What do you think?
Rate this book
Cyber Mercenaries: The State, Hackers, and Power
Cyber Mercenaries explores the secretive relationships between states and hackers. As cyberspace has emerged as the new frontier for geopolitics, states have become entrepreneurial in their sponsorship, deployment, and exploitation of hackers as proxies to project power. Such modern-day mercenaries and privateers can impose significant harm undermining global security, stability, and human rights. These state-hacker relationships therefore raise important questions about the control, authority, and use of offensive cyber capabilities. While different countries pursue different models for their proxy relationships, they face the common challenge of balancing the benefits of these relationships with their costs and the potential risks of escalation. This book examines case studies in the United States, Iran, Syria, Russia, and China for the purpose of establishing a framework to better understand and manage the impact and risks of cyber proxies on global politics.
266 pages, Paperback
Published January 18, 2018
29 people are currently reading
335 people want to read
About the author
Tim Maurer
1 book4 followersTim Maurer is Co-director of the Cyber Policy Initiative at the Carnegie Endowment for International Peace. Since 2010, his work has focused on international affairs in the digital age, namely cybersecurity, Internet governance, and human rights online. His previous professional experience includes working with refugees and in humanitarian aid in Rwanda, Paris, Geneva, and New York. He holds a Master's in Public Policy from the Harvard Kennedy School.
More details are available at: www.maurertim.com
More details are available at: www.maurertim.com
Ratings & Reviews
Friends & Following
Create a free account to discover what your friends think of this book!
Community Reviews
Displaying 1 - 7 of 7 reviews
March 12, 2020
3.8 Stars.
- political science book, rather dry in a good sense (less sensationalist etc)
- USA, Russia, China, Iran/Syria - proxy histories, case-studies
- conceptual framework, diagrams, 2 maps and a few tables
Some quotes:
- Methodology: "Data on proxy actors, in particular, is very limited. […] inductive approach. Closely examining a small number of cases […] Sources included primary and secondary literature […]. The literature-based research was complemented by semi-structured interviews with experts, including hackers […]; government officials in defense, intelligence and Law enforcement communities; employees at cyber threat intelligence companies; and defense contractors, security researchers and computer emergency response officials." (35)
- "It is important to highlight that the definition of cyber proxies used in this book considers unauthorized access a necessary element of an offensive action (apart from a DDoS attack). It therefore excludes actors carrying out information operations that do not include unauthorized access, such as the trolls in St. Petersburg" (67)
- state/state proxy relationships, state/non-state, non-state/state, non-state/non-state relationship (industry-hired hackers vs piracy-sites (35 or 145)); "most relevant in international affairs today is the state/non-state proxy relationship. This […] is the focus of this book." (32 f.)
- "reports about government-supported hackers targeting dissidents [domestically] predated reports about such proxies hitting targets abroad. […] typologies of proxies based on motivation quickly face limitations […]. The same is true for typologies of proxies based on whether their targets are perceived as internal or external threats."(151 f.)
- "There is obviously a spectrum between »acting in the interest of« and »acting on behalf of«" (124)
- "cyber operations are low-cost. […] the Internet is contributing to a diffusion of power from state to non-state actors […], cyber power itself was diffuse from the start." (151)
- "three main types of proxy relationships: (1) delegation, (2) orchestration, and (3) sanctioning (approving or permitting [passive support as opposed to principal and agent]). […] Any state may pursue any of these three relationships or 'mix' them; nonetheless states systematically tend to favor one approach…" (152)
- all countries "have an interest in balancing the benefits of proxy relationships with the cost and increased risk of escalation. In addition, democratic states must ensure proxy relationships are subject to their accountability mechanisms and system of checks and balances."(153)
- terms "cyber-security" (US gov) versus "information security" (Russia, China with focus on content / censorship of 'propaganda' because Soviet Union would have lost due to 'imperialist infowar' (58) not NATO conventional forces) (54 ff.); extraterritorial censorship (Great Cannon DDoS attack on GitHub (63))
- "Ukrainians were much more concerned over the long-term strategic effects of such [Russian confuse/desinform/subvert information] operations than they were about the potential effects of a cyber attack against critical infrastructure" (61), such as the power outage in western Ukraine or the loss of technical capacity to provide connection between the peninsula and the rest of the Ukraine (98)
- yet, "From an international law perspective, information operations, including those targeting civilian populations, are not prohibited as long as the activities do not incite crimes" (66)
- from "computer network operations" to "cyber effects operations" (55)
Some quotes on aspects that I have focused more on:
- Volunteerism
- Private market
- How proxies are controlled
1. VOLUNTEERISM:
- "The 1998 events [anti-China protests in Indonesia] reveal the strong, even foundational role of patriotism in China's hacktivist groups, an attitude that stands in stark contrast to many Western hackers' shared ideology of opposition to governments." (109)
- the Chinese "patriotic hackers were so patriotic that they wanted to help the government improve its cybersecurity. When the government turned down their offer to help, they grew frustrated and started defacing websites of the Chinese government itself to raise more awareness of the existing vulnerabilities" (110); The government tries "keeping those actor's patriotism in check and subsequently frustrated proxies might turn against the government rather than focusing their energy externally." (119)
- "…wave of volunteerism that emerged among the population in Ukraine once the conflict escalated across all sectors. Yet, the interviewees also remarked that the government lacked the capacity to effectively absorb these additional resources - it was unable to mobilize them and amplify the state's power" (41);
"in addition to lacking an overal strategy to mobilize these additional capabilities and provide active support, the Ukrainian government has also been inconsistent in its stance towards passive support" (99):
"Head of the Ukrainian Interior Ministry […] offered facilities and staffing assistence. [Elsewhere] hackers shared hacked data with Ukraine's Security Service, [and] »criminal proceedings were instituted […] and some arrests were made«"(99)
- other than DDoS, leaks and web defacements by nationalist Ukrainian hacker groups: "It is notable that the [Ukraine] conflict does not appear to have politicized and mobilized the most sophisticated non-state actors with cyber capabilities - the cybercriminals - to change their profit-driven behavior to more politically driven action to any significant degree. […] For its part, the Ukrainian government has not had the capacity and strategy in place to mobilize the capabilities provided by volunteers. One explanation for the Ukrainian government's limited ability to mobilize non-state actors is the general poor state of the military."(100)
- "…people deciding to join a DDoS attack voluntarily (as in the case of the German and British hackers who lent their support to the Ukrainian Cyber Forces in 2015)" (134)
- patriotic criminals (102 f.)
- "military and civilian [cyber] attacks are hard to distinguish […] in peacetime, civilians hide the military" (108)
- "In 2001, when Chinese patriotic hacktivists were targeting the United States, the Chinese government eventually decided to intervene and stop the hacktivists' attack […] by using its official media outlets to publish statements […] that while they understood the hackers' »passion,« they discouraged the attacks" (147); "The US government does not condone so-called 'patriotic hacking' on its behalf" (147)
- "Hackers were used to target opponents of the [Iranian] regime" (82); pro-US hacker targeted Wikileaks, Anonymous, LulzSec, Ecuador (Edward Snowden), Syrian Electronic Army, Libya, Jihadis, … (17)
- "the report concluded, »[…] that a single individual is very capable of waging cyber war at a level we previously attributed only to intelligence agencies or crime syndicates«" (17)
- 1979, "group of Iranian students stormed the US embassy […] the Iranian students expressed a desire to be affiliated with their respective governments and to become their agents" (84)
- "Khamenei in a spech »urgend his country's students - whom he called »cyber war agents« - to prepare for battle... 'You are the cyber-war agents and such a war requires Amman-like insight and Malik Ashtar-like resistance. Get yourself ready for such war wholeheartedly.«" (81)
- "pro-Kremlin youth organizations, partly as counterbalance to potential popular uprisings" (59)
2. PRIVATE MARKET:
- "Even as firms shifted from [private] military to security services, the private market for security services grew dramatically, driven by the push for privatization, a general reconceptualization of the role and size of the state, increased economic incentives for outsourcing, and the specific political incentives to use contractors as overt or covert proxies. Demand from the intelligence community grew as well, and the 9/11 terrorist attacks provided an additional catalyst." (72)
- "explosion of small start-up companies in this field. […] Governments around the world are therefore not only working with large companies when it comes to cybersecurity but often also with [cleared] small boutique firms." (75); "…increasing number of US military and intelligence employees […] start their own companies" (80)
- "Singer's description of conventional private military and security companies offering services along the full length of the spear, with the exception of the deadly tip, appears to apply to private cybersecurity contractors as well." (77); eg, Endgame Inc. ids potential targets but doesn't conduct the attack (76)
- "the United States […] cannot wage war without the private military industry." (80)
- hackback-/take-down companies: "Bollywood movie companies hiring an Indian company to launch DDoS attacks on sites hosting pirated movies. […] DDoS-for-hire service from China against a South Korean competitor." (35)
- "the United Arab Emirates paid Hacking Team USD 634,500 for the use of its product [with some zero-days], with which they surveiled over 1,000 people." (79)
- "»SCADA systems are also 'hard to patch', so even old vulnerabilities are actual« (13)
- "the US government has explained at great length that it considers political espionage legitimate (while considering espionage for commerical competitive advantage illegitimate …" (56)
- "North Koreans earn foreign money by developing software in China and perform hacking activities to collect national industrial secrets at the same time." (132)
3. HOW PROXIES ARE CONTROLLED:
- "The three main instruments principals can use bilaterally to minimize the divergence of interest and behavior [»the agency problem«] are (1) screening and selection, (2) monitoring, and (3) punitive measures [financial penalties, exclude contractors from bidding, arrest]. In addition, principals may use multiple agents as an additional instrument, keeping agents weak by introducing competition" (44)
- "discrepancy between the state's projected capacity […] and its de facto capacity and power. […An] ineffective attempt at cracking down on the non-state actor could expose this discrepancy and prove a source of embarrassment." (47)
- "Iranian and Syrian governments are not merely tolerating and providing passive support to hackers operating out of their territories. They are aware of the hackers' activities and […] they are »fail[ing] altogether to take any 'apropriate steps' to protect [the hackers' targets] … or to persuade or to compel [the hackers] to withdraw«" (92)
- an "indication that the Russian government can effectively enforce the law if it so chooses is the fact that malware used by Russian and east European cybercriminals is often designed so that it »purposefully avoids infecting computers if the program detects the potential victim is a native resident.« […] When Russian hackers do target victims in Russia, Moscow's response is swift and harsh [but wouldn't care about frauds restricted to other parts of the world]" (95)
- "the Chinese government […] regularly reined in its hacktivists with public statements calling on them to stop their campaigns." (97)
- "In China these links between state and private are also blurred. […] Huawei and ZTE »aspire to be 'normal' companies but like all Chinese private sector companies have what is in effect a 'shadow board' in the form of a Communist Pary cell which can override management decisions and enforce adherence to national strategic priorities.«" (108)
- "States interested in trying to shape another state's proxy relationship can try to influence these various factors by (1) working to change that state's awareness of the threat posed by these non-state actors; (2) building up that state's capacity to prevent, stop, or punish a non-state actor's malicious activity […]; or (3) exerting coercive power through naming and shaming, sanctions, and military or law enforcement punishment" (138)
- the DIME(LE) model "outlines the various instruments of statecraft - diplomacy, information, military, economy, and (in the expanded version) law enforcment" (139)
- "a state may try to undermine trust between the proxy and the beneficiary by exploiting vulnerabilities in the relationship such as divergent interests and information asymmetries" (141)
- "comprehensive economic sanctions […] viewed as counterproductive, leading to the rise of more targeted sanctions [inviduals rather than entire countries]" (141)
- "»Parties usually overestimate the other party's control over proxies while underestimating their own level of control.«" (142)
- "while some companies claim that they have no control over how their products are used once they are sold […], many companies offer customer service and product updates that require a continuing relationship […It] may therefore be possible for a company to terminate its relationship and product's functionality; […] easier to do this than to take back the sale of conventional tangible goods." (79)
- preventive statements: "»Regardless of the motivation, the NIPC reiterates such activity is illegal and punishable as a felony. The US government does not condone so-called 'patriotic hacking' on its behalf.«" (147)
- "…building a normative regime and taboo of unacceptable practices […] is unlikely in the foreseeable future" (154)
- "A state might also build a relationship to a non-state actor to prevent hacktivists […] or other non-state actors from interfering with government operations by, for example, shutting down a website forum that the government is monitoring for intelligence purposes. The Jester already revealed that »I don't hit the ones that are being actively monitored and infiltrated on the Human Intelligence side. And I herd more people to them by hitting everything else around them, leaving them no place to go except into the arms of the big boys.«" (40)
OTHER:
- "the US government used a fake job interview to trick a suspect, Vasily Gorshkov, into traveling to the United States" (96)
- "more than 80 percent of the industrial control systems in China use foreign technologies, and this use is increasing" (119)
- "Comparing the proxy relationships in existing cyber powers […] requires us to revisit distinctions between private & public spheres that are blurred in countries where prebendalism reigns…" (3)
"prebendalism" = Präbendalismus (Max Weber) = Pfründenwirt. (Pfrund vom lat. praebenda) = Ämter (Staat, Kirche, …), die zugleich einen Anspruch auf die Erträge einer mit dem Amt verbundenen Vermögensmasse gewähren (im Ggs. zu direkter Besoldung bspw.; heute negativer Klang, noch wohl Praxis u.A. in Nigeria)
- political science book, rather dry in a good sense (less sensationalist etc)
- USA, Russia, China, Iran/Syria - proxy histories, case-studies
- conceptual framework, diagrams, 2 maps and a few tables
Some quotes:
- Methodology: "Data on proxy actors, in particular, is very limited. […] inductive approach. Closely examining a small number of cases […] Sources included primary and secondary literature […]. The literature-based research was complemented by semi-structured interviews with experts, including hackers […]; government officials in defense, intelligence and Law enforcement communities; employees at cyber threat intelligence companies; and defense contractors, security researchers and computer emergency response officials." (35)
- "It is important to highlight that the definition of cyber proxies used in this book considers unauthorized access a necessary element of an offensive action (apart from a DDoS attack). It therefore excludes actors carrying out information operations that do not include unauthorized access, such as the trolls in St. Petersburg" (67)
- state/state proxy relationships, state/non-state, non-state/state, non-state/non-state relationship (industry-hired hackers vs piracy-sites (35 or 145)); "most relevant in international affairs today is the state/non-state proxy relationship. This […] is the focus of this book." (32 f.)
- "reports about government-supported hackers targeting dissidents [domestically] predated reports about such proxies hitting targets abroad. […] typologies of proxies based on motivation quickly face limitations […]. The same is true for typologies of proxies based on whether their targets are perceived as internal or external threats."(151 f.)
- "There is obviously a spectrum between »acting in the interest of« and »acting on behalf of«" (124)
- "cyber operations are low-cost. […] the Internet is contributing to a diffusion of power from state to non-state actors […], cyber power itself was diffuse from the start." (151)
- "three main types of proxy relationships: (1) delegation, (2) orchestration, and (3) sanctioning (approving or permitting [passive support as opposed to principal and agent]). […] Any state may pursue any of these three relationships or 'mix' them; nonetheless states systematically tend to favor one approach…" (152)
- all countries "have an interest in balancing the benefits of proxy relationships with the cost and increased risk of escalation. In addition, democratic states must ensure proxy relationships are subject to their accountability mechanisms and system of checks and balances."(153)
- terms "cyber-security" (US gov) versus "information security" (Russia, China with focus on content / censorship of 'propaganda' because Soviet Union would have lost due to 'imperialist infowar' (58) not NATO conventional forces) (54 ff.); extraterritorial censorship (Great Cannon DDoS attack on GitHub (63))
- "Ukrainians were much more concerned over the long-term strategic effects of such [Russian confuse/desinform/subvert information] operations than they were about the potential effects of a cyber attack against critical infrastructure" (61), such as the power outage in western Ukraine or the loss of technical capacity to provide connection between the peninsula and the rest of the Ukraine (98)
- yet, "From an international law perspective, information operations, including those targeting civilian populations, are not prohibited as long as the activities do not incite crimes" (66)
- from "computer network operations" to "cyber effects operations" (55)
Some quotes on aspects that I have focused more on:
- Volunteerism
- Private market
- How proxies are controlled
1. VOLUNTEERISM:
- "The 1998 events [anti-China protests in Indonesia] reveal the strong, even foundational role of patriotism in China's hacktivist groups, an attitude that stands in stark contrast to many Western hackers' shared ideology of opposition to governments." (109)
- the Chinese "patriotic hackers were so patriotic that they wanted to help the government improve its cybersecurity. When the government turned down their offer to help, they grew frustrated and started defacing websites of the Chinese government itself to raise more awareness of the existing vulnerabilities" (110); The government tries "keeping those actor's patriotism in check and subsequently frustrated proxies might turn against the government rather than focusing their energy externally." (119)
- "…wave of volunteerism that emerged among the population in Ukraine once the conflict escalated across all sectors. Yet, the interviewees also remarked that the government lacked the capacity to effectively absorb these additional resources - it was unable to mobilize them and amplify the state's power" (41);
"in addition to lacking an overal strategy to mobilize these additional capabilities and provide active support, the Ukrainian government has also been inconsistent in its stance towards passive support" (99):
"Head of the Ukrainian Interior Ministry […] offered facilities and staffing assistence. [Elsewhere] hackers shared hacked data with Ukraine's Security Service, [and] »criminal proceedings were instituted […] and some arrests were made«"(99)
- other than DDoS, leaks and web defacements by nationalist Ukrainian hacker groups: "It is notable that the [Ukraine] conflict does not appear to have politicized and mobilized the most sophisticated non-state actors with cyber capabilities - the cybercriminals - to change their profit-driven behavior to more politically driven action to any significant degree. […] For its part, the Ukrainian government has not had the capacity and strategy in place to mobilize the capabilities provided by volunteers. One explanation for the Ukrainian government's limited ability to mobilize non-state actors is the general poor state of the military."(100)
- "…people deciding to join a DDoS attack voluntarily (as in the case of the German and British hackers who lent their support to the Ukrainian Cyber Forces in 2015)" (134)
- patriotic criminals (102 f.)
- "military and civilian [cyber] attacks are hard to distinguish […] in peacetime, civilians hide the military" (108)
- "In 2001, when Chinese patriotic hacktivists were targeting the United States, the Chinese government eventually decided to intervene and stop the hacktivists' attack […] by using its official media outlets to publish statements […] that while they understood the hackers' »passion,« they discouraged the attacks" (147); "The US government does not condone so-called 'patriotic hacking' on its behalf" (147)
- "Hackers were used to target opponents of the [Iranian] regime" (82); pro-US hacker targeted Wikileaks, Anonymous, LulzSec, Ecuador (Edward Snowden), Syrian Electronic Army, Libya, Jihadis, … (17)
- "the report concluded, »[…] that a single individual is very capable of waging cyber war at a level we previously attributed only to intelligence agencies or crime syndicates«" (17)
- 1979, "group of Iranian students stormed the US embassy […] the Iranian students expressed a desire to be affiliated with their respective governments and to become their agents" (84)
- "Khamenei in a spech »urgend his country's students - whom he called »cyber war agents« - to prepare for battle... 'You are the cyber-war agents and such a war requires Amman-like insight and Malik Ashtar-like resistance. Get yourself ready for such war wholeheartedly.«" (81)
- "pro-Kremlin youth organizations, partly as counterbalance to potential popular uprisings" (59)
2. PRIVATE MARKET:
- "Even as firms shifted from [private] military to security services, the private market for security services grew dramatically, driven by the push for privatization, a general reconceptualization of the role and size of the state, increased economic incentives for outsourcing, and the specific political incentives to use contractors as overt or covert proxies. Demand from the intelligence community grew as well, and the 9/11 terrorist attacks provided an additional catalyst." (72)
- "explosion of small start-up companies in this field. […] Governments around the world are therefore not only working with large companies when it comes to cybersecurity but often also with [cleared] small boutique firms." (75); "…increasing number of US military and intelligence employees […] start their own companies" (80)
- "Singer's description of conventional private military and security companies offering services along the full length of the spear, with the exception of the deadly tip, appears to apply to private cybersecurity contractors as well." (77); eg, Endgame Inc. ids potential targets but doesn't conduct the attack (76)
- "the United States […] cannot wage war without the private military industry." (80)
- hackback-/take-down companies: "Bollywood movie companies hiring an Indian company to launch DDoS attacks on sites hosting pirated movies. […] DDoS-for-hire service from China against a South Korean competitor." (35)
- "the United Arab Emirates paid Hacking Team USD 634,500 for the use of its product [with some zero-days], with which they surveiled over 1,000 people." (79)
- "»SCADA systems are also 'hard to patch', so even old vulnerabilities are actual« (13)
- "the US government has explained at great length that it considers political espionage legitimate (while considering espionage for commerical competitive advantage illegitimate …" (56)
- "North Koreans earn foreign money by developing software in China and perform hacking activities to collect national industrial secrets at the same time." (132)
3. HOW PROXIES ARE CONTROLLED:
- "The three main instruments principals can use bilaterally to minimize the divergence of interest and behavior [»the agency problem«] are (1) screening and selection, (2) monitoring, and (3) punitive measures [financial penalties, exclude contractors from bidding, arrest]. In addition, principals may use multiple agents as an additional instrument, keeping agents weak by introducing competition" (44)
- "discrepancy between the state's projected capacity […] and its de facto capacity and power. […An] ineffective attempt at cracking down on the non-state actor could expose this discrepancy and prove a source of embarrassment." (47)
- "Iranian and Syrian governments are not merely tolerating and providing passive support to hackers operating out of their territories. They are aware of the hackers' activities and […] they are »fail[ing] altogether to take any 'apropriate steps' to protect [the hackers' targets] … or to persuade or to compel [the hackers] to withdraw«" (92)
- an "indication that the Russian government can effectively enforce the law if it so chooses is the fact that malware used by Russian and east European cybercriminals is often designed so that it »purposefully avoids infecting computers if the program detects the potential victim is a native resident.« […] When Russian hackers do target victims in Russia, Moscow's response is swift and harsh [but wouldn't care about frauds restricted to other parts of the world]" (95)
- "the Chinese government […] regularly reined in its hacktivists with public statements calling on them to stop their campaigns." (97)
- "In China these links between state and private are also blurred. […] Huawei and ZTE »aspire to be 'normal' companies but like all Chinese private sector companies have what is in effect a 'shadow board' in the form of a Communist Pary cell which can override management decisions and enforce adherence to national strategic priorities.«" (108)
- "States interested in trying to shape another state's proxy relationship can try to influence these various factors by (1) working to change that state's awareness of the threat posed by these non-state actors; (2) building up that state's capacity to prevent, stop, or punish a non-state actor's malicious activity […]; or (3) exerting coercive power through naming and shaming, sanctions, and military or law enforcement punishment" (138)
- the DIME(LE) model "outlines the various instruments of statecraft - diplomacy, information, military, economy, and (in the expanded version) law enforcment" (139)
- "a state may try to undermine trust between the proxy and the beneficiary by exploiting vulnerabilities in the relationship such as divergent interests and information asymmetries" (141)
- "comprehensive economic sanctions […] viewed as counterproductive, leading to the rise of more targeted sanctions [inviduals rather than entire countries]" (141)
- "»Parties usually overestimate the other party's control over proxies while underestimating their own level of control.«" (142)
- "while some companies claim that they have no control over how their products are used once they are sold […], many companies offer customer service and product updates that require a continuing relationship […It] may therefore be possible for a company to terminate its relationship and product's functionality; […] easier to do this than to take back the sale of conventional tangible goods." (79)
- preventive statements: "»Regardless of the motivation, the NIPC reiterates such activity is illegal and punishable as a felony. The US government does not condone so-called 'patriotic hacking' on its behalf.«" (147)
- "…building a normative regime and taboo of unacceptable practices […] is unlikely in the foreseeable future" (154)
- "A state might also build a relationship to a non-state actor to prevent hacktivists […] or other non-state actors from interfering with government operations by, for example, shutting down a website forum that the government is monitoring for intelligence purposes. The Jester already revealed that »I don't hit the ones that are being actively monitored and infiltrated on the Human Intelligence side. And I herd more people to them by hitting everything else around them, leaving them no place to go except into the arms of the big boys.«" (40)
OTHER:
- "the US government used a fake job interview to trick a suspect, Vasily Gorshkov, into traveling to the United States" (96)
- "more than 80 percent of the industrial control systems in China use foreign technologies, and this use is increasing" (119)
- "Comparing the proxy relationships in existing cyber powers […] requires us to revisit distinctions between private & public spheres that are blurred in countries where prebendalism reigns…" (3)
"prebendalism" = Präbendalismus (Max Weber) = Pfründenwirt. (Pfrund vom lat. praebenda) = Ämter (Staat, Kirche, …), die zugleich einen Anspruch auf die Erträge einer mit dem Amt verbundenen Vermögensmasse gewähren (im Ggs. zu direkter Besoldung bspw.; heute negativer Klang, noch wohl Praxis u.A. in Nigeria)
August 25, 2019
A beneficial exploration of cyber proxies and their use by the United States, Russia, China, and Iran. The key takeaway from this book is that our potential adversaries have a much more comprehensive view of operations in cyberspace than we do. In most of the military meetings discussing cyberspace that I’ve participated in, the focus very rarely diverts from how to stop adversaries from conducting cyber-attacks targeting critical infrastructure (power plants, electric grids, dams, etc). While that is a legit concern, foreign nations are significantly more interested in information operations that have the power to influence the broader political outcome than they are in any military application. Russian efforts to influence the 2016 presidential election being exhibit A. Overall, the book was rather dry and academic but I still think it a very useful read for helping those of us in the United States to gain a greater understanding of how potential adversaries think and operate. In turn, it should lead to much deeper thought and discussion when we develop our own strategies for combating these challenges. 3 stars.
What follows are my notes on the book:
The author defines Cyber Proxies as “intermediaries that conduct or directly contribute to an offensive cyber action that is enabled knowingly, whether actively or passively, by a beneficiary. This broad definition covers the phenomenon of states committing to support specific proxies as well as states omitting to take certain actions and turning a blind eye to a non-state actor’s malicious actions” (xi). The author argues that projecting coercive power through cyberspace is not only a state-centric affair but often a dynamic interplay between state and non-state actors that raises important questions over control, authority, and the legitimacy of the use of cyber capabilities. Interviewing many players involved in the cyber-attacks on Ukrainian critical infrastructure, the interviewees were significantly more interested in the impact of information operations on the broader political outcome than they were the military applications of the attacks. A view that was ahead of its time considering the cyber meddling/information operations on the 2016 US presidential election (xii).
The book has three main arguments: 1) it is important to focus on proxies, not just states, in the cyber domain, 2) state use of cyber proxies is not that different from how states have used conventional proxies throughout history, and 3) there is a new diffusion of reach which allows state and non-state actors to cause effects remotely across vast distances through offensive cyber operations (xiv).
There is no agreed upon definition for cybersecurity. States like Russia and China consider content an information security threat whereas others, like the US, consider content and the free flow of information a human right. The latter states exclude content from their definitions and use the term cybersecurity. The former frame their scope of concerns as information security (6).
The ability to cause harm is not a significant differentiator between state and non-state hackers above a certain, fairly low level of technical sophistication. Consequently, cyber proxies can cause significant harm and pose a security threat from a national and international security perspective (13). In fact, today some individuals have more sophisticated cyber capabilities than many nation-states. What are cyber proxies used for? For operating in “the space between” diplomacy or sanctions and military action. There is a lot of things that you can do in that space between those tools to accomplish the national interest (14).
Cyber proxies are not all the same. They could be individual hacktivists or criminals, networks of the same, or organized groups like militias, private companies, or criminal organizations (17).
Three main types of proxy relationships can be identified: 1) delegation, where the beneficiary has overall control over the proxy and delegates authority to act on its behalf (principal-agent theory), 2) orchestration, state supported but without direct control or specific instructions (usually accompanied by string ideological bond), and 3) sanctioning, passive support or deliberately turning a blind eye to non-state activities (safe havens(20). Each of these will be shown in the case studies presented later in the book. The author chooses to classify proxies by degree of control rather than their intent because proxies’ motives could be multi-faceted and change over time (22).
By 2015, attitudes towards the question of attribution have changed dramatically. The question is not if, but when attribution can be made. It is also not viewed as a binary choice but a question of degree. However, robust attribution remains challenging and is often not available within the timeframe that decision makers might need to act in a national security context (23-24).
Proxies have been an instrument of power since ancient times: mercenaries, auxiliaries, and privateers have been in use since the Peloponnesian War in the 4th century B.C. Both the US and the USSR used proxies heavily during the Cold War (29). What they all had in common was that they are not legally part of the government to which they are attached.
The author lays out a framework to explain the various combinations of beneficiary-proxy relationships: state/state (think Cold War client states), state/non-state (like private security contractors), non-state/state (think organized crime utilizing weak states), and non-state/non-state (al-Qaeda franchises) (34).
Four conditions must be met for proxy relationships to develop: 1) actors detached from the state must be available to act as proxies, 2) the state has a perceived need, 3) the state must have the ability to mobilize actor to function as proxies, and 4) the proxy must also benefit from the relationship (36).
There is a general shortage of skilled labor in this field, both for states and non-state actors. So if military cyber warriors cannot develop or retain the talent, it will naturally find itself in a position where it has no choice but to rely on proxies (39).
Thinking back to the distinction between cybersecurity and information security, some of the most high profile cyber attacks against the US were driven by content, not military concerns (Sony, being the most prominent example) (51). The Russian campaign against the 2016 elections were in large part driven by their fight against Clinton for her encouraging protest against Putin along with the leak of the Panama Papers (that exposed Russian doping and offshore financial shenanigans. The release of DNC emails was likely viewed as tit-for-tat information operations (54). The US meanwhile, continues to view offensive cyber operations as distinct from information and psychological operations (55).
Lawyers struggle thanks to the artificial distinction between espionage and operations designed to deliver effects where the only distinction is intent.
Perhaps more than any other country, Russia is alarmed over the cognitive aspects of cyber issues as much as their technical aspects. Russian policy emphasizes internal stability as the death blow to the USSR came not from NATO conventional forces but from imperialist information war (58). The color revolution in Georgia, Ukraine and the Arab Spring of 2011 fueled the Kremlin’s perception of the threat. Putin feared the US had finally developed a magic tool that could bring people to the streets via the internet (60).
Like Russia, China too has a strong tendency to view information as a threat. The Communist Party still reigns. Russia and China differ noticeably when it comes to projection of cyber offensive power. Russia is exclusively focused on information operations while China has both an information ops and a offensive cyber focus. While the US silos emerged between electronic warfare, psychological operations, and cyber operations, China has pursued an integrated framework (63).
Chapter 4: Cyber Proxies on a Tight Leash: The United States. Private security contractors are a classic example of delegation and principal-agent relationships. This is an extension of the US practice of outsourcing functions to the private sector and defense contractors (79).
Chapter 5: Cyber proxies on a Loose Leash: Iran and Syria. Iran had a rude wake-up call to the danger posed by cyberspace following the 2009 Stuxnet malware hit them. Khameni urged the nations students to get ready for war in cyberspace. In a few short years, Iran’s capability has evolved rapidly, ad proxies have played a key role. Like Russia and China, Iran’s actions are driven by the need for regime stability. Iran was not about to be the next to fall in the Arab Spring. They required Internet cafes to collect user’s personally identifiable information (PII) and Internet service providers to share data on their customers with the government (81-82). HE argues there are similarities with how Iran uses cyber proxies and their use of students during the 1979 hostage crisis. Spontaneous action by the students later gave way to regime approval and support. In 2010, students hackers began actions on their own becoming proxies to Iran. The government is aware of their activities, but are failing to take any appropriate steps to compel them to stop.
Chapter 6: Cyber Proxies on the Loose: The Former Soviet Union. Russia and its former satellites most closely display sanctioning behavior (where they could stop the activity but don’t because they consciously but indirectly benefit from proxies hitting third parties). These countries stand out for their many individuals with strong technical skills (a remnant of their strong university system with heavy focus on math and engineering). With the collapse of the USSR, a highly educated and literate society saw unemployment skyrocket and the economy not be able to absorb all the talent. With weak law enforcement and opportunity for huge profit, illicit activities became very attractive. The state could stop this, and does whenever the victims are Russian. But as long as the criminals continue to target the US and Europe, enforcement remains non-existent (94-95). Because they refuse to cooperate with US law enforcement, the US has been capturing criminals whenever they leave the country, thanks to our large extradition policies with so many countries. Russia, in turn views this as systematic kidnapping of its citizens. Both the in Estonia (2007) and Ukraine (2015), were clear cases of the Russian government sanctioning cyber operations and doing little to put an end to them. In the war with Gerogia in 2008, proxy actions were coordinated and synchronized with a military attack. There is circumstantial evidence that the government was involved with these (the DDoS C2 servers were located in Russia, the infrastructure was operated by cyber criminal organizations, the attack was coordinated in known Russian hacker forums) (102). The US has sought cooperation with Russia to no avail; in fact the Russian FSB unit that is supposed to coordinate with the FBI was heavily involved in the cyber attacks on Yahoo. In conclusion, the combination of economic hardship, relative impunity, and high reward, has created an environment in which malicious cyber activity has flourished in Russia.
Chapter 7: Change over Time: China’s Evolving Relationships with Cyber Proxies. Over the past two decades, China’s relationship with cyber proxies has evolved from permiting malicious behavior, to creating institutions and structures to orchestrate private actors, to eventually tightening the leash further to delegation (107). These three phases largely coincided with the tenures of China’s last three leaders: Jiang Zemin (1994-2003), Hu Jintao (2003-2013), and Xi Xinping (2013-present). The latter consolidated power through a series of widespread crackdowns and institutionalized incentive mechanisms. The distinction between state and private sector is very different from the US. Companies like Huawei and ZTE aspire to be normal but have shadow boards run by the communist party that can override management (108). China also seeks to blur the lines between military and civilian actors. Per thir most recent military strategy argued that since military and civilian cyber attacks are hard to distinguish, the PLA should persist in the integration of peace and war and the integration of military and civilian activities such that in peacetime, civilians hide the military and in wartime the civilians and military join hands and attack together (108). While many Western hackers have a strong, anti-government mentality, China has cultivated a very string since of patriotism, directing their attacks at external enemies. China did actually make some changes (how long they last is yet to be determined) after talks on preventing cyber-enabled theft of intellectual property for competitive advantage (espionage against the government remains fair game). In 2015, China made further moves towards a monopolistic state in this domain when they reformed the PLA with the creation of a Strategic Support Force that consolidated military cyber capabilities. They have also expanded domestic control by expanding the militia system, creating stronger ties with hacktivists. With weak enforcement and so many hacktivists, China has moved to coopt them rather than crack down on them.
The author discusses the DIME(LE) [Diplomatic, Information, Military, Economic, Law Enforcement) toolset for possible ways to influence cyber proxies at home and abroad. Private companies (like Sony, and banks) are expressing growing interest in “hacking back” due to the inaction of government to address the challenges that are impacting their bottom line, some companies going as far as to position counter-attack capabilities offshore to avoid legal troubles.
Conclusion: While inter-state war has been in decline since WWII, use of proxies has only grown. The author concludes with X key findings: 1) projecting coercive power thru cyberspace is not a state-centric affair but a dynamic interplay between state and proxies. 2) States use proxies for a wide variety of purposes, not limited to projecting power abroad. 3) Categorizing proxies by intent or motive is not particularly helpful. 4) There are three main types of proxy relationships: delegation, orchestration, and sanctioning. 5) Countries pursue different models for proxy relationships but face similar challenges in managing the relationships and balancing the cost and risk of escalation.
What follows are my notes on the book:
The author defines Cyber Proxies as “intermediaries that conduct or directly contribute to an offensive cyber action that is enabled knowingly, whether actively or passively, by a beneficiary. This broad definition covers the phenomenon of states committing to support specific proxies as well as states omitting to take certain actions and turning a blind eye to a non-state actor’s malicious actions” (xi). The author argues that projecting coercive power through cyberspace is not only a state-centric affair but often a dynamic interplay between state and non-state actors that raises important questions over control, authority, and the legitimacy of the use of cyber capabilities. Interviewing many players involved in the cyber-attacks on Ukrainian critical infrastructure, the interviewees were significantly more interested in the impact of information operations on the broader political outcome than they were the military applications of the attacks. A view that was ahead of its time considering the cyber meddling/information operations on the 2016 US presidential election (xii).
The book has three main arguments: 1) it is important to focus on proxies, not just states, in the cyber domain, 2) state use of cyber proxies is not that different from how states have used conventional proxies throughout history, and 3) there is a new diffusion of reach which allows state and non-state actors to cause effects remotely across vast distances through offensive cyber operations (xiv).
There is no agreed upon definition for cybersecurity. States like Russia and China consider content an information security threat whereas others, like the US, consider content and the free flow of information a human right. The latter states exclude content from their definitions and use the term cybersecurity. The former frame their scope of concerns as information security (6).
The ability to cause harm is not a significant differentiator between state and non-state hackers above a certain, fairly low level of technical sophistication. Consequently, cyber proxies can cause significant harm and pose a security threat from a national and international security perspective (13). In fact, today some individuals have more sophisticated cyber capabilities than many nation-states. What are cyber proxies used for? For operating in “the space between” diplomacy or sanctions and military action. There is a lot of things that you can do in that space between those tools to accomplish the national interest (14).
Cyber proxies are not all the same. They could be individual hacktivists or criminals, networks of the same, or organized groups like militias, private companies, or criminal organizations (17).
Three main types of proxy relationships can be identified: 1) delegation, where the beneficiary has overall control over the proxy and delegates authority to act on its behalf (principal-agent theory), 2) orchestration, state supported but without direct control or specific instructions (usually accompanied by string ideological bond), and 3) sanctioning, passive support or deliberately turning a blind eye to non-state activities (safe havens(20). Each of these will be shown in the case studies presented later in the book. The author chooses to classify proxies by degree of control rather than their intent because proxies’ motives could be multi-faceted and change over time (22).
By 2015, attitudes towards the question of attribution have changed dramatically. The question is not if, but when attribution can be made. It is also not viewed as a binary choice but a question of degree. However, robust attribution remains challenging and is often not available within the timeframe that decision makers might need to act in a national security context (23-24).
Proxies have been an instrument of power since ancient times: mercenaries, auxiliaries, and privateers have been in use since the Peloponnesian War in the 4th century B.C. Both the US and the USSR used proxies heavily during the Cold War (29). What they all had in common was that they are not legally part of the government to which they are attached.
The author lays out a framework to explain the various combinations of beneficiary-proxy relationships: state/state (think Cold War client states), state/non-state (like private security contractors), non-state/state (think organized crime utilizing weak states), and non-state/non-state (al-Qaeda franchises) (34).
Four conditions must be met for proxy relationships to develop: 1) actors detached from the state must be available to act as proxies, 2) the state has a perceived need, 3) the state must have the ability to mobilize actor to function as proxies, and 4) the proxy must also benefit from the relationship (36).
There is a general shortage of skilled labor in this field, both for states and non-state actors. So if military cyber warriors cannot develop or retain the talent, it will naturally find itself in a position where it has no choice but to rely on proxies (39).
Thinking back to the distinction between cybersecurity and information security, some of the most high profile cyber attacks against the US were driven by content, not military concerns (Sony, being the most prominent example) (51). The Russian campaign against the 2016 elections were in large part driven by their fight against Clinton for her encouraging protest against Putin along with the leak of the Panama Papers (that exposed Russian doping and offshore financial shenanigans. The release of DNC emails was likely viewed as tit-for-tat information operations (54). The US meanwhile, continues to view offensive cyber operations as distinct from information and psychological operations (55).
Lawyers struggle thanks to the artificial distinction between espionage and operations designed to deliver effects where the only distinction is intent.
Perhaps more than any other country, Russia is alarmed over the cognitive aspects of cyber issues as much as their technical aspects. Russian policy emphasizes internal stability as the death blow to the USSR came not from NATO conventional forces but from imperialist information war (58). The color revolution in Georgia, Ukraine and the Arab Spring of 2011 fueled the Kremlin’s perception of the threat. Putin feared the US had finally developed a magic tool that could bring people to the streets via the internet (60).
Like Russia, China too has a strong tendency to view information as a threat. The Communist Party still reigns. Russia and China differ noticeably when it comes to projection of cyber offensive power. Russia is exclusively focused on information operations while China has both an information ops and a offensive cyber focus. While the US silos emerged between electronic warfare, psychological operations, and cyber operations, China has pursued an integrated framework (63).
Chapter 4: Cyber Proxies on a Tight Leash: The United States. Private security contractors are a classic example of delegation and principal-agent relationships. This is an extension of the US practice of outsourcing functions to the private sector and defense contractors (79).
Chapter 5: Cyber proxies on a Loose Leash: Iran and Syria. Iran had a rude wake-up call to the danger posed by cyberspace following the 2009 Stuxnet malware hit them. Khameni urged the nations students to get ready for war in cyberspace. In a few short years, Iran’s capability has evolved rapidly, ad proxies have played a key role. Like Russia and China, Iran’s actions are driven by the need for regime stability. Iran was not about to be the next to fall in the Arab Spring. They required Internet cafes to collect user’s personally identifiable information (PII) and Internet service providers to share data on their customers with the government (81-82). HE argues there are similarities with how Iran uses cyber proxies and their use of students during the 1979 hostage crisis. Spontaneous action by the students later gave way to regime approval and support. In 2010, students hackers began actions on their own becoming proxies to Iran. The government is aware of their activities, but are failing to take any appropriate steps to compel them to stop.
Chapter 6: Cyber Proxies on the Loose: The Former Soviet Union. Russia and its former satellites most closely display sanctioning behavior (where they could stop the activity but don’t because they consciously but indirectly benefit from proxies hitting third parties). These countries stand out for their many individuals with strong technical skills (a remnant of their strong university system with heavy focus on math and engineering). With the collapse of the USSR, a highly educated and literate society saw unemployment skyrocket and the economy not be able to absorb all the talent. With weak law enforcement and opportunity for huge profit, illicit activities became very attractive. The state could stop this, and does whenever the victims are Russian. But as long as the criminals continue to target the US and Europe, enforcement remains non-existent (94-95). Because they refuse to cooperate with US law enforcement, the US has been capturing criminals whenever they leave the country, thanks to our large extradition policies with so many countries. Russia, in turn views this as systematic kidnapping of its citizens. Both the in Estonia (2007) and Ukraine (2015), were clear cases of the Russian government sanctioning cyber operations and doing little to put an end to them. In the war with Gerogia in 2008, proxy actions were coordinated and synchronized with a military attack. There is circumstantial evidence that the government was involved with these (the DDoS C2 servers were located in Russia, the infrastructure was operated by cyber criminal organizations, the attack was coordinated in known Russian hacker forums) (102). The US has sought cooperation with Russia to no avail; in fact the Russian FSB unit that is supposed to coordinate with the FBI was heavily involved in the cyber attacks on Yahoo. In conclusion, the combination of economic hardship, relative impunity, and high reward, has created an environment in which malicious cyber activity has flourished in Russia.
Chapter 7: Change over Time: China’s Evolving Relationships with Cyber Proxies. Over the past two decades, China’s relationship with cyber proxies has evolved from permiting malicious behavior, to creating institutions and structures to orchestrate private actors, to eventually tightening the leash further to delegation (107). These three phases largely coincided with the tenures of China’s last three leaders: Jiang Zemin (1994-2003), Hu Jintao (2003-2013), and Xi Xinping (2013-present). The latter consolidated power through a series of widespread crackdowns and institutionalized incentive mechanisms. The distinction between state and private sector is very different from the US. Companies like Huawei and ZTE aspire to be normal but have shadow boards run by the communist party that can override management (108). China also seeks to blur the lines between military and civilian actors. Per thir most recent military strategy argued that since military and civilian cyber attacks are hard to distinguish, the PLA should persist in the integration of peace and war and the integration of military and civilian activities such that in peacetime, civilians hide the military and in wartime the civilians and military join hands and attack together (108). While many Western hackers have a strong, anti-government mentality, China has cultivated a very string since of patriotism, directing their attacks at external enemies. China did actually make some changes (how long they last is yet to be determined) after talks on preventing cyber-enabled theft of intellectual property for competitive advantage (espionage against the government remains fair game). In 2015, China made further moves towards a monopolistic state in this domain when they reformed the PLA with the creation of a Strategic Support Force that consolidated military cyber capabilities. They have also expanded domestic control by expanding the militia system, creating stronger ties with hacktivists. With weak enforcement and so many hacktivists, China has moved to coopt them rather than crack down on them.
The author discusses the DIME(LE) [Diplomatic, Information, Military, Economic, Law Enforcement) toolset for possible ways to influence cyber proxies at home and abroad. Private companies (like Sony, and banks) are expressing growing interest in “hacking back” due to the inaction of government to address the challenges that are impacting their bottom line, some companies going as far as to position counter-attack capabilities offshore to avoid legal troubles.
Conclusion: While inter-state war has been in decline since WWII, use of proxies has only grown. The author concludes with X key findings: 1) projecting coercive power thru cyberspace is not a state-centric affair but a dynamic interplay between state and proxies. 2) States use proxies for a wide variety of purposes, not limited to projecting power abroad. 3) Categorizing proxies by intent or motive is not particularly helpful. 4) There are three main types of proxy relationships: delegation, orchestration, and sanctioning. 5) Countries pursue different models for proxy relationships but face similar challenges in managing the relationships and balancing the cost and risk of escalation.
June 19, 2019
Another bureaucrat telling the World why everybody needs his just guidance and expert newspaper reading skills.
November 15, 2018
Three dependants; IOT, identity politics, vagaries of personalities. These are some of the domains which will increasingly matter in the domain of Internet interactions. Whether it's the higher office of a country or its citizens, the Internet as classified as an operational domain that is fluid, non physical yet increasingly important to the world population must contend with the livelihoods, socially constructed norms and perceived slights. These are things which requires a discipline framework encouraged and constantly refreshed and negotiated to be applicable in cyberspace. For all its nascent abilities we are currently in an expanding phase of what the internet, it's relevance and disruptions would mean to a state and its people. The digital proxies in pursuit of private economic gains, political or religious ideological wants and how they contend with the state and their behaviour. These are important questions as a quantum breach could spell disorders.
June 4, 2018
"In December 2015, a cyber attack against the Ukrainian electrical grid cut power in the western part of the country for about six hours... Despite its significance in the history of cyber incidents, it had little effect in the broader scheme of the conflict. In fact, it had occurred only a month after conventional bombs physically destroyed pylons supporting the power supplies to Crimea. The kinetic attack did not cause a brief power shortage that lasted for hours; it continued for months, affecting not only the Russian naval base located there but also the people of Crimea. Therefore, while the cyber attack targeting the power supply in western Ukraine was an escalation viewed through the prism of cyber conflict, it was only a blip in the broader 'cybered conflict.'"
March 3, 2018
Sensational title notwithstanding, this is a very good book on digital “proxies”: non-state organizations that hack in the interests of some nation-state, and which are affiliated to varying degrees. The author outlines a spectrum of these proxies, from US military contractors with their direct governmental relationship, to patriotic hacktivist groups in Russia and the Ukraine who are simply tolerated and appreciated by the state. The main part of the book is a set of case studies, which I found fascinating; and it then goes on to discuss some of the relevant international law (or lack thereof) around the actions of these proxies.
May 28, 2021
Cyber Warfare is the most dangerous aspect of 21st Century. Countries are engaged in cyber attacks against each other and Cyber mercenaries are their choice.
Displaying 1 - 7 of 7 reviews