US Congress Directs Pentagon to Explore Cost Imposition on State-Backed Hackers
The US House of Representatives has passed a fiscal year 2026 defense bill that includes a provision directing the Pentagon to develop options for imposing costs on government-backed hackers who target defense-critical infrastructure in cyberspace. Section 1543 of the bill requires the Under Secretary of Defense for Policy and the Chairman of the Joint Chiefs of Staff to study how military capabilities can increase adversary costs and reduce incentives to attack.
The study must evaluate offensive cyber operations individually and in combination with non-cyber measures, and develop methods for selectively disclosing or concealing capabilities. The Pentagon’s mission is to assess adversary capabilities and intentions, identify targets where cost imposition would have an impact, prioritize targets, inventory relevant Department of Defense capabilities and investments, and collaborate with other agencies, allies, industry, and academia.
Pentagon’s Exploration of Bitcoin’s Military Power
Although the policy does not explicitly mention Bitcoin, it formalizes a cost imposition framework that is consistent with Jason Lowery’s SoftWar thesis, which portrays proof-of-work as a performance projection system in cyberspace. The document avoids explicitly naming Bitcoin, opting instead for broader language about “proof-of-work” and cost imposition in cyberspace.
This omission may be intentional, as vagueness in the terminology would limit outsiders’ inferences about capabilities, goals, or operational intentions. The caution also fits with Lowery’s own story, as he has previously deleted posts and retracted public framing, and SoftWar itself underwent an official security review last October.
Cybersecurity Agencies Link BRICKSTORM Backdoor to VMware Compromise
According to Reuters, US and Canadian authorities warned that PRC-affiliated operators were using a custom Go-based BRICKSTORM backdoor against VMware vSphere, vCenter, and ESXi to create persistent access for lateral movement and potential sabotage. The War Department’s malware analysis and CISA report suggest the craft is consistent with pre-positioning that could be activated for disruption.
Section 1543 aims to develop options for imposing costs on this behavior, including options that combine offensive cyber operations with non-cyber tools. SoftWar’s lens transforms legal language into system design decisions, and if the goal is to increase the attacker’s operational cost, a right-sized adaptive proof-of-work becomes a possible control at high-risk interfaces.
Implementing Cost Imposition Framework
The study must examine legal and policy authorities for tailored response options, including measures against pre-positioning in critical networks. The amendment defines the imposition of costs as actions that have sufficient economic, diplomatic, informational, or military consequences to change the behavior of the adversary.
Section 1545 requires the Mission Assurance Coordination Board to report annually on cyber risks and mitigations in defense-critical infrastructure, creating an oversight channel where cost imposition would be most severe. Section 1093 critical infrastructure tabletop exercises address energy, water, traffic control, and incident response, the civilian dependencies that underpin defense missions.
Tracking Progress and Metrics
For practitioners, Section 1543 creates a near-term modeling agenda that combines teaching and engineering. One approach is to quantify the attacker’s cost per action across authentication, management, and service endpoints when applying adaptive proof-of-work.
Another is to measure the half-life of adversary persistence following public burnings and synchronized sanctions or export controls, using dwell time windows as a proxy for increased operational costs. A third is to track the doctrine’s traction by counting official uses of “impose costs” or “cost imposition” in Defense Department and CISA findings once the study is underway.
| Metric | What it captures | Where to apply | SoftWar connection |
|---|---|---|---|
| Attacker cost per 1,000 blocked actions | Additional costs for performing login/API/admin actions as part of a proof of work | Remote administration, password resets, bulk API, anomalous RPC | Price abuse, so that automation loses cost advantages |
| Persistence half-life after public burning | Time from consultation to clearance and conversion | Virtualization control planes, identity providers, OT gateways | Measures the capital and time costs imposed on the opponent |
| Political Traction Index | Frequency of costs imposition language in official editions | DoD, CISA, ONCD emissions and pilot projects | Signals the institutional adoption of the cost design |
Conclusion and Future Directions
The most common point of criticism against Proof-of-Work is the energy consumption. However, the systems considered here are not global puzzles distributed across every endpoint. The design space consists of right-sizing and adjusting proof-of-work at critical bottlenecks where a negative attacker ROI results in outsized defensive advantages.
A pilot project that applies dynamic proof-of-work stamps to high-risk actions in defense-critical infrastructure dependencies would test economical DDoS defense and abuse-resistant management. Any movement may be tracked using the above metrics and reported via the MACB channel specified in Section 1545.
For more information, visit https://cryptoslate.com/has-congress-quietly-forced-the-department-of-war-to-use-bitcoin-to-bankrupt-chinese-hackers/
