I have heard, seen, and had to correct enough misconceptions about "impose cost" that it warranted a quick blog.
Misconception 1: Raising cost is synonymous with imposing cost.
An easy way to think about "impose cost" versus "raising cost" is that "imposing cost" does "raise cost" but "raising cost" does not inherently mean "imposing cost." This is because "imposing cost" is coercive and/or punitive in nature. Putting your cookie jar in a higher spot in the house may raise costs for your kid to steal cookies from it. Taking away your child's video game after you catch them eating your cookies is imposing cost.
Actions you take to harden your environment raise costs for adversaries; they do not impose cost on adversaries. Arresting and imprisoning an adversary is an example of imposing cost. Seizing or destroying an adversary's resources are examples of imposing cost.
A very similar phrase and concept used by law enforcement is "impose risk and consequences."
Misconception 2: Costs are inherently monetary.
As in life and business, costs are not limited to quantifiable currency. While increasing costs or imposing costs can pertain to money, they are not limited to money, and they should not be discussed as if they are. Especially in the context of "raising costs," the cost is usually the level of effort of humans. Sweat equity. Cognitive load. "Cost" in cost imposition is not exactly synonymous with "consequence," but it is certainly closer to that than to a strictly monetary framing.
Misconception 3: Cost imposition requires complete and immediate depletion of adversary resources to be effective.
While cost imposition often targets the resources of adversaries for reduction or elimination, it need not result in immediate and complete attrition to be effective. In the short term, cost imposition may slow an adversary's operational tempo, which creates time and space for other efforts to proceed, whether those be national diplomatic efforts, or organizational hardening. Forcing adversaries to spend resources reacting instead of enjoying complete freedom to act is inherently valuable.
Adversaries have finite resources; however, the asymmetries of offensive cyberspace operations can leave defenders feeling like there is no way to completely deplete the adversary's ability to develop and deploy offensive tools and infrastructure. Cost imposition need not solely deplete the raw technical capabilities of an adversary to break their will.
Misconception 4: Cyber problems should mean cyber solutions.
Actions in cyberspace have consequences in meatspace; actions in meatspace have consequences in cyberspace. I believe these are truths. Likewise, the range of options to counteract adversaries who act in cyberspace is not limited to actions taken in or through cyberspace. When people discuss what to do about malicious cyberspace activity, they should not be limiting the range of options to those which can be performed in or through cyberspace. Arbitrarily limiting the range of options to those that can be actioned in cyberspace is a failure to understand the problem, and a failure of the imagination.
Misconception 5: Actions taken in cyberspace cannot be deterred.
When you are discussing deterrence, it is important to be specific about exactly what actions taken by what actors you are attempting to deter. Deterring all malignant cyber activity is a lofty goal, but it lacks the specificity to be practical.
You do not "deter cyber." You deter a person or group of people from performing a specific action by creating risk the target finds unacceptable. In many cases when dealing with actors who perform malignant activities in cyberspace, there is no perception of unacceptable risk. Thus, adversaries are not deterred.
The nuance is what it takes to create unacceptable risk for adversaries. We are limited by the actions we are willing and able to perform in order to create the conditions of unacceptable risk. Our limits include our ethical, legal, and moral systems but also include our own capabilities and tolerance for risk. To achieve credible deterrence, we should have:
1. Specific act we are trying to deter.
2. Specific actors we are trying to deter.
3. Specific consequences that are unacceptable for the adversary, but are also
4. Consequences we are both willing and able to impose.
One through three are actually not that challenging to work out. The fourth criterion is where most of the hangups happen. It is unnecessary to get into specifics within this blog, but whether for ethical, moral, or legal reasons, or because of our own capabilities or our own tolerance for risk, we have not created unacceptable risk for adversaries across the spectrum of operations. For example, the United States does not deter cyberattacks by criminals (ransomware) against hospitals and critical infrastructure originating from the borders of states such as the Russian Federation.
Misconception 6: Cost imposition must be first party against the hackers themselves.
Adversaries do not exist in a vacuum. The world is a network of networks, and not just computer networks. The United States may choose not to directly impose cost on an adversary and instead use other instruments to inspire others to act whether wittingly or unwittingly in the interests of the United States. This can range from suit and tie diplomacy to more controversial covert action and anything in between.
Misconception 7: Cost imposition is the whole strategy and supplants other security efforts.
One of the most egregious non-counterpoint counterpoints people make when diminishing "impose cost" is the idea that it is offered as a replacement that promises to eliminate the need for entities to engage in timeless security practices, summarized as "hardening." As examples of hardening, think of any non-adversary-centric security efforts such as improving software quality, patching, network segmentation, multi-factor authentication, detection, etc. This warrants a stern response in that we should expect security and intelligence professionals to be mature enough to avoid silver bullet thinking.
It is a false choice to suggest an "either or" scenario; it's clearly an "and and what else" scenario. The entities most commonly associated with executing cost imposition aren't going to come properly configure your firewall for you. You still need to do that. That should go without saying.