Cost Imposition Is the Point: Understanding U.S. Cyber Operations and the Strategy Behind Achieving Effects
The muddled discourse about cybersecurity continues to limit the ability of practitioners and scholars to have a constructive discussion about the core elements of strategy.
Published by The Lawfare Institute
in Cooperation With
Editor's note: This article is part of a series of short articles by analysts involved in the Cyberspace Solarium Commission, among others, highlighting and commenting upon aspects of the commission's findings and conclusion.
The muddled discourse about cybersecurity in Washington, D.C., and in policy communities continues to limit the ability of practitioners and scholars to have a constructive discussion about the core elements of strategy. Too many make grand pronouncements about how things should work with little attention to evidence, methodologies, evaluations of assumptions, or examinations of outcomes. There is a strong disconnect between how our theories work in the real world and how some observers think we construct a strategic paradigm. The Cyberspace Solarium Commission intends to push the conversation forward by designing a strategy for national security that works, can be implemented and is based on accurate assumptions.
Cost imposition is at the core of the commission’s report. The phrase “impose costs” is used 27 times in the report. Any strategy must have means and an end, and the layered cyber deterrence strategy the commission is advocating seeks to impose costs on our adversaries through military and normative means to achieve an end: stability, especially below the threshold of armed conflict. Associated with this, the report also supports a declaratory policy to signal to the opposition what moves are not allowed and what operations are being conducted to counter operations before they disrupt the lives of Americans.
Imposing costs depends on marshaling capabilities and capacity to meet the objective. To that end, a critical part of the cost-imposition strategy entails a reorganization of domestic government structures, a reevaluation of the Cyber Mission Force (CMF) and a realignment of our normative strategy to shape adversary operations.
As the report clearly states, “[T]his strategy must combine non-military instruments of power with defensive mechanisms to secure critical infrastructure—backed by a credible capability and capacity to impose costs through cyber and non-cyber military operations at a time and place of the nation’s choosing—both to shape competition beneath the level of armed conflict and to win in armed conflict.” The imposition of costs is at the core of a revitalized national strategy for cyberspace.
The challenge is how to evaluate the effectiveness of operations. It is incumbent on the Department of Defense and others operating in cyberspace to conduct cyber posture reviews that not only detail the strength and needs of the CMF but also evaluate past operations and delineate their successes and failures. Having an external coordinator for cybersecurity located within the National Security Council is critical to control the process and to ensure that the definition of success is not set solely by the organization launching operations. There must be an independent and clear assessment of operations.
There is little clarity about how the United States will impose costs. Some observers think the imposition of costs is a causal mechanism that is an outcome of operations. As Fischerkeller and Harknett note, “[C]ost imposition is best understood as an effect resulting from the causal mechanism associated directly with a strategy of persistent engagement.”
Instead, the Cyber Solarium Commission makes it clear that cost imposition is really a process of convincing the opposition that there will be more costs than benefits to their operations. It is a means to achieve an end, not an end in itself. Cost imposition is at the core of cyber strategy, an element often missed in prior strategy discussions.
Persistent engagement as a strategy is to be discarded and replaced with the defend forward concept that is but one element of layered cyber deterrence. As defined by Erica Borghard for the Cyberspace Solarium Commission, defend forward “entails the proactive observing, pursuing, and countering of adversary operations and imposing costs in day-to-day competition to disrupt and defeat ongoing malicious adversary cyber campaigns, deter future campaigns, and reinforce favorable international norms of behavior, using all instruments of national power.”
Persistent engagement fails to meet the needs of the United States because it lacks a clear view of how to impose costs, fails to integrate a defensive layer in the conception of operations, and is not cognizant of the importance of entanglement strategies. More critically, persistent engagement assumes that cyber operations are persistent and ongoing when, in reality, operations occur in cycles according to diplomatic and military crises. Our task is not persistent, and neither is our enemy. The goal is to impose costs, when needed, to achieve a desired end.
The causal mechanisms that can make the imposition of costs effective are credibility, capability and the perceptions of the opposition as they witness operations launched against their operations. There needs to be a clear strategy about how the opposition will receive and perceive operations. This is almost more important than the operation itself. Shaping the discourse around an operation is a critical element of success and is not just an outgrowth of constant operations. Imposing costs is more than a byproduct of a process. It is a process to be carefully managed to achieve effective ends.
Cost imposition is how you coerce the opposition. The goal is either to compel the enemy to change behaviors or to stop them dead in their tracks by deterring operations in the future. Cost imposition is a critical element of our national strategy and not simply an artifact of a process—it is the process.