State Proxies & Plausible Deniability: Challenging Conventional Wisdom

plausibledeniability.jpg


It is often argued that states use proxies to claim plausible deniability for their actions. This logic certainly has a historical basis. In the Cold War era, when direct war between Russia and the USA was too risky, offensive actions conducted via conduits reduced the risk of retaliation. Likewise, proxies in the cyber domain are able to ‘muddle attribution’.  For example, before and during Russia's invasion of Georgia in 2008, Russian cyber militias disabled key portions of Georgia’s communication system. This was convenient as for the attack to work, civilian systems in third-party states needed to be compromised - if a Russian state actor was implicated, the attack would have violated tenants of armed conflict. Further, assuming Russian government involvement in the Estonian 2007 attacks, the Kremlin was able to retaliate to Estonia whilst circumventing accountability and avoiding some of the diplomatic costs of direct action. 

Whilst this conventional wisdom is not dismissed, the extent to which it holds true is questioned. The appeal of proxies, for the purposes of plausible deniability, has been overemphasised for two reasons.

First, cyber attacks that stem from a state can already have a significant degree of plausible deniability, given the difficulties in attributing cyber attacks. For example, attacks can be rerouted to travel through other states whilst comments placed in computer code can be altered to mimic other languages and culture.

Second, in response to difficulties in attribution, circumstantial evidence is increasingly being used in the forensic process⁠. For example although the alleged involvement of the Russian state in Estonian denial of service attacks in 2007 remains unproven, Russia’s clear incentive to retaliate in response to the relocation of a Russian war memorial, accompanied by the lack of Russian assistance in preventing the attacks, strongly suggests their tacit support. Jason Healey has previously criticised the international community for treating every state as if it were ‘Cyber Somalia’, unable to restrain attacks from its territory or mitigate their impact. Healey insists that states should be less reluctant to place blame on other states when cyber attacks stem from their territory. As this use of circumstantial evidence becomes more widely accepted, the plausible deniability associated with proxies becomes harder to claim. 

Therefore, whilst difficulties in attribution contribute to the appeal of proxies, a state's ability to claim plausible deniability has arguably been overemphasised. But, given the popularity of proxies in the cyber domain, they must appeal for other reasons. 

Proxies appeal for a variety of reasons.  One of the most significant drivers is a process of power diffusion. Characteristics of the cyber domain have facilitated the growth of a number of non-state actors. Given the low barriers to entry, a number of non-traditional actors are able to make meaningful contributions. Unlike fighter jets and navy vessels, sophisticated tools in the cyber domain can be developed by small businesses and starts-ups. Given the current shortage of cyber security related skills, governments struggle to compete with the salaries offered by the private sector or the economic opportunities that exist in online criminal activity. GCHQ has struggled to retain employees with technically capable staff able to command considerably higher salaries in the private sector

For less powerful states, proxies provide an opportunity to bolster their capability in a power balancing process against stronger adversaries. Cyber militias in a number of weaker states such as Latvia, Lithuania, Georgia, and Kyrgyzstan have all threatened to retaliate against future Russian cyber or kinetic attacks. When states lack internal capability, proxies offer a viable strategy to help balance the odds. 

Working with proxies may also reflect national culture. The Kremlin has historically held ties with organised crime and mafia groups and these relationships have extended into the cyber domain. As previously discussed in this blog, within Estonia, a number of political, cultural and historical characteristics facilitate the participation of civil society state cyber security activity.

States may also use proxies as they are cost effective. Outsourcing means that states are not faced with a range of costs including sick leave, holiday pay and training of full-time employees. This is especially attractive given that returns on investment in training are particularly low: many government workers will quickly move to the private sector after they have finished government training, given the economic opportunities. In addition, as the power diffusion process has empowered a number of actors, states should have a healthy choice of firms and organisations to work with, theoretically increasing the efficiency and driving down the costs of outsourcing. 

It is clear states need to utilise proxies effectively in the cyber domain; plausible deniability being one of a number of benefits.  Yet, government officials should proceed with caution. Proxy actors operate outside the control of government, affording them an unpredictability unwelcome by policymakers. With proxy actors representing a risky, albeit necessary, resource, perhaps the real challenge for states is learning when to say no.

Jamie Collier is completing  a Doctorate in Cyber Security at Oxford University

http://www.cybersecurityrelations.com

 

« Russia in Ukraine & Syria: US Revise Cyber Budget
UK’s Surveillance Dragnet Legal Challenge »

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Clayden Law

Clayden Law

Clayden Law are experts in information technology, data privacy and cybersecurity law.

Cyber Security Service Supplier Directory

Cyber Security Service Supplier Directory

Free Access: Cyber Security Service Supplier Directory listing 4,000+ specialist service providers.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Australian Strategic Policy Institute (ASPI)

Australian Strategic Policy Institute (ASPI)

ASPI's International Cyber Policy Centre (ICPC) focuses on the growing importance of cyber-related issues for broader strategic policy.

CertiKit

CertiKit

CertiKit produce toolkit products that accelerate the adoption of ISO/IEC standards, including ISO 27001, helping organizations all over the world to realize the benefits as soon as possible.

INSUREtrust

INSUREtrust

INSUREtrust is focused on insuring emerging risks related to Cyber Liability, Technology Errors & Omissions issues, and Miscellaneous Professional Liability (MPLI).

EclecticIQ

EclecticIQ

EclecticIQ provide a Threat Intelligence Platform for analyzing and managing cyber threats.

Nok Nok Labs

Nok Nok Labs

Nok Nok is a market leader in next generation authentication for cloud, mobile and IoT applications.

KIACS Cyber Security

KIACS Cyber Security

Kuwait Industrial Automation & Control Systems Cyber Security Conference addresses the issue of cyber security threats in Industrial Control Systems for oil, gas, petrochemical and power plants.

ITU Arab Regional Cyber Security Center (ITU-ARCC)

ITU Arab Regional Cyber Security Center (ITU-ARCC)

ITU-ARCC acts as ITU’s cybersecurity hub in the Arab Region localizing and coordinating cybersecurity initiatives.

Institute of Informatics and Telematics (IIT)

Institute of Informatics and Telematics (IIT)

IIT carries out activities of research, assessment, technology transfer and training in the field of Information and Communication Technologies and of Computational Sciences.