. To “run” Venezuela for years would otherwise demand an expensive, over-the-horizon military presence in the Caribbean or even an invasion, a far less preferable option on political, strategic, legal, and humanitarian grounds. Cyber pressure would be far less deadly than additional rounds of traditional military attack and less likely to foster opposition in the region or in Congress. 

Nonlethal, reversible, plausibly deniable, and affordable: Cyber offers a lot. 

Overcoming Drawbacks to Cyber Coercion

Some academics, such as Erica Lonergan and Shawn Lonergan, have argued that cyber has generally been of little use for coercion: Once a capability is revealed, the vulnerability can be patched. Cyber effects are also uncertain, they note, and lack the coercive heft of traditional violence. Others have highlighted that because most cyber operations are covert, they lack the “do this, or else” clarity to make effective coercive threats.

However, these are not iron laws of cyber conflict. They are constraints that cyber commands can work around and matter less in the current crisis. A corollary to these academic findings is that in some circumstances where those limitations can be overcome, cyber may present a useful, limited coercive power. 

First, even against run-of-the-mill attackers, cyber defense and incident response are expensive and require discipline to ensure vulnerabilities are patched and that every trace of an intruder is eradicated. Organizations with world-class cybersecurity only manage to patch 50 percent of critical flaws within three weeks, and just two percent of companies that suffer data breaches can fully recover in fewer than 50 days. 

Simplifying the issue for would-be U.S. cyber coercers, Venezuela is far from world class. The International Telecommunications Union lists it in the second lowest tier, and the National Cyber Security Index, run out of Estonia, ranks Venezuela at 107 globally, below Chad and the Republic of the Congo. Venezuela might hope to rely on cybersecurity assistance from Russia (such as Kaspersky Labs), but the Rodriguez regime would not likely recover fully in less than 100 days, which only 24 percent of organizations achieve on average.

Nor would the U.S. need to rely on exquisite vulnerabilities. Most of the worst incidents have come from known vulnerabilities. Just in the last few years, major companies such as Jaguar-Land Rover, MGM Resorts, and tech companies including Snowflake and Microsoft have been successfully attacked by essentially teenagers and young adults using known vulnerabilities.

All of this should leave U.S. cyber operators, who are far better than teenagers, ample opportunity to lurk undetected and potentially restrike. If Venezuela somehow repelled an initial attack and patched its defenses, there may still be more than enough other vulnerable (and legal) targets for the U.S. to continue its cyber campaign for some time.

There is an unfortunate example close to home. The United States has been aware of Russian and Chinese implantation of malware into the electrical grid since 2009; knowledge of these vulnerabilities helped temper calls in the White House for a more muscular cyber response to Russian election interference in 2016. Despite this foreknowledge, the government is still concerned and issues alerts about the threat to the grid. Perhaps the specific vulnerabilities from 17 years ago are different, but the threat remains the same.

There may even be a positive advantage to striking a repeat target. According to the Ukrainian government, Russian cyber threat actors prioritized “exploiting organizations that have been compromised in the past” in 2023, as their familiarity with the target’s networks, defense, and responses gave them “substantial advantage.” 

Second, it can be helpful to think of a cyber campaign less as coercion, a big use of capabilities to force a major, one-off decision, and more as a pressure campaign to keep Caracas hewing to a more reasonable set of the United States’s preferences. Even if cyber cannot force a major policy change, it might still influence a series of small- and medium-sized decisions. Such a campaign would simply extend cyber operations as a useful part of an intelligence contest or as secret statecraft and not create any new kind of cyberwarfare.

Cyber coercion—of any kind and against any target—is least likely to be successful if the attackers are unclear about the concessions they want or if their demands are misaligned with the relatively limited outcomes that cyber operations can deliver.

Caracas would not suddenly hold free and fair elections simply because government networks or critical services are down. The chavistas have already survived and sacrificed far more than a sustained cyber campaign could inflict, including “the single largest economic collapse outside of war in at least 45 years.” Nor would Taiwan decide to reunite with the People’s Republic of China because of cyber coercion. These decisions are too existential to achieve through cyber means.

However, cyber campaigns might seek more reasonable goals, such as pressuring Venezuela to pay Trump’s demands for petroleum worth $1.8 billion and reimbursing $3 billion worth of nationalized oil assets. There may be a few examples of cyber operations driving geopolitical coercion, but thousands of examples happen every year of ransomware attacks that deliver successful financial coercion. 

Besides forcing payment, other reasonable demands potentially enforceable through cyber coercion include chivvying the Venezuelan government to release political prisoners or to cease making threats against Guyana and other neighbors. Temporary cyber disruptions might be a good match to shift preferences on such bite-sized, nonexistential demands.

Ransomware, even if it cannot coerce a company to change its basic strategy, has proved exceptionally successful at forcing targets to cough up cash. Only a few years ago, 85 percent of all companies affected by ransomware paid up (though this has since decreased to 23 percent). 

Having helped create the original U.S. military cyber command in 1998 and with 15 years’ worth of articles advising caution on offensive cyber operations, it is uncomfortable to advocate for a military ransomware campaign to shake down another sovereign state. However, I prefer it to the alternative of lethal strikes or a repeat of an Iraq-style invasion. Policy analysts must accept the policymakers they have and the decisions already made.

Moreover, should Venezuela balk, the military still lurks offshore to reinforce the threat. This ultimate resort was not in play during other times that cyber was used to influence states, such as the unsuccessful Russia-linked ransomware demands against Costa Rica. 

The close tie between precise and limited political demands, the design of a cyber campaign, and the lingering threat of traditional strikes may be an important missing element in past academic research on cyber coercion. 

Unfortunately, adversaries of the United States could learn this lesson as well. The People’s Republic of China could never use cyber coercion to entice Taiwan to rejoin the mainland, but it might convince small nations to cease backing Taiwan, such as by keeping Taiwan out of international organizations.

Conclusion

Trump has already reportedly called off another strike on Venezuela, pleased at its cooperation, “especially as it pertains to rebuilding, in a much bigger, better, and more modern form, their oil and gas infrastructure.” 

This echoes 2019, when Trump called off a strike against the Islamic Revolutionary Guard Corps, concerned about the potential casualty number, but allowed a companion cyber strike to continue. That strike was, as the Lonergans have highlighted, not coercion but accommodative signaling that the United States was willing to let the matter drop. 

Trump may make the same call again with Venezuela, calling off military strikes but giving the greenlight to cyber, not as signaling but as coercion. Doing so may, if tied closely to reasonable political demands, lead to successful pressure and no more casualties, on either side.