State Proxies & Plausible Deniability: Challenging Conventional Wisdom

plausibledeniability.jpg


It is often argued that states use proxies to claim plausible deniability for their actions. This logic certainly has a historical basis. In the Cold War era, when direct war between Russia and the USA was too risky, offensive actions conducted via conduits reduced the risk of retaliation. Likewise, proxies in the cyber domain are able to ‘muddle attribution’.  For example, before and during Russia's invasion of Georgia in 2008, Russian cyber militias disabled key portions of Georgia’s communication system. This was convenient as for the attack to work, civilian systems in third-party states needed to be compromised - if a Russian state actor was implicated, the attack would have violated tenants of armed conflict. Further, assuming Russian government involvement in the Estonian 2007 attacks, the Kremlin was able to retaliate to Estonia whilst circumventing accountability and avoiding some of the diplomatic costs of direct action. 

Whilst this conventional wisdom is not dismissed, the extent to which it holds true is questioned. The appeal of proxies, for the purposes of plausible deniability, has been overemphasised for two reasons.

First, cyber attacks that stem from a state can already have a significant degree of plausible deniability, given the difficulties in attributing cyber attacks. For example, attacks can be rerouted to travel through other states whilst comments placed in computer code can be altered to mimic other languages and culture.

Second, in response to difficulties in attribution, circumstantial evidence is increasingly being used in the forensic process⁠. For example although the alleged involvement of the Russian state in Estonian denial of service attacks in 2007 remains unproven, Russia’s clear incentive to retaliate in response to the relocation of a Russian war memorial, accompanied by the lack of Russian assistance in preventing the attacks, strongly suggests their tacit support. Jason Healey has previously criticised the international community for treating every state as if it were ‘Cyber Somalia’, unable to restrain attacks from its territory or mitigate their impact. Healey insists that states should be less reluctant to place blame on other states when cyber attacks stem from their territory. As this use of circumstantial evidence becomes more widely accepted, the plausible deniability associated with proxies becomes harder to claim. 

Therefore, whilst difficulties in attribution contribute to the appeal of proxies, a state's ability to claim plausible deniability has arguably been overemphasised. But, given the popularity of proxies in the cyber domain, they must appeal for other reasons. 

Proxies appeal for a variety of reasons.  One of the most significant drivers is a process of power diffusion. Characteristics of the cyber domain have facilitated the growth of a number of non-state actors. Given the low barriers to entry, a number of non-traditional actors are able to make meaningful contributions. Unlike fighter jets and navy vessels, sophisticated tools in the cyber domain can be developed by small businesses and starts-ups. Given the current shortage of cyber security related skills, governments struggle to compete with the salaries offered by the private sector or the economic opportunities that exist in online criminal activity. GCHQ has struggled to retain employees with technically capable staff able to command considerably higher salaries in the private sector

For less powerful states, proxies provide an opportunity to bolster their capability in a power balancing process against stronger adversaries. Cyber militias in a number of weaker states such as Latvia, Lithuania, Georgia, and Kyrgyzstan have all threatened to retaliate against future Russian cyber or kinetic attacks. When states lack internal capability, proxies offer a viable strategy to help balance the odds. 

Working with proxies may also reflect national culture. The Kremlin has historically held ties with organised crime and mafia groups and these relationships have extended into the cyber domain. As previously discussed in this blog, within Estonia, a number of political, cultural and historical characteristics facilitate the participation of civil society state cyber security activity.

States may also use proxies as they are cost effective. Outsourcing means that states are not faced with a range of costs including sick leave, holiday pay and training of full-time employees. This is especially attractive given that returns on investment in training are particularly low: many government workers will quickly move to the private sector after they have finished government training, given the economic opportunities. In addition, as the power diffusion process has empowered a number of actors, states should have a healthy choice of firms and organisations to work with, theoretically increasing the efficiency and driving down the costs of outsourcing. 

It is clear states need to utilise proxies effectively in the cyber domain; plausible deniability being one of a number of benefits.  Yet, government officials should proceed with caution. Proxy actors operate outside the control of government, affording them an unpredictability unwelcome by policymakers. With proxy actors representing a risky, albeit necessary, resource, perhaps the real challenge for states is learning when to say no.

Jamie Collier is completing  a Doctorate in Cyber Security at Oxford University

http://www.cybersecurityrelations.com

 

« Russia in Ukraine & Syria: US Revise Cyber Budget
UK’s Surveillance Dragnet Legal Challenge »

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

eBook: Practical Guide to Security in the AWS Cloud

eBook: Practical Guide to Security in the AWS Cloud

AWS Marketplace would like to present you with a digital copy of the new book, Practical Guide to Security in the AWS Cloud, by the SANS Institute.

Clayden Law

Clayden Law

Clayden Law are experts in information technology, data privacy and cybersecurity law.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

Cyber Security Service Supplier Directory

Cyber Security Service Supplier Directory

Free Access: Cyber Security Service Supplier Directory listing 5,000+ specialist service providers.

Wisegate

Wisegate

Wisegate is a community of IT experts providing advisory services on all areas of IT including security.

National Response Centre for Cyber Crime (NR3C)

National Response Centre for Cyber Crime (NR3C)

National Response Centre for Cyber Crime (NR3C) is a law enforcement agency in Pakistan dedicated to fighting cyber crime.

Stealthbits Technologies

Stealthbits Technologies

Stealthbits Technologies is a cybersecurity software company focused on protecting an organization's sensitive data and the credentials attackers use to steal that data.

American Cybersecurity Institute

American Cybersecurity Institute

American cybersecurity Institute is a newly formed not-for-profit organization dedicated to education, advocacy, study and analysis in the space of cybersecurity law and policy.

Griffeshield

Griffeshield

Griffeshield is a company specialised in new information technologies used to protect Intellectual Property.

NetApp Excellerator

NetApp Excellerator

NetApp Excellerator is NetApp’s global start-up program that aims to fuel innovation by partnering with deep-tech start-ups.

Security On Demand (SOD)

Security On Demand (SOD)

Security On-Demand is the world’s first Full Spectrum Cyber-Threat Monitoring service, designed to bridge the gap between data and action.

Guidehouse

Guidehouse

Guidehouse is a leading global provider of consulting services to the public and commercial markets with broad capabilities in management, technology, and risk consulting.