State Proxies & Plausible Deniability: Challenging Conventional Wisdom

Uploaded on 2015-09-24 in INTELLIGENCE--International, FREE TO VIEW

plausibledeniability.jpg


It is often argued that states use proxies to claim plausible deniability for their actions. This logic certainly has a historical basis. In the Cold War era, when direct war between Russia and the USA was too risky, offensive actions conducted via conduits reduced the risk of retaliation. Likewise, proxies in the cyber domain are able to ‘muddle attribution’.  For example, before and during Russia's invasion of Georgia in 2008, Russian cyber militias disabled key portions of Georgia’s communication system. This was convenient as for the attack to work, civilian systems in third-party states needed to be compromised - if a Russian state actor was implicated, the attack would have violated tenants of armed conflict. Further, assuming Russian government involvement in the Estonian 2007 attacks, the Kremlin was able to retaliate to Estonia whilst circumventing accountability and avoiding some of the diplomatic costs of direct action. 

Whilst this conventional wisdom is not dismissed, the extent to which it holds true is questioned. The appeal of proxies, for the purposes of plausible deniability, has been overemphasised for two reasons.

First, cyber attacks that stem from a state can already have a significant degree of plausible deniability, given the difficulties in attributing cyber attacks. For example, attacks can be rerouted to travel through other states whilst comments placed in computer code can be altered to mimic other languages and culture.

Second, in response to difficulties in attribution, circumstantial evidence is increasingly being used in the forensic process⁠. For example although the alleged involvement of the Russian state in Estonian denial of service attacks in 2007 remains unproven, Russia’s clear incentive to retaliate in response to the relocation of a Russian war memorial, accompanied by the lack of Russian assistance in preventing the attacks, strongly suggests their tacit support. Jason Healey has previously criticised the international community for treating every state as if it were ‘Cyber Somalia’, unable to restrain attacks from its territory or mitigate their impact. Healey insists that states should be less reluctant to place blame on other states when cyber attacks stem from their territory. As this use of circumstantial evidence becomes more widely accepted, the plausible deniability associated with proxies becomes harder to claim. 

Therefore, whilst difficulties in attribution contribute to the appeal of proxies, a state's ability to claim plausible deniability has arguably been overemphasised. But, given the popularity of proxies in the cyber domain, they must appeal for other reasons. 

Proxies appeal for a variety of reasons.  One of the most significant drivers is a process of power diffusion. Characteristics of the cyber domain have facilitated the growth of a number of non-state actors. Given the low barriers to entry, a number of non-traditional actors are able to make meaningful contributions. Unlike fighter jets and navy vessels, sophisticated tools in the cyber domain can be developed by small businesses and starts-ups. Given the current shortage of cyber security related skills, governments struggle to compete with the salaries offered by the private sector or the economic opportunities that exist in online criminal activity. GCHQ has struggled to retain employees with technically capable staff able to command considerably higher salaries in the private sector

For less powerful states, proxies provide an opportunity to bolster their capability in a power balancing process against stronger adversaries. Cyber militias in a number of weaker states such as Latvia, Lithuania, Georgia, and Kyrgyzstan have all threatened to retaliate against future Russian cyber or kinetic attacks. When states lack internal capability, proxies offer a viable strategy to help balance the odds. 

Working with proxies may also reflect national culture. The Kremlin has historically held ties with organised crime and mafia groups and these relationships have extended into the cyber domain. As previously discussed in this blog, within Estonia, a number of political, cultural and historical characteristics facilitate the participation of civil society state cyber security activity.

States may also use proxies as they are cost effective. Outsourcing means that states are not faced with a range of costs including sick leave, holiday pay and training of full-time employees. This is especially attractive given that returns on investment in training are particularly low: many government workers will quickly move to the private sector after they have finished government training, given the economic opportunities. In addition, as the power diffusion process has empowered a number of actors, states should have a healthy choice of firms and organisations to work with, theoretically increasing the efficiency and driving down the costs of outsourcing. 

It is clear states need to utilise proxies effectively in the cyber domain; plausible deniability being one of a number of benefits.  Yet, government officials should proceed with caution. Proxy actors operate outside the control of government, affording them an unpredictability unwelcome by policymakers. With proxy actors representing a risky, albeit necessary, resource, perhaps the real challenge for states is learning when to say no.

Jamie Collier is completing  a Doctorate in Cyber Security at Oxford University

http://www.cybersecurityrelations.com

 

« Russia in Ukraine & Syria: US Revise Cyber Budget
UK’s Surveillance Dragnet Legal Challenge »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Zentek Digital Investigations

Zentek Digital Investigations

Zentek has been providing digital forensics services to the public and private sector for computers and mobile devices since 2004.

We Watch Your Website

We Watch Your Website

We Watch Your Website provide website monitoring, protection, malware removal and root cause analysis services to help you keep your website secure.

Mega

Mega

Mega is a secure cloud data storage provider with browser-based high-performance end-to-end encryption.

Department of Energy - Cybersecurity, Energy Security, and Emergency Response (CESER)

Department of Energy - Cybersecurity, Energy Security, and Emergency Response (CESER)

The Office of Cybersecurity, Energy Security, and Emergency Response (CESER) addresses the emerging threats of tomorrow while protecting the reliable flow of energy to Americans today.

Halon

Halon

Halon is a flexible security and operations platform for in-transit email.

IXDen

IXDen

IXDen provides a novel software-based approach to OT systems protection, covering Industrial IoT cybersecurity and sensor data integrity.

CPP Group UK

CPP Group UK

CPP Group UK develops products to help insurers add further value to their products and services through its innovative suite of new products in FinTech, InsurTech and cyber security.

Cybersecure Policy Exchange (CPX)

Cybersecure Policy Exchange (CPX)

Cybersecure Policy Exchange is a new initiative dedicated to advancing effective and innovative public policy in cybersecurity and digital privacy.

Ministry of Information and Communications (MIC) - Vietnam

Ministry of Information and Communications (MIC) - Vietnam

The Ministry of Information & Communications of Vietnam is the policy making and regulatory body in the field of information technology and national information and and communication infrastructure.

BreachQuest

BreachQuest

BreachQuest brings together cybersecurity experts with decades of experience identifying security flaws, penetrating networks, and responding to incidents.

Tide Foundation

Tide Foundation

Tide's breakthrough multi-party-cryptography enables TRUE-zero-trust technology that unlocks cyber-herd immunity.

link22

link22

link22 offers a high level of expertise within IT security and system solutions. We help public and private actors with highly secure IT-solutions.

SMARTEST

SMARTEST

SMARTEST is a world-class IT solutions provider active in the most challenging and demanding industries such as the oil and gas industries.

Helix Security Services

Helix Security Services

Helix Security provides IT & information security consultancy to government and businesses across New Zealand.

Tsaaro Academy

Tsaaro Academy

Tsaaro Academy is a unique privacy certification training platform and here you earn a privacy certification CEH, CISM and DPO from India’s No.1 Privacy training platform.

Security Awareness Special Interest Group (SASIG)

Security Awareness Special Interest Group (SASIG)

The Security Awareness Special Interest Group (SASIG) addresses the human aspects of security and fraud prevention in an initiative to improve trust and confidence in the online environment.