In February 2018, the cybersecurity firm FireEye published a report detailing the activities of a hacker group called APT37 (also known as Reaper, TEMP.Reaper, ScarCruft, or Group123), which had carried out a series of cyberattacks across Asia. The report assessed “with high confidence” that the group was acting on behalf of the North Korean government. APT37 primarily engages in gathering intelligence on South Korean entities, particularly those affiliated with the government, military, and defense industries. It has also targeted organizations active in helping North Korean defectors and those engaged in reunification efforts on the Korean Peninsula.
This is just one example of a rising trend, as states increasingly turn to “cyber proxies”—hacker groups that carry out cyber operations on behalf of or in concert with nation states. Yet analysts know very little about how these groups operate and the nature of their relations with their state sponsors: the clandestine nature of cyber operations means these proxies have largely gone unnoticed. If the United States is to respond effectively to this emerging risk, it needs a better understanding of their activities.
The Rise of Cyber Proxies
Cyber proxies can be individual hackers hired for a particular operation or organized groups of hackers such as China’s Comment Crew, the Iranian Cyber Army, and the Syrian Electronic Army. There are also nontraditional cyber proxies such as defense contractors and security companies like Lockheed Martin, BAE Systems, and Israeli technology firm NSO Group. Offerings from these companies include the sale of software that can break into and degrade or destroy adversary computer systems. Some analysts therefore argue that these companies should also be labeled as cyber proxies, not least because targets on the receiving end of their operations often perceive them as such and respond accordingly.
The increasing use of cyber proxies is especially alarming since it may increase the likelihood of cyberattacks. Although we have not yet seen the full potential of cyberattacks, they are widely perceived as less lethal than conventional weapons, which lowers the threshold for their use. And they are relatively cheap to deploy. The latest system vulnerabilities and sophisticated tools to exploit them are often readily available for sale on the dark web. Hackers are available for hire by the hour. This means even the poorest states can afford to deploy highly sophisticated cyberattacks against rivals. Attackers can also exploit the same vulnerabilities to launch mass attacks against multiple targets simultaneously—a challenging task with conventional weapons outside a full-scale war situation.
The use of cyber proxies for offensive cyber operations only exacerbates the problem. Proxies do not involve the same kind of “boots on the ground” costs the public and media pay close attention to, so elected officials and state agents may be less concerned about the political costs of cyberattacks.
The Strategic Logic of Cyber Proxies
Working with cyber proxies is appealing for states because it enables them to tap into skills, expertise, tools, and capabilities that state agencies may lack or find too expensive to develop in house. Cyber proxies often operate in the gray areas of international politics; they can offer political cover for governments that may not want to be tied to cyber operations that come to light. Proxies also enable states to avoid revealing their in-house capabilities—an important advantage for states that want to maintain strategic ambiguity as norms evolve in the cyber domain.
States employ a variety of models in their relations with their cyber proxies. The United States, for instance, keeps its proxies—defense contractors—relatively close, enabling tight direction and monitoring of their activities in terms of target selection and techniques used. Others, like Iran and Syria, may opt to put more operational distance between them and their proxies, providing material and ideological support in exchange for the proxies’ cooperation in targeting specific political adversaries.
Other states, like Russia, may put even greater distance between them and their proxies, avoiding direct input and giving the proxy carte blanche in terms of targets and techniques. The Russian government is increasingly extending tacit support to various hacker groups, even using the threat of criminal prosecution and bribes to elicit their cooperation, particularly in targeting the United States and its allies. In general, however, the support of the state is mostly passive; in many cases, the only link between the proxy and the state is that the state willingly turns a blind eye to the activities of the proxy despite having the capacity to crack down. This opens the intriguing possibility of hackers being unwitting proxies of the state.
Finally, some states, like China, have used a combination of these approaches to manage their relations with their proxies. Until recently, Chinese proxies operated with more distance. But China has been centralizing its offensive cyber operations, pursuing a systematic program of incorporating private hackers into its intelligence agencies while shifting responsibilities for cyber operations away from the People’s Liberation Army and toward more specialized cyber units at the Ministry of State Security.
While working with proxies offers tangible benefits to states, it also entails significant risks. For instance, states face a “Promethean dilemma” where their proxies could turn their skills, capabilities, and tools against them. This is likely to happen in cases where the relationship between the state and proxy is so loose that the proxy has little incentive to cooperate with and abide by the directives of the state sponsor.
Accountability for Cyber Proxies
Despite the variety of models and risks associated with cyber proxies, my research suggests that one consistent feature of proxies is that they are much less likely to be employed by states with strong domestic accountability mechanisms. Prior research suggests that although most members of the public do not pay much attention to state-level offensive cyber operations, once they are made aware of cyber breaches, they tend to prefer a measured response that limits the potential for escalation. Furthermore, long-term exposure to cyber attacks tends to mitigate the emotional responses associated with them, reinforcing the public’s preference for cyber restraint.
Given the public’s general preference for cyber restraint, it is reasonable to expect that where citizens can hold their elected officials accountable for proxy-executed cyber operations, these officials are less likely to pursue such operations. My research confirms this using newly collected data on over one hundred hacker groups around the world. The effect is particularly strong where vertical accountability mechanisms, such as elections and other democratic processes, are robust. The effect is much weaker, on the other hand, where government officials are mainly held to account through horizontal accountability mechanisms, such as parliamentary and regulatory oversight institutions.
Reining in Cyber Proxies
These insights are important in helping combat cyber proxies. For one, it suggests that pressure from citizens and civil society groups could be useful in curbing the use of proxies where vertical accountability institutions are functional. Attributing cyberattacks to state sponsors (even if the evidence remains fluid) might spur pressure from citizen groups that might limit future attacks. It also suggests that policies that rely on regulatory and other state oversight institutions to keep cyber operations in check will be largely ineffective.
For now, popular responses to cyberattacks include the issuing of condemnatory statements by senior government officials, diplomatic protests (such as expelling diplomats), and legal measures (like the indictment of proxy hackers). These measures work by labeling proxy-executed cyber operations as deviant with the aim of mobilizing domestic and international condemnation of the behavior. By making it clear that the activities of cyber proxies are known and won’t be tolerated, public deterrence measures aim to increase the cost of continued offensive cyber operations. Strong vertical accountability mechanisms can be useful here, helping to increase pressure on state sponsors to limit the use of proxies.
The US government, for instance, has been particularly active in using criminal indictments to stem the tide of proxy-executed cyber operations. Available data shows that the US Department of Justice has unsealed at least twenty-four indictments since 2014, with 195 criminal counts against ninety-three foreign individuals accused of cyber influence operations at the behest of a state sponsor. Iranian, Chinese, Russian, Syrian, and North Korean hackers have been charged with a variety of crimes ranging from malicious destructive hacks to the theft of trade secrets and other intellectual property.
Other approaches include technical deterrence measures such as efforts aimed at strengthening the resilience of computer systems to cyber breaches. Some of these measures are specifically aimed at protecting critical infrastructure such as electric grids, communications, and transportation control systems.
Beyond these measures, states could implement various overt and covert retaliatory actions. These retaliatory attacks could take place in the cyber domain, through targeted sanctions, or with conventional military strikes. Broader economic sanctions could also be a useful deterrent, particularly where the targeted country is heavily dependent on the retaliating state for critical goods and services.
No Silver Bullet
All of these approaches have significant limitations. For one, the need for indictments to be based on publicly releasable evidence is problematic given the attribution challenges involved in establishing the source of cyberattacks. Information collected to establish attribution may not be admissible in court or may divulge sensitive intelligence sources and methods. Incontrovertible evidence regarding the source of an attack may not be available when it is most useful for criminal prosecution purposes. To complicate matters, apprehending individuals living overseas requires the cooperation of law enforcement agencies in those countries, further reducing the likelihood that hackers will ever see a day in court.
Technical defense measures, meanwhile, are often expensive and complex to implement properly. Ultimately, technical deterrence is only effective if it meaningfully changes the cost-benefit calculus of cyberattackers. So long as they consider it worthwhile to increase their efforts to surpass improved cybersecurity measures, technical deterrence will always fall short.
Sanctions also have their limitations. For one, they do little to elicit behavioral change in the target if there are no clear guidelines as to the conditions under which sanctions will be lifted or eased. The imposition of sanctions is also costly to the retaliating state, since it must forgo trade and other economic relations with the sanctioned state, and this economic pain is exacerbated if the sanctioned state responds with sanctions of its own. Retaliation through covert cyberattacks, meanwhile, could spark a cycle of tit-for-tat attacks that might lead to further escalation.
Given the limitations of these existing methods, there is an urgent need to explore more robust approaches to deterring state-sponsored proxy attacks. Overcoming attribution challenges and improving the efficiency of technical deterrence measures are paramount, as are limiting the negative effects of sanctions. As my research demonstrates, strengthening democratic accountability institutions might also hold promise, although doing so comes with its own set of challenges. What is clear, however, is that there are no silver bullets for countering cyber proxies. Policymakers need to pay more attention to these nonstate actors; understanding their evolving connections with state sponsors will be crucial in crafting an effective response.
William Akoto is an assistant professor of international politics at Fordham University.
The views expressed are those of the author and do not reflect the official position of the United States Military Academy, Department of the Army, or Department of Defense.
Image credit: freestocks.org