State Proxies & Plausible Deniability: Challenging Conventional Wisdom

plausibledeniability.jpg


It is often argued that states use proxies to claim plausible deniability for their actions. This logic certainly has a historical basis. In the Cold War era, when direct war between Russia and the USA was too risky, offensive actions conducted via conduits reduced the risk of retaliation. Likewise, proxies in the cyber domain are able to ‘muddle attribution’.  For example, before and during Russia's invasion of Georgia in 2008, Russian cyber militias disabled key portions of Georgia’s communication system. This was convenient as for the attack to work, civilian systems in third-party states needed to be compromised - if a Russian state actor was implicated, the attack would have violated tenants of armed conflict. Further, assuming Russian government involvement in the Estonian 2007 attacks, the Kremlin was able to retaliate to Estonia whilst circumventing accountability and avoiding some of the diplomatic costs of direct action. 

Whilst this conventional wisdom is not dismissed, the extent to which it holds true is questioned. The appeal of proxies, for the purposes of plausible deniability, has been overemphasised for two reasons.

First, cyber attacks that stem from a state can already have a significant degree of plausible deniability, given the difficulties in attributing cyber attacks. For example, attacks can be rerouted to travel through other states whilst comments placed in computer code can be altered to mimic other languages and culture.

Second, in response to difficulties in attribution, circumstantial evidence is increasingly being used in the forensic process⁠. For example although the alleged involvement of the Russian state in Estonian denial of service attacks in 2007 remains unproven, Russia’s clear incentive to retaliate in response to the relocation of a Russian war memorial, accompanied by the lack of Russian assistance in preventing the attacks, strongly suggests their tacit support. Jason Healey has previously criticised the international community for treating every state as if it were ‘Cyber Somalia’, unable to restrain attacks from its territory or mitigate their impact. Healey insists that states should be less reluctant to place blame on other states when cyber attacks stem from their territory. As this use of circumstantial evidence becomes more widely accepted, the plausible deniability associated with proxies becomes harder to claim. 

Therefore, whilst difficulties in attribution contribute to the appeal of proxies, a state's ability to claim plausible deniability has arguably been overemphasised. But, given the popularity of proxies in the cyber domain, they must appeal for other reasons. 

Proxies appeal for a variety of reasons.  One of the most significant drivers is a process of power diffusion. Characteristics of the cyber domain have facilitated the growth of a number of non-state actors. Given the low barriers to entry, a number of non-traditional actors are able to make meaningful contributions. Unlike fighter jets and navy vessels, sophisticated tools in the cyber domain can be developed by small businesses and starts-ups. Given the current shortage of cyber security related skills, governments struggle to compete with the salaries offered by the private sector or the economic opportunities that exist in online criminal activity. GCHQ has struggled to retain employees with technically capable staff able to command considerably higher salaries in the private sector

For less powerful states, proxies provide an opportunity to bolster their capability in a power balancing process against stronger adversaries. Cyber militias in a number of weaker states such as Latvia, Lithuania, Georgia, and Kyrgyzstan have all threatened to retaliate against future Russian cyber or kinetic attacks. When states lack internal capability, proxies offer a viable strategy to help balance the odds. 

Working with proxies may also reflect national culture. The Kremlin has historically held ties with organised crime and mafia groups and these relationships have extended into the cyber domain. As previously discussed in this blog, within Estonia, a number of political, cultural and historical characteristics facilitate the participation of civil society state cyber security activity.

States may also use proxies as they are cost effective. Outsourcing means that states are not faced with a range of costs including sick leave, holiday pay and training of full-time employees. This is especially attractive given that returns on investment in training are particularly low: many government workers will quickly move to the private sector after they have finished government training, given the economic opportunities. In addition, as the power diffusion process has empowered a number of actors, states should have a healthy choice of firms and organisations to work with, theoretically increasing the efficiency and driving down the costs of outsourcing. 

It is clear states need to utilise proxies effectively in the cyber domain; plausible deniability being one of a number of benefits.  Yet, government officials should proceed with caution. Proxy actors operate outside the control of government, affording them an unpredictability unwelcome by policymakers. With proxy actors representing a risky, albeit necessary, resource, perhaps the real challenge for states is learning when to say no.

Jamie Collier is completing  a Doctorate in Cyber Security at Oxford University

http://www.cybersecurityrelations.com

 

« Russia in Ukraine & Syria: US Revise Cyber Budget
UK’s Surveillance Dragnet Legal Challenge »

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law are experts in information technology, data privacy and cybersecurity law.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

DigitalStakeout

DigitalStakeout

A simple and cost-effective solution to monitor, investigate and analyze data from the web, social media and cyber sources to identify threats and make better security decisions.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Cyber Security Service Supplier Directory

Cyber Security Service Supplier Directory

Free Access: Cyber Security Service Supplier Directory listing 5,000+ specialist service providers.

D-RisQ

D-RisQ

D-RisQ is focussed on delivering techniques to reduce the development costs of complex systems and software whilst maximising compliance

CERT-UA

CERT-UA

CERT-UA is the national Computer Emergency Response Team for Ukraine.

Ingenico Group

Ingenico Group

Ingenico is a leader in secure electronic payment solutions.

Alan Boswell Group

Alan Boswell Group

We are a Group of Companies providing specialist Insurance Broking and Risk Management advice and services including Cyber Risk cover.

Wireless Logic

Wireless Logic

Wireless Logic delivers a range of secure and resilient value-added M2M/IoT managed services that empower remote devices to communicate cost-effectively, two ways.

Seclytics

Seclytics

Seclytics is a one-stop cyber threat intelligence correlation and prediction platform.

BehavioSec

BehavioSec

BehavioSec uses the way your customers type, swipe, and hold their devices, and enables them to authenticate themselves through their own behavior patterns.

Baltimore Cyber Range (BCR)

Baltimore Cyber Range (BCR)

Baltimore Cyber Range provides IT and cybersecurity training, simulation and placement services across the full spectrum of experience and skill levels.

Caveonix

Caveonix

Caveonix’s RiskForesight TM solution is an automated, proactive risk and compliance platform designed for hybrid and multi-cloud.