State Proxies & Plausible Deniability: Challenging Conventional Wisdom

plausibledeniability.jpg


It is often argued that states use proxies to claim plausible deniability for their actions. This logic certainly has a historical basis. In the Cold War era, when direct war between Russia and the USA was too risky, offensive actions conducted via conduits reduced the risk of retaliation. Likewise, proxies in the cyber domain are able to ‘muddle attribution’.  For example, before and during Russia's invasion of Georgia in 2008, Russian cyber militias disabled key portions of Georgia’s communication system. This was convenient as for the attack to work, civilian systems in third-party states needed to be compromised - if a Russian state actor was implicated, the attack would have violated tenants of armed conflict. Further, assuming Russian government involvement in the Estonian 2007 attacks, the Kremlin was able to retaliate to Estonia whilst circumventing accountability and avoiding some of the diplomatic costs of direct action. 

Whilst this conventional wisdom is not dismissed, the extent to which it holds true is questioned. The appeal of proxies, for the purposes of plausible deniability, has been overemphasised for two reasons.

First, cyber attacks that stem from a state can already have a significant degree of plausible deniability, given the difficulties in attributing cyber attacks. For example, attacks can be rerouted to travel through other states whilst comments placed in computer code can be altered to mimic other languages and culture.

Second, in response to difficulties in attribution, circumstantial evidence is increasingly being used in the forensic process⁠. For example although the alleged involvement of the Russian state in Estonian denial of service attacks in 2007 remains unproven, Russia’s clear incentive to retaliate in response to the relocation of a Russian war memorial, accompanied by the lack of Russian assistance in preventing the attacks, strongly suggests their tacit support. Jason Healey has previously criticised the international community for treating every state as if it were ‘Cyber Somalia’, unable to restrain attacks from its territory or mitigate their impact. Healey insists that states should be less reluctant to place blame on other states when cyber attacks stem from their territory. As this use of circumstantial evidence becomes more widely accepted, the plausible deniability associated with proxies becomes harder to claim. 

Therefore, whilst difficulties in attribution contribute to the appeal of proxies, a state's ability to claim plausible deniability has arguably been overemphasised. But, given the popularity of proxies in the cyber domain, they must appeal for other reasons. 

Proxies appeal for a variety of reasons.  One of the most significant drivers is a process of power diffusion. Characteristics of the cyber domain have facilitated the growth of a number of non-state actors. Given the low barriers to entry, a number of non-traditional actors are able to make meaningful contributions. Unlike fighter jets and navy vessels, sophisticated tools in the cyber domain can be developed by small businesses and starts-ups. Given the current shortage of cyber security related skills, governments struggle to compete with the salaries offered by the private sector or the economic opportunities that exist in online criminal activity. GCHQ has struggled to retain employees with technically capable staff able to command considerably higher salaries in the private sector

For less powerful states, proxies provide an opportunity to bolster their capability in a power balancing process against stronger adversaries. Cyber militias in a number of weaker states such as Latvia, Lithuania, Georgia, and Kyrgyzstan have all threatened to retaliate against future Russian cyber or kinetic attacks. When states lack internal capability, proxies offer a viable strategy to help balance the odds. 

Working with proxies may also reflect national culture. The Kremlin has historically held ties with organised crime and mafia groups and these relationships have extended into the cyber domain. As previously discussed in this blog, within Estonia, a number of political, cultural and historical characteristics facilitate the participation of civil society state cyber security activity.

States may also use proxies as they are cost effective. Outsourcing means that states are not faced with a range of costs including sick leave, holiday pay and training of full-time employees. This is especially attractive given that returns on investment in training are particularly low: many government workers will quickly move to the private sector after they have finished government training, given the economic opportunities. In addition, as the power diffusion process has empowered a number of actors, states should have a healthy choice of firms and organisations to work with, theoretically increasing the efficiency and driving down the costs of outsourcing. 

It is clear states need to utilise proxies effectively in the cyber domain; plausible deniability being one of a number of benefits.  Yet, government officials should proceed with caution. Proxy actors operate outside the control of government, affording them an unpredictability unwelcome by policymakers. With proxy actors representing a risky, albeit necessary, resource, perhaps the real challenge for states is learning when to say no.

Jamie Collier is completing  a Doctorate in Cyber Security at Oxford University

http://www.cybersecurityrelations.com

 

« Russia in Ukraine & Syria: US Revise Cyber Budget
UK’s Surveillance Dragnet Legal Challenge »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Via Resource

Via Resource

Via Resource is a leading provider of information security recruitment and consultancy services.

RIVA Solutions

RIVA Solutions

RIVA provides innovative best practices in IT and management consulting, program support services and emerging technologies.

Eden Legal

Eden Legal

Eden Legal provides legal services on commercial and regulatory issues affecting digital businesses.

ExtraHop Networks

ExtraHop Networks

ExtraHop performs real-time analysis of wire data for performance troubleshooting, security detection, optimization and tuning, and business analytics.

CS Group

CS Group

CS Group offers a complete range of security solutions from consultancy to security maintenance and from secure infrastructure design to security governance.

Mastercard

Mastercard

MasterCard is a leading global payments solutions company that serves consumers and businesses in over 210 countries and territories worldwide.

Stealthcare

Stealthcare

Stealthcare is a full service, global cyber security firm offering solutions that educate, empower and protect.

Smart Contract Security Alliance

Smart Contract Security Alliance

The Smart Contract Security Alliance supports the blockchain ecosystem by building standards for smart contract security and smart contract audits.

Cyber-Physical Systems Security Institute (CPSSI)

Cyber-Physical Systems Security Institute (CPSSI)

CPSSI is a non-profit, by-invitation-only research and educational organization focused on practical and theoretical solutions to the cybersecurity challenges facing Cyber-Physical Systems.

Ermetic

Ermetic

Ermetic’s identity-first cloud infrastructure security platform provides holistic, multi-cloud protection in an easy-to-deploy SaaS solution.

Delta Tech Security

Delta Tech Security

Delta Tech is Pakistan’s Leading Cyber Security Solution Provider. We bring you a world-class set of consulting, next-generation products, and customized training to help protect against cyber attacks

Rolls-Royce Cybersecurity Technology Research Network

Rolls-Royce Cybersecurity Technology Research Network

Rolls-Royce has partnered with Purdue University and Carnegie Mellon University to create the Rolls-Royce Cybersecurity Technology Research Network.

Palitronica

Palitronica

Palitronica build cutting-edge hardware and breakthrough software that revolutionizes how we defend critical infrastructure and key resources.

AdvIntel

AdvIntel

AdvIntel is a next-generation threat prevention and loss prevention company launched by a team of certified investigators, reverse engineers, and security experts.

BalkanID

BalkanID

BalkanID is an Identity governance solution that leverages data science to provide visibility into your SaaS & public cloud entitlement sprawl.

Antigen Security

Antigen Security

Antigen Security is a Digital Forensics, Incident Response and Recovery Engineering firm helping businesses and service providers prepare for, respond to, and recover from cyber threats.