Published by The Lawfare Institute
in Cooperation With
The term “cost imposition” is deeply ingrained in U.S. nuclear and conventional strategic theory and in policy discussions of strategy. As we discuss it here, the notion refers to efforts to achieve security that influence the actions adversaries might take by threatening to or actually imposing costs on them. This term is central to the conceptualization and application of coercive strategies intending to produce security by influencing the strategic decision calculus of an opponent during times of crisis and armed conflict, and the threat—or actual imposition—of costs has become the principal causal mechanism to deter or compel behavior to achieve U.S. strategic ends. Given its centrality in U.S. strategic practice and discourse, it is not surprising that policymakers default to the concept of cost imposition when discussing approaches to the cyber strategic environment. We argue, however, that policymakers should use the term cautiously, if at all.
Cost imposition is integral to strategies of coercion, yet recent cyber strategic guidance concludes that those strategies have failed to secure U.S. national interests in a reemergent, great-power cyber strategic competition short of armed conflict. Within the operational reality of cyber strategic competition, the focus on traditional cost imposition leads to confusion within the U.S. government and between its allies and partners. To reduce or eliminate this confusion, we propose that cost imposition should be reconceptualized to align with the realities of cyber strategic competition. Although the threat or actual imposition of costs is the key causal mechanism of coercion strategies in the cyber strategic space of armed conflict, in the cyber competitive space short of armed conflict, cost imposition is best understood as an effect resulting from the causal mechanism associated directly with a strategy of persistent engagement.
Scoping the “Traditional” Conception
The phrase “impose costs” has its roots in coercion theory and strategies applied to crises and armed conflict. The success of coercive strategies in producing security is premised on threatening or imposing costs on adversaries with the principal objective of influencing their strategic calculus to attack or cease attacking (deterrence and compellence, respectfully). We’ve argued that coercion theory and strategies align well with the cyber strategic space of crises and armed conflict—an argument supported by the empirical record and noted in U.S. strategic guidance. Therefore, we also argue that a conception of imposing costs in and through this cyber strategic space should be consistent with how it has been traditionally conceived for those instances. That is, in the context of crisis management and war, cost imposition is the central causal mechanism through which to influence an adversary’s strategic decision calculus to not attack or to cease attacking.
We’ve also argued, however, that coercion theory and associated strategies are not well aligned with the cyber strategic competitive space short of armed conflict, a perspective also supported by the empirical record and U.S. strategic guidance. Others have made related arguments noting that cyber operations to date have not been primarily coercive in intent nor action. If coercion is not the dominant dynamic in cyber strategic competition, policymakers and researchers should question continuing to cite the central causal mechanism of coercion (cost imposition) in discussions of security strategy for the competitive space. To advance greater clarity in strategic thought in the field, cost imposition should be uncoupled from coercion theory and reconceptualized to align with the realities of cyber operations and campaigns short of armed conflict.
Reconceptualizing Cost Imposition in Cyber Strategic Competition
As noted, theories and strategies of coercion focus on the goal of influencing the strategic decision calculus of opponents by signaling to them the consequences of proceeding. Strategic approaches of deterrence and compellence embrace cost imposition as the central mechanism for influencing that decision calculus. The fundamental problem with applying this conceptualization of cost imposition to the cyber strategic environment is both structural and strategic. First, cyberspace's core structural feature of interconnectedness—and the resulting condition of constant contact—combines with the nature of the technology itself to produce a structural imperative to act persistently—states do not have a choice but to act if they want to secure their national interests in, through and from cyberspace. Ceding the initiative to act (i.e., operational restraint) ensures that one is always playing catch-up. Second, a strategic incentive also exists for states to act persistently short of armed conflict because strategic gains can be realized through operations and campaigns that minimize the risk—and justification—of armed attack responses. Together, the structural imperative and strategic incentive lead to a critical prescriptive and planning assumption: In, through and from cyberspace, adversaries will act persistently short of armed conflict.
Thus, the planning assumption intended to produce security in crises and warfighting—that an adversary’s strategic decision calculus to act can be influenced through threats of, or actual, cost imposition—is precluded where there is both a structural imperative and a strategic incentive to act persistently. Consequently, cost imposition as conceptualized in coercion theory and practice provides us with little analytic or prescriptive purchase in the cyber competitive space.
We argue that “cost imposition” should, instead, be understood in the competitive space as an effect of the strategy of persistent engagement’s causal mechanism (i.e., seizing the initiative in setting the conditions for security—and insecurity—in the cyber strategic environment). Specifically, cost imposition effects derive from the continuous activities, operations and campaigns composing a strategy of persistent engagement that aim to set the conditions for security in the United States’s favor by exploiting adversary cyberspace vulnerabilities and reducing the potential for exploitation of its own. Cost imposition effects resulting from this continuous, conditions-setting effort manifest as constraints on adversary cyber behavior across the dimensions of how, when, for what duration, against what national interests and toward what gains they are directed. Therefore, cost imposition should be understood as a result or consequence of a persistent engagement strategy. Persistent engagement proponents often speak of reducing adversaries’ confidence in their cyber capabilities; causing friction in adversaries’ political, military or intelligence organizations; and shifting adversary focus and efforts to the defense in cyberspace. These are examples of cost imposition effects that may result from an adversary’s realization that security conditions have shifted. Not all persistent engagement activities, operations and campaigns will result in cost imposition effects. When such efforts shift conditions without an adversary’s awareness, for example, the result is better understood as an effect of benefit gained by the United States, rather than an effect of costs imposed on the opponent.
Distinct from coercion theory, cost imposition in cyber competition is a derived effect of persistent engagement’s causal mechanism—not the mechanism itself—because security is produced not by prospective threats to impose costs but rather through seizing the initiative in exploiting cyberspace’s underlying condition of vulnerability with the aim of changing the reality on the “ground” in ways that favor U.S. security. The three operational concepts of a strategy of persistent engagement—anticipatory resilience, defend forward and contest—serve this very purpose. To wit, U.S. Cyber Command’s 2018 Command Vision describes persistent engagement as operating globally and continuously—shaping the battlespace to create operational advantage for the U.S. while denying the same to its adversaries. More recently, Gen. Paul Nakasone, commander of Cyber Command, argued that the operational purpose of the “defend forward” concept is “to limit the cyber terrain over which the enemy can gain influence or control.”
An intentionally visible manifestation of this approach is Cyber Command’s practice of uploading malware samples to the VirusTotal website that are discovered through persistent engagement’s routine operations and campaigns. Cyber Command describes this activity as “an enduring and ongoing information sharing effort, and it is not focused on any particular adversary.” Stated differently, it is a continuous activity (initiative-seeking) centered on shifting the condition of security through simultaneously enabling the cyber community to improve defenses, while undermining the effectiveness of malware likely populating cyber arsenals across the globe. Information security company threat analysts have noted that although such global uploads may not immediately render the malware totally ineffective, “it is likely to at least cause the attacker to adapt.” This observation is illustrative of the ways adversaries can respond to cost imposition effects derived from changing the conditions of security in cyberspace. In this example, an attacker seeking to regain initiative and set new conditions must devote additional energy and resources toward developing a new malware variant. The broader point of this example is that security is produced by taking the initiative in changing the conditions of security through global sharing, which blunts or mitigates the effects of known malware, not through seeking to change the strategic decision calculus of the attacker. This practice by Cyber Command—uniquely supported by a strategic approach of persistent engagement—relates, through a shared objective of remediation and mitigation, to earlier and ongoing efforts by various coalitions of nonprofits, the public sector, private industry, academia and law enforcement agencies including, for example, the DNS Changer Working Group and the Conficker Working Group. Taken together, these efforts represent a step toward a “Whole of Nation+” approach to cybersecurity that leverages the unique capabilities of a diverse set of actors. Critically, all this activity has to be seen through a persistent engagement lens— not as reactive patching, but institutionalizing pathways through which anticipatory resilience can be achieved.
Based on open source reporting, Cyber Command’s effort to defend the 2018 U.S. midterm elections can be understood similarly. Reportedly, Cyber Command took an initiative to exploit vulnerabilities in the cyber infrastructure of the Internet Research Agency (IRA) in Russia. This campaign changed the conditions of security in favor of the United States in this space, resulting in an initial effect of a benefit gained. The United States could have opted to covertly persist in this infrastructure, in a limited intelligence gain posture, to learn about IRA capabilities or intentions and feed that information back to improve U.S. cyber defenses (and perhaps it did so for a period). Instead, it chose to make its presence known. When Russia became aware of a change in security conditions, cost imposition effects created organizational friction within the IRA, and Russia shifted focus and efforts toward defense, both of which served a U.S. objective of taking Russia’s focus off of cyber-enabled information operations directed at U.S. elections. Once aware of a U.S. presence, IRA operators likely and hastily sought to reexamine security practices, discern where else the United States might be in IRA infrastructure, and determine what information or capabilities the United States might have ascertained or exfiltrated by leveraging its exploitation. As in the previous example, the broader point is that security was produced through following persistent engagement’s prescription to seize the initiative in setting the conditions of security—here through exploiting vulnerabilities—and not through seeking to change the strategic decision calculus of the attacker. This was not a traditional coercive signaling moment. Rather, any IRA plans to launch cyber-enabled disinformation were thrown off balance as Cyber Command captured the initiative in setting security conditions. Cost imposition effects against Russia derived from this initiative should be understood for what they were—a result or consequence of seizing the initiative away from Russia in setting those conditions.
Managing Expectations and Measuring Effectiveness
How does this reconceptualization have analytic utility? Coercion strategies and their central causal mechanism of cost imposition focus policymakers and analysts alike on identifying thresholds, ensuring effective signaling and assessing the effect on the strategic decision calculus of an adversary. If coercive strategies are not aligned with the cyber competitive space, as U.S. strategic guidance and scholars have argued, adopting the same foci in that space will lead to misaligned efforts, unrealistic expectations and illogical measures of effectiveness. Regarding the latter, a core challenge of measuring the effectiveness of coercion strategies in the conventional strategic environment has been cited by many—namely, a dearth of empirical data on an adversary’s intentions. Assessing the effectiveness of a persistent engagement strategy brings different challenges but—interestingly—challenges that may be overcome due to an abundance of empirical data. This abundance is an empirical consequence of accepting the planning assumption that states will act persistently in, through and from cyberspace short of armed conflict. The challenge, then, becomes synthesizing numerous sources of threat data gathered by both the private sector and the government, to measure, for example:
- Whether an adversary’s presence on U.S. critical infrastructure is fleeting or enduring, but not if adversaries have been coerced away from having a presence at all.
- Whether adversaries are constrained or not in the set of U.S. national interests they can engage in, through and from cyberspace, but not if adversaries have been coerced against targeting any interests at all.
- Whether the effects adversaries generate in, through and from cyberspace are inconsequential rather than being independently or cumulatively strategic, but not if adversaries are coerced to not generate any effects at all.
This latter measure, whether cyber campaigns cumulatively produce a shift in the relative balance of national sources of power, is a key strategic focus of a persistent engagement strategy. To be sure, these examples represent a different mindset than expectations associated with the “traditional” conception of cost imposition, but it is one far more tightly aligned with realities of the cyber strategic competitive space and the strategic approach of persistent engagement and, therefore, should be seen as an advancement in our understanding of cyberspace strategic competition.
If the U.S. is able to shift the balance of initiative in its favor in setting the security conditions under which the cyber strategic competition is played, adversaries will find themselves primarily playing catch-up and will have to take into account—or anticipate—U.S. efforts. This is not because the United States will have imposed or threatened to impose costs in the “traditional” sense—rather, cost imposition effects on adversaries would derive from U.S. efforts to set the conditions of security in cyberspace.
Thomas Kuhn argued that when there is a paradigm shift in a scientific discipline, scientists see familiar objects in a different light and come to understand unfamiliar ones as well. This can take some time, however, so consensus on a new paradigm tends not to be achieved quickly or broadly. We’ve argued elsewhere that the advent of the cyber strategic environment necessitates a cyber strategy paradigm shift to account for new strategic realities—specifically, away from deterrence to persistent engagement in the cyber competitive space short of armed conflict. Consistent with Kuhn’s arguments, we also recommend the term “cost imposition” be seen not as a causal mechanism for coercion strategies but as an effect derived from the causal mechanism of a strategy of persistent engagement. We think this reconceptualization postures the notion of cost imposition to be more relevant in strategic discussions of this space; reduces the potential for policymaker and warfighter misunderstandings—better aligning expectations; and, hopefully, hastens the advancement of strategic thought and consensus.