OPINION — “As we’ve said from the beginning, and in every statement, these highly effective strikes are specifically intended to be ‘lethal, kinetic strikes.’ The declared intent is to stop lethal drugs, destroy narco-boats, and kill the narco-terrorists who are poisoning the American people. Every trafficker we kill is affiliated with a Designated Terrorist Organization.”

That was part of a message from Defense Secretary Pete Hegseth last Friday evening on the social platform X, commenting on an earlier Washington Post story that alleged Hegseth had verbally ordered defense officials to “kill everybody” traveling on a narco-trafficking boat September 2. That was the first of 21 boats struck and sunk since then by U.S. military units – actions which have killed 83 people.

According to last week’s Post story, that first September 2, missile strike hit a so-called narco-trafficking boat carrying 11 passengers, but left two survivors clinging to the wreckage. The Post story then reported for the first time that a second strike was ordered by Adm. Frank "Mitch" Bradley, who was at the time, head of Special Operations Command and was the commander in charge of the operation.

In his Friday message, apparently referring to The Post article, Hegseth wrote, “As usual, the fake news is delivering more fabricated, inflammatory, and derogatory reporting to discredit our incredible warriors fighting to protect the homeland.”

Hegseth went on to write that the attacks have been “lawful under both U.S. and international law, with all actions in compliance with the law of armed conflict,” positions already being criticized and questioned before last week’s Post story.

On Sunday, President Trump on Air Force One said, “He [Hegseth] said he did not say that [the order “kill everybody”], and I believe him, 100 percent.”

Yesterday, White House Press Secretary Karoline Leavitt, said “Secretary Hegseth authorized Adm. Bradley to conduct these kinetic strikes,” and that “Adm. Bradley worked well within his authority and the law to ensure the boat was destroyed and the threat to the United States of America was eliminated.”

A good question is who was in the room when Adm. Bradley gave that order?

What national security news are you missing today? Get full access to your own national security daily brief by upgrading to Subscriber+Member status.

The second strike issue has also put a spotlight on President Trump’s threat policy toward Venezuela and its leader, Nicolas Maduro.

I describe it as a threat policy because Trump’s been unclear whether he just wants Maduro out, or plans for the U.S. to take over Venezuela and install a new government in Caracas.

Since August, a possible U.S. invasion force has been built up in the Caribbean, and over the past weeks Marine, Navy and Air Force elements have carried out well-publicized military exercises. Trump last week threatened to attack Venezuelan land-based drug facilities, and he disclosed on Sunday, that he had spoken to Maduro.

Press reports claim Trump offered free passage if Maduro left Venezuela, but indications are that the latter did not accept the offer. A Trump-led White House meeting on Venezuela was scheduled for 5 p.m. yesterday with the President’s top national security aides.

Let’s pause for a moment.

President Trump has not yet explained his strategy, or the specific purpose or plan, for the built-up U.S. Caribbean military forces. He has talked about stopping drugs from entering the U.S., often claiming – with no proof – that each narco-boat destroyed saves 25,000 American lives.

It’s no real war on drugs in the U.S. since it has no domestic element, and even the foreign side is flawed as illustrated by Trump’s surprise pardon offer last Friday to former-Honduran President Juan Orlando Hernández.

Based ironically on an investigation begun during Trump’s first administration, Hernandez was convicted and sentenced last year to 45 years in prison. Prosecutors described him as a “violent, multi-ton drug trafficker” who allegedly abused his political connections for personal and political gain and at least twice “helped arrange murders of drug trafficking rivals.”

Nominations for outstanding leaders in national security and intelligence are now open for the 2026 Cipher Brief Honors Dinner. Find out more here.

Meanwhile, up to now Congress has yet to hold a public hearing focused on the Caribbean buildup or the Venezuelan situation. However, this second-strike killing of the two September 2 survivors has brought new attention and concern to the legal questioning of the Trump administration’s killing of narco-traffickers.

Harvard Law School Professor Jack Goldsmith last Friday pointed out in his Executive Functions platform that the Defense Department’s own Law of War Manual says, “it is also prohibited to conduct hostilities on the basis that there shall be no survivors, or to threaten the adversary with the denial of quarter. This rule is based on both humanitarian and military considerations. This rule also applies during non-international armed conflict.”

Last Friday, Sens. Roger Wicker (R-Miss.) and Jack Reed (D-R.I.), chairman and ranking Democrat on the Senate Armed Services Committee, released a joint statement saying their committee “is aware of recent news reports and the Department of Defense’s initial response regarding follow-on strikes on suspected narcotics vessels in the SOUTHCOM area of responsibility.”

As a result, the two Senators said, “The Committee has directed inquiries to the Department and we will be conducting vigorous oversight to determine the facts related to these circumstances.”

Their notice comes on top of a letter sent November 24, to Attorney General Pam Bondi and Hegseth by Democratic Senators on the Armed Services Committee, seeking “expeditious declassification and public release of the Department of Justice Office of Legal Counsel’s [OLC] written opinion, dated September 5, 2025, concerning the domestic and international legal basis for recent military strikes of certain vessels near South America and the Caribbean, with appropriate redactions necessary to protect military personnel and sensitive intelligence matters.”

The 13 Senators pointed out, “Few decisions are more consequential for a democracy than the use of lethal force,” and noted as precedent that “after the United States carried out military strikes in Libya in 2011, and in Syria in 2018, the Department of Justice released the applicable OLC opinion justifying each operation.”

On Saturday, the House Armed Services Chairman and ranking Democrat. Reps. Mike Rogers (R-Ala.) and Adam Smith (D-Wash.), issued their own statement saying their committee is “committed to providing rigorous oversight of the Department of Defense’s military operations in the Caribbean,” and “we take seriously the reports of follow-on strikes on boats alleged to be ferrying narcotics in the SOUTHCOM region and are taking bipartisan action to gather a full accounting of the operation in question.”

With both Republican-chaired committees on record opening inquiries into the narco-boat attacks, and President Trump threatening new land attacks on Venezuela, it is not clear what happens next.

Are you Subscribed to The Cipher Brief’s Digital Channel on YouTube? There is no better place to get clear perspectives from deeply experienced national security experts.

What Trump has done is put out statements on Truth Social such as the one last Saturday, “To all Airlines, Pilots, Drug Dealers, and Human Traffickers.” They are to “please consider THE AIRSPACE ABOVE AND SURROUNDING VENEZUELA TO BE CLOSED IN ITS ENTIRETY.” Most international commercial flights had been cancelled more than 10 days ago after the November 21, U.S. Federal Aviation Administration warning of the risks of flying over Venezuelan airspace,

What is all this Trump messaging supposed to mean? And is this a way a serious U.S. President should be conducting foreign policy?

As I and others have pointed out, there has been unease indicated within the Defense Department since these unprovoked killings began. In mid-October, SOUTHCOM Commander Adm. Alvin Holsey announced his early retirement on December 12 – little more than a year after he assumed the position. Holsey has yet to disclose his reasoning, but the New York Times reported that he had raised internal concerns about the attacks on the boats.

In November, NBC reported that a senior SOUTHCOM Judge Advocate General in August, before the strikes began, had raised whether they would be legal, and that he was later sidelined.

We also have had President Trump’s social media outbursts beginning November 20, against Sen. Mark Kelly (D-Ariz.) and five other Members of Congress, each of whom had served in the military or CIA, for their video reminding military personnel that they “can refuse illegal orders.” Trump at various times called what they had done “Seditious Behavior” that was “punishable by death.”

Hegseth, last Tuesday in a memo to the Navy Secretary John Phelan, described Kelly’s participation in the video as “Potentially Unlawful Conduct,” and asked for it to be reviewed for “consideration and disposition as you deem appropriate.” As a retired Navy officer, Kelly could be ordered back on active duty and face a court martial trial. But Hegseth, having apparently left it up to Phelan and the Navy to carry out, made it highly unlikely that anything more than an inquiry will ever take place.

While all these activities are taking place today, I want to also record a bit of history surrounding Operation Southern Spear, which Secretary Hegseth announced November 13, “as a new, formal military and surveillance campaign,” with a goal “to remove ‘narco-terrorists’ from the Western Hemisphere and secure the U.S. homeland from illicit drugs.”

In fact, Operation Southern Spear had its roots in the Biden administration and was officially announced by the U.S. Navy 4th Fleet on January 28, 2025, as “a heterogeneous mix of Robotic and Autonomous Systems to support the detection and monitoring of illicit trafficking while learning lessons for other theaters.” In a press release, the 4th Fleet said the operation was an evolution of the Navy’s previous operation dubbed Windward Stack, begun in 2023. It added, the results of Operation Southern Spear “will help determine combinations of unmanned vehicles and manned forces needed to provide coordinated maritime domain awareness and conduct counternarcotics operations.”

In a July 2, 2025, announcement, the Navy said SOUTHCOM and 4th Fleet have launched Operation Southern Spear which “will involve un-crewed surface vessels that can stay at sea for extended periods, small robotic interceptor boats, and vertical take-off and landing un-crewed air systems. These will combine with manned forces to help provide coordinated maritime domain awareness and conduct counternarcotics operations.”

I doubt that the originators of Operation Southern Spear foresaw it as a human killing program.

The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals.

Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.

Have a perspective to share based on your experience in the national security field? Send it to Editor@thecipherbrief.com for publication consideration.

Read more expert-driven national security insights, perspective and analysis in The Cipher Brief

Scary stories come in all forms. For system administrators, late night outages and network attacks can cause nightmares.

It's been a year since my last big distributed denial-of-service (DDoS) attack. I had been holding off about blogging about this for a few reasons. First, I wanted to make sure it was over. Second, I didn't want to tip off the attackers about what I learned about them. (I had been quietly telling other people about the attack details. It's even helped some other victims of the same attack.) And finally, I wanted to see if they would come back and trigger any of my traps. (Nope!)

The First Wave

On Wednesday, 23-Oct-2024 at 3pm local time (21:00 GMT), my servers came under a massive distributed denial of service attack.

My servers are physically located in a machine room, about 20 feet away from my office. When my servers come under any kind of load, their fans rev up. Even though they are a room away, I can hear the fans pick up. (It sounds like a jet engine.) When the attack started, I heard two servers ramp up.

My first thought was that one of my customers was probably analyzing videos. That always causes a higher load, but it usually lasts a minute. When the sound continued, I checked the servers themselves. None of the virtual machines had any high-load processes running. In fact, the loads were all hovering around 0.1 (virtually no use). It took me a few moments to find the cause: my server was rejecting a huge number of packets. It was definitely a DDoS attack.

I don't know the exact volume of the attack. My servers were logging a sustained 300Mbps and over 150,000 packets per second. (The logging and packet rejections were enough to cause the fans to ramp up.) However, I'm sure the volume was more than that -- because the upstream router was failing. I later learned that it was even larger: the upstream router to the upstream router was failing. The 300Mbps was just the fraction that was getting through to me. The attacker wasn't just knocking my service offline; they took down a good portion of Northern Colorado. (I grabbed some sample packet captures for later analysis.)

I first confirmed that my servers had not been compromised. (Whew!) Then I called my ISP. They had already noticed since the attack was taking down a few hundred businesses that used the same router.

My ISP did the right thing: they issued a black-hole for my impacted IP address. This droped the traffic long before it reached my server or even the impacted routers.

The First Mitigation

Since the attackers were only going after one IP address, my ISP and I thought I could get away with changing my DNS and moving my impacted services to a different address. On that single IP address, I had a handful of services.

• I first moved FotoForensics. No problem. Usually DNS records are cached for a few hours. Long before any of this happened, I had configured my DNS to only cache for 5 minutes (the minimum time). Five minutes after changing my DNS record, the service came back up and users were able to access it.


• I then moved some of my minor services. Again, after 5 minutes, they were back up and running.


• I could have moved all of my services at once, but I wanted to know which one was being attacked. The last service I moved was this blog. After 5 minutes, the DDoS returned, hitting the new address.

This told me a couple of things:

1. The attack started at precisely 3:00pm and it lasted exactly 12 hours. This appeared to be a schedule attack.


2. They were explicitly targeting my blog and Hacker Factor web service. (Why? What did I do this time? Or maybe, what did I write recently?)


3. They were repeatedly checking DNS to see if I moved. They knew this was a logical step and they were watching for it. That's a level of sophistication that your typical script kiddie doesn't think about. Moreover, it appeared to be an automated check. (Automated? I might be able to use that for a counter attack.)

Looking over the network logs, I saw the packets that were doing the attack:

• It was a flood over UDP. With UDP, you can just shoot out packets (including with fake sender IP addresses) and overwhelm the recipient. This attack varied from targeting port 123/udp (network time protocol) and 699/udp (an unknown port). Neither of these existed on my server. It wasn't about taking down my servers; it was about taking down the routers that lead to my servers.


• Every UDP packet has a time-to-live (TTL) value that gets decremented with each router hop. The TTL values from the attack packets didn't match the sender's address in the UDP packets. That tells me that the sender IP addresses were forged. I run a bunch of honeypots that benchmark attacks year round. The packet TTLs and timings were consistent with traffic coming from Europe and Asia. I then tracked the attack to AS4134 (China).


• They were only attacking over IPv4, not IPv6. That's typical for most bulletproof hosting providers. (These are the types of companies with high bandwidth and no concerns about their customers causing massive network attacks.)


• When the network address was blocked (black hole), the DDoS stopped shortly afterwards. When my DNS changed, the attack restarted. This tells me that they were monitoring my address in order to see when it went down.


• After I changed IP address, I noticed something. Buried in the logs was a single IP address at a university (not in China). It was continually polling to see if my server was up. Blocking that one IP address caused the DDoS against the new IP address to turn off. The attackers appeared to be using this as a way to decide when to disable the attack. (Finding this needle in the 150,000 packets-per-second haystack was the hard part.)

All of this tells me the how, but not the who or why.

Who and Why?

I turned the IP addresses, packet captures, and logs over to some of my, uh, friends. I do not know the details of their methods, but they are very effective.

• They tracked the bulk of the DDoS attack to servers often associated with attacks from North Korea.


• They found that the university system was in a specific university lab. The lab members mostly had Korean names. We suspect that either (A) at least one of the students was North Korean posing a South Korean, or (B) one of the students had downloaded or clicked something that allowed North Korea to compromise the system.

Then I looked back at my blog. Eight days before the attack, I had blogged about C2PA and used AI-generated pictures of North Korea's leader, Kim Jong Un, as my example. Here's the opening of the blog:

There's nothing worse than a depressed, drunk man who has his finger on the nuclear button.

It appears that this was enough to upset the North Korean government and make me a target for a massive network attack.

Hiding For Safety

Since I'm not taking down my blog, I decided to take additional steps in case the DDoS started up again.

There are some online services that provide DDoS protection. I looked into them and decided to switch to CloudFlare. What they provide:

• Domain fronting. When you connect to hackerfactor.com or fotoforensics.com, you actually connect to one of CloudFlare's servers. They forward the request back to my services. If there is a network attack, then it will hit CloudFlare and not me.


• DDoS protection. I kind of felt bad for setting up CloudFlare for an attack. However, this is one of the things they explicitly offer: DDoS protection, even at the free account level.


• Content caching. By default, they will cache web content. This way, if a hundred people all ask for my blog, I only have to provide it once to CloudFlare. This cuts down on the network volume.


• Filtering rules. Even at the free tier, you can create filtering rules to stop bots, AI-scrapers, block bullet-proof hosting providers, etc. (I'm using their paid tier for some of my domains because I wanted more filter options.)

Setting up an account and moving my main domains took hours -- not days or months.

The downside of using CloudFlare is that I like to monitor my network attacks. Since CloudFlare gets these attacks instead of me, I don't have that insight. However, I still run some honeypots outside of CloudFlare so I still have baseline attack metrics.

The Second Wave

Even though my servers had been hit by a massive attack, I decided to slowly move them to the new service. (I'd rather be slow and cautious and get everything right, than to rush it and make a different problem.)

On 28-Oct-2024 (five days after the first attack) at almost exactly 1:00 AM, the attack started again. Although I had moved my servers behind CloudFlare, they appeared to be directly attacking my previously-known location.

Unfortunately, they guessed correctly. Even though CloudFlare was protecting me from incoming attacks, CloudFlare was forwarding valid requests back to my servers. And my servers were still at the old IP addresses. By attacking the old addresses, the DDoS managed to take down my service again.

I called my ISP's emergency 24/7 support number to report the problem, but nobody answered so I left a message. I repeatedly called back every 30-60 minutes until I was able to reach a person -- at 7:20am. (I spoke to the head of my ISP's IT department. They will make sure the 24/7 support will actually be manned next time.) They issued another IP address black hole to stop the attack, and it stopped 20 minutes later.

At this point, I decided to switch around network addresses and bridge in a second ISP. If one ISP goes down, the other one should kick in.

The Third Wave

On 30-Oct-2024, the third wave happened. This one was kind of funny. While my servers were dual homed and on different IP addresses, I still had some equipment using the old addresses. I was working late at night and heard the server fans start up again...

It took me a moment to check all of my diagnostics and determine that, yes, it was the DDoS again. It only took a minute for me to look up the ISP's 24/7 support number. However, as I picked up the phone, I heard the fans rev down. (Odd.) A few seconds later, a different server began revving up. After a minute, it spun down and a third server revved up.

That's when I realized what the attacker was doing. I had a sequential block of IP addresses. They were DDoS'ing one address and checking if my server went offline. After a minute, they moved the DDoS to the next IP address, then the next one. Here's the problems they were facing:

• I had moved my main services to different addresses. This meant that the attacker couldn't find me.


• My services were behind CloudFlare and they cache content. Even if the attacker did find me, their polling to see if I was down would see cached content and think I was still up.

Later that day, CloudFlare posted about a massive DDoS that they had prevented.

Cloudflare
@cloudflare@noc.social

We recently thwarted a massive UDP Flood attack from 8-9K IPs targeting ~50 IP addresses of a Magic Transit customer. This was part of a larger campaign we covered in our Q3 2024 report. Check out the full details here: https://blog.cloudflare.com/ddos-threa...

5.6 terabits per second. Wow. When I wrote to CloudFlare asking if this was related to me, I received no reply. I'm certainly not saying that "this was due to me", but I kind of suspect that this might have been due to me. (Huge thanks to CloudFlare for offering free DDoS protection!)

Keep in mind, CloudFlare says that they can handle 296 terabits per second, so 5.4Tbps isn't going to negatively impact them. But I can totally understand why my (now former) ISP couldn't handle the volume.

Tricks, Treats, and Terabits

I did lay out a couple of detectors and devised a few ways to automatically redirect this attack toward other targets. However, it hasn't resurfaced in a year. (I really wanted to redirect North Korea's high-volume DDoS attack against Russian targets. Now that I've had time to prepare a proper response, I'm sure I can do the redirection with no impact to my local network. I mean, they watch my DNS, so I'd just need to change my DNS to point to Russia. I wonder if this redirected attack would cause an international incident?)

Halloween stories usually end when the monster is vanquished. The lights come back on, the hero breathes a sigh of relief. But for system administrators, the monsters don't die; they adapt. They change IPs, morph signatures, and wait for a moment of weakness.

Some people fear ghosts or ghouls. I fear the faint whine of server fans spinning up in the middle of the night. A sound that means something, somewhere, has found me again. The next time the servers ramps up, it might not be an innocent workload. It might be the North Korea bot army.

DEEP DIVE — U.S. military forces this week carried out yet another strike on a vessel in Caribbean waters off Venezuela, marking the sixth such lethal operation since September. For the first time, two survivors were rescued and taken into U.S. custody aboard a navy ship.

President Trump also confirmed that he has authorized covert CIA operations inside Venezuela, dramatically broadening the theater of confrontation. Meanwhile, Venezuelan President Nicolás Maduro appealed to the U.N. Security Council, demanding the body denounce the strikes as violations of sovereign rights — a motion the U.S. is poised to veto.

These actions are the latest installments in a mounting campaign the U.S. launched in early September, signaling a shift from isolated interdictions into sustained military pressure.

On September 2, U.S. forces struck a vessel in international waters, killing 11 people, and claimed that it belonged to the Tren de Aragua gang and was laden with narcotics. Just over a week later, Washington unveiled an extensive naval deployment comprised of eight warships, a submarine and thousands of troops and launched a second attack against another alleged smuggling vessel, sending a clear message that the operation is systematic rather than episodic.

Then, in early October, the administration formally alerted Congress that the United States was in “armed conflict” with regional drug cartels, and promptly followed with another strike off Venezuela’s coast, killing four.

What began as maritime interdictions has evolved into a strategic escalation — combining naval power, aerial presence, covert action, and legal redefinition of cartels — in what appears to be an intensifying, long-term confrontation.

Ryan Berg, director of the Americas Program at the Center for Strategic and International Studies, tells The Cipher Brief the strikes “represent a paradigm shift in how the United States conducts counternarcotics.”

“Previously, the United States would board and search vessels and make arrests. Driving much of this paradigm shift is the foreign terrorist designations on more than a dozen organizations,” he continued. “The administration wants to send the message that this is not just a rhetorical shift, but that this is a shift with meaning. We deal with terrorists differently than we deal with criminals.”

From Quiet Waters to Strategic Theater

For decades, the Caribbean was viewed in Washington as a quiet, if troubled, backyard, important for migration and commerce, but hardly central to global competition. That calculation has changed. Today, the region is framed as a frontline of American power, where the U.S. confronts a convergence of transnational threats — from drug trafficking and irregular migration to external influence from China, Russia, and Iran — that unfold just off its own shores.

Michael Shifter, adjunct professor at Georgetown University and former president of the Inter-American Dialogue, tells The Cipher Brief that the strikes “will have a critical impact on the Caribbean security situation.”

“For the first time since the Panama invasion in 1989, the U.S. has carried out combat operations against assets allegedly connected to a Latin American government,” he noted. “That the strikes were conducted without regard to international law has unnerved other regional governments and made them wonder if they might be the next target.”

For much of the post-Cold War era, the Caribbean was not a primary theater for U.S. grand strategy. Policymakers often focused on the Middle East, Asia, and Europe, leaving the islands and waterways between Florida and South America to languish in relative neglect. The U.S. presence was episodic and reactive — providing disaster relief after hurricanes, conducting occasional counternarcotics patrols, and offering modest development aid.

But adversaries were not idle. China deepened infrastructure investments, secured port access, and trained regional military officers in its academies. Russia provided defense diplomacy, intelligence cooperation, and symbolic shows of force. Iran, though less prominent, found opportunity through Venezuela and proxy networks. These activities chipped away at U.S. primacy, testing whether Washington’s absence created a strategic vacuum.

“The presence of the expanded array of U.S. surveillance assets, cruisers, destroyers, amphibious ships, F-35 fighters, and other forces, in conjunction with the demonstrated use of force and reported planning for strikes inside Venezuela, are visibly driving panicked reactions by the Maduro regime,” Evan Ellis, research professor of Latin American studies at the U.S. Army War College Strategic Studies Institute, tells The Cipher Brief. “This demonstrates that the U.S. is willing to go beyond traditional law enforcement interception protocols to use lethal force against suspected drug boats.”

A Renewed U.S. Deterrent Strategy

The Trump administration has reframed narcotics networks as “narco terrorists,” a label that blurs the line between law enforcement and national defense. This allows for military strikes against what once would have been considered criminal targets. The Venezuelan boat destroyed on September 2 is the most vivid example yet, and it sparked immediate backlash from governments in Caracas, Bogotá, and across the Caribbean.

Venezuela condemned the strike as a violation of sovereignty, with Nicolás Maduro mobilizing civilian militias and promising to defend territorial waters. Colombia’s President Gustavo Petro went further, calling for international investigations into U.S. officials for what he termed unlawful killings. Fishermen in Trinidad and Tobago expressed concern about being caught in the crossfire, as expanded naval patrols threatened their livelihoods and heightened the risks to civilian vessels.

From Washington’s perspective, these costs are tolerable compared to the benefits of deterrence. Deploying advanced assets — such as F-35 fighters to Puerto Rico — signals that the U.S. views the region as strategically vital. The administration is also seeking to highlight the deterrent value of its strikes, suggesting they could disrupt smuggling operations and complicate adversaries’ strategic planning.

Still, questions loom about legality and proportionality.

“Unilateral U.S. military operations in Latin America have a long and often unhappy history,” Shifter said. “They remain extremely sensitive and touch a nerve in the region.”

Need a daily dose of reality on national and global security issues? Subscriber to The Cipher Brief’s Nightcap newsletter, delivering expert insights on today’s events – right to your inbox. Sign up for free today.

The Policy Evolution: From Reactive to Strategic

The idea of a sustained U.S. Caribbean policy, however, is not new. The 2020 U.S. Strategy for Engagement in the Caribbean outlined plans for expanded diplomacy, development, and security cooperation. Yet progress was limited by competing priorities and budget shortfalls.

What has changed in 2025 is the scale and framing of U.S. involvement. Rather than treating the Caribbean as an ancillary focus of counternarcotics or disaster relief, the Trump administration now casts it as a frontline of national defense. The deployment of warships and high-tech aircraft, the aggressive legal redefinition of cartels, and the diplomatic outreach led by Secretary of State Marco Rubio all point to an institutional pivot.

Congress is also being drawn into the mix. The reintroduced Caribbean Basin Security Initiative Authorization Act would allocate $88 million annually through 2029 for security cooperation. The measure reflects recognition that sustained resources, not episodic funding, are necessary to compete with external powers.

Risks, Imperatives, and What Comes Next

The road ahead carries both promise and peril. On the opportunity side, elevating the Caribbean to a strategic priority acknowledges geographic fact: the region sits on America’s doorstep, with busy sea lanes and chokepoints that have often been overlooked in U.S. defense planning. A credible deterrent posture, paired with investments in governance and development, could help steady fragile environments and blunt the appeal of rival powers.

Yet the risks of escalation are considerable. Misidentifying a civilian vessel, overreaching in the use of force, or neglecting consultation with regional partners could provoke backlash that undermines U.S. legitimacy.

“It is doubtful that the U.S. strikes will be effective in stopping the flow of narcotics,” Shifter cautioned. “Traffickers will adapt, alter their routes and try to minimize risks. Retaliation by criminal groups cannot be ruled out.”

Ellis warned of another danger: the aftermath of regime change in Venezuela.

“The biggest risks of such an operation would be whether Maduro could be captured alive. The other risk is that, in the absence of a more enduring U.S. force, the legitimate government of Edmundo González would not be able to establish order and control over the military,” he pointed out. “A post-Maduro Venezuela could degenerate into a free-for-all between criminal factions, guerrilla groups, sindicatos, and pranes — with Cuban and Russian elements fueling instability.”

Berg, by contrast, argued that regional cooperation has been robust.

“What has been great to see is the regional support for the United States’ deployment. Jamaica, Trinidad and Tobago, and Guyana have been vocally supportive,” he said. “The Dominican Republic, Ecuador, Peru, Paraguay, and Argentina have all declared the Tren de Aragua to be a foreign terrorist organization in the last month. Countries in the region appear open to a different approach, and some are even synchronizing their approaches with the United States on counternarcotics.”

The strike that killed 11 people was both a tactical hit on a trafficking network and a symbolic declaration of intent. What follows will decide whether this marks the start of a durable doctrine — or an overreach that produces more instability than it resolves.

“More consistent presence in the region will be key to ensuring that the United States can secure its interests,” Berg added.

Are you Subscribed to The Cipher Brief’s Digital Channel on YouTube? There is no better place to get clear perspectives from deeply experienced national security experts.

Read more expert-driven national security insights, perspective and analysis in The Cipher Brief

because National Security is Everyone’s Business.

DEEP DIVE — U.S. military forces this week carried out yet another strike on a vessel in Caribbean waters off Venezuela, marking the sixth such lethal operation since September. For the first time, two survivors were rescued and taken into U.S. custody aboard a navy ship.

President Trump also confirmed that he has authorized covert CIA operations inside Venezuela, dramatically broadening the theater of confrontation. Meanwhile, Venezuelan President Nicolás Maduro appealed to the U.N. Security Council, demanding the body denounce the strikes as violations of sovereign rights — a motion the U.S. is poised to veto.

These actions are the latest installments in a mounting campaign the U.S. launched in early September, signaling a shift from isolated interdictions into sustained military pressure.

On September 2, U.S. forces struck a vessel in international waters, killing 11 people, and claimed that it belonged to the Tren de Aragua gang and was laden with narcotics. Just over a week later, Washington unveiled an extensive naval deployment comprised of eight warships, a submarine and thousands of troops and launched a second attack against another alleged smuggling vessel, sending a clear message that the operation is systematic rather than episodic.

Then, in early October, the administration formally alerted Congress that the United States was in “armed conflict” with regional drug cartels, and promptly followed with another strike off Venezuela’s coast, killing four.

What began as maritime interdictions has evolved into a strategic escalation — combining naval power, aerial presence, covert action, and legal redefinition of cartels — in what appears to be an intensifying, long-term confrontation.

Ryan Berg, director of the Americas Program at the Center for Strategic and International Studies, tells The Cipher Brief the strikes “represent a paradigm shift in how the United States conducts counternarcotics.”

“Previously, the United States would board and search vessels and make arrests. Driving much of this paradigm shift is the foreign terrorist designations on more than a dozen organizations,” he continued. “The administration wants to send the message that this is not just a rhetorical shift, but that this is a shift with meaning. We deal with terrorists differently than we deal with criminals.”

From Quiet Waters to Strategic Theater

For decades, the Caribbean was viewed in Washington as a quiet, if troubled, backyard, important for migration and commerce, but hardly central to global competition. That calculation has changed. Today, the region is framed as a frontline of American power, where the U.S. confronts a convergence of transnational threats — from drug trafficking and irregular migration to external influence from China, Russia, and Iran — that unfold just off its own shores.

Michael Shifter, adjunct professor at Georgetown University and former president of the Inter-American Dialogue, tells The Cipher Brief that the strikes “will have a critical impact on the Caribbean security situation.”

“For the first time since the Panama invasion in 1989, the U.S. has carried out combat operations against assets allegedly connected to a Latin American government,” he noted. “That the strikes were conducted without regard to international law has unnerved other regional governments and made them wonder if they might be the next target.”

For much of the post-Cold War era, the Caribbean was not a primary theater for U.S. grand strategy. Policymakers often focused on the Middle East, Asia, and Europe, leaving the islands and waterways between Florida and South America to languish in relative neglect. The U.S. presence was episodic and reactive — providing disaster relief after hurricanes, conducting occasional counternarcotics patrols, and offering modest development aid.

But adversaries were not idle. China deepened infrastructure investments, secured port access, and trained regional military officers in its academies. Russia provided defense diplomacy, intelligence cooperation, and symbolic shows of force. Iran, though less prominent, found opportunity through Venezuela and proxy networks. These activities chipped away at U.S. primacy, testing whether Washington’s absence created a strategic vacuum.

“The presence of the expanded array of U.S. surveillance assets, cruisers, destroyers, amphibious ships, F-35 fighters, and other forces, in conjunction with the demonstrated use of force and reported planning for strikes inside Venezuela, are visibly driving panicked reactions by the Maduro regime,” Evan Ellis, research professor of Latin American studies at the U.S. Army War College Strategic Studies Institute, tells The Cipher Brief. “This demonstrates that the U.S. is willing to go beyond traditional law enforcement interception protocols to use lethal force against suspected drug boats.”

A Renewed U.S. Deterrent Strategy

The Trump administration has reframed narcotics networks as “narco terrorists,” a label that blurs the line between law enforcement and national defense. This allows for military strikes against what once would have been considered criminal targets. The Venezuelan boat destroyed on September 2 is the most vivid example yet, and it sparked immediate backlash from governments in Caracas, Bogotá, and across the Caribbean.

Venezuela condemned the strike as a violation of sovereignty, with Nicolás Maduro mobilizing civilian militias and promising to defend territorial waters. Colombia’s President Gustavo Petro went further, calling for international investigations into U.S. officials for what he termed unlawful killings. Fishermen in Trinidad and Tobago expressed concern about being caught in the crossfire, as expanded naval patrols threatened their livelihoods and heightened the risks to civilian vessels.

From Washington’s perspective, these costs are tolerable compared to the benefits of deterrence. Deploying advanced assets — such as F-35 fighters to Puerto Rico — signals that the U.S. views the region as strategically vital. The administration is also seeking to highlight the deterrent value of its strikes, suggesting they could disrupt smuggling operations and complicate adversaries’ strategic planning.

Still, questions loom about legality and proportionality.

“Unilateral U.S. military operations in Latin America have a long and often unhappy history,” Shifter said. “They remain extremely sensitive and touch a nerve in the region.”

Need a daily dose of reality on national and global security issues? Subscriber to The Cipher Brief’s Nightcap newsletter, delivering expert insights on today’s events – right to your inbox. Sign up for free today.

The Policy Evolution: From Reactive to Strategic

The idea of a sustained U.S. Caribbean policy, however, is not new. The 2020 U.S. Strategy for Engagement in the Caribbean outlined plans for expanded diplomacy, development, and security cooperation. Yet progress was limited by competing priorities and budget shortfalls.

What has changed in 2025 is the scale and framing of U.S. involvement. Rather than treating the Caribbean as an ancillary focus of counternarcotics or disaster relief, the Trump administration now casts it as a frontline of national defense. The deployment of warships and high-tech aircraft, the aggressive legal redefinition of cartels, and the diplomatic outreach led by Secretary of State Marco Rubio all point to an institutional pivot.

Congress is also being drawn into the mix. The reintroduced Caribbean Basin Security Initiative Authorization Act would allocate $88 million annually through 2029 for security cooperation. The measure reflects recognition that sustained resources, not episodic funding, are necessary to compete with external powers.

Risks, Imperatives, and What Comes Next

The road ahead carries both promise and peril. On the opportunity side, elevating the Caribbean to a strategic priority acknowledges geographic fact: the region sits on America’s doorstep, with busy sea lanes and chokepoints that have often been overlooked in U.S. defense planning. A credible deterrent posture, paired with investments in governance and development, could help steady fragile environments and blunt the appeal of rival powers.

Yet the risks of escalation are considerable. Misidentifying a civilian vessel, overreaching in the use of force, or neglecting consultation with regional partners could provoke backlash that undermines U.S. legitimacy.

“It is doubtful that the U.S. strikes will be effective in stopping the flow of narcotics,” Shifter cautioned. “Traffickers will adapt, alter their routes and try to minimize risks. Retaliation by criminal groups cannot be ruled out.”

Ellis warned of another danger: the aftermath of regime change in Venezuela.

“The biggest risks of such an operation would be whether Maduro could be captured alive. The other risk is that, in the absence of a more enduring U.S. force, the legitimate government of Edmundo González would not be able to establish order and control over the military,” he pointed out. “A post-Maduro Venezuela could degenerate into a free-for-all between criminal factions, guerrilla groups, sindicatos, and pranes — with Cuban and Russian elements fueling instability.”

Berg, by contrast, argued that regional cooperation has been robust.

“What has been great to see is the regional support for the United States’ deployment. Jamaica, Trinidad and Tobago, and Guyana have been vocally supportive,” he said. “The Dominican Republic, Ecuador, Peru, Paraguay, and Argentina have all declared the Tren de Aragua to be a foreign terrorist organization in the last month. Countries in the region appear open to a different approach, and some are even synchronizing their approaches with the United States on counternarcotics.”

The strike that killed 11 people was both a tactical hit on a trafficking network and a symbolic declaration of intent. What follows will decide whether this marks the start of a durable doctrine — or an overreach that produces more instability than it resolves.

“More consistent presence in the region will be key to ensuring that the United States can secure its interests,” Berg added.

Are you Subscribed to The Cipher Brief’s Digital Channel on YouTube? There is no better place to get clear perspectives from deeply experienced national security experts.

Read more expert-driven national security insights, perspective and analysis in The Cipher Brief

because National Security is Everyone’s Business.