For example, in November, a 22-year-old Canadian hacker pleaded guilty to having worked with two officers of the Russian intelligence agency FSB. A year earlier, Germany extradited a member of the Syrian Electronic Army to the United States. Meanwhile, the seven Iranian hackers accused of being responsible for the massive distributed denial of service DDoS attacks against financial institutions in the United States in 2012 remain at large. These and other cases provide new information about these proxy relationships and their consequences.
Malicious nonstate hackers are a real threat
Policymakers and academics have had a hard time keeping up with how cybersecurity is changing on the ground. Alarmist debates about whether “cyberwar” would take place did get senior policymakers and the public to care about cybersecurity, but at the expense of making them focus on the threat from other states and interstate conflict. This means that they have systematically neglected the role that hackers detached from the state play as proxies and how they facilitate state actors to develop and quickly deploy offensive cyber capabilities.
It is now clear that actors other than states can cause significant harm through hacking. In fact, less sophisticated actors can potentially pose a greater risk than sophisticated actors because they often lack the skills to develop more precise code that would limit the effect of the malware. The WannaCry ransomware that hit computer systems worldwide last year, and forced hospitals in the United Kingdom to turn patients away, demonstrates what can happen if a less sophisticated actor uses malware with the intent to cause harm.
It is possible to identify hackers
One of the big problems in cybersecurity is identifying attackers. This is referred to as the “attribution problem.” However, attributing malicious activity online has become easier in recent years. The Russian, Syrian and Iranian attacks mentioned above led to detailed indictments, which the U.S. government decided to unseal over the past two years. These indictments illustrate that, while attribution remains difficult, for the U.S. government it has become less a question whether it is possible but how long it will take and whether it is willing to disclose what it knows to the public.
Of course, part of the reason is that attackers make mistakes and can afford to be sloppy because they have to fear few consequences (if they remain beyond reach of U.S. agencies). That is why some governments, including the United States, and some specialized private threat intelligence companies, are able to successfully identify the source of an attack with sufficient confidence and evidence to make the case stick in court.
What hackers do tells us how states think
What proxies do helps tell us how their state sponsors think about cyberthreats and how they try to project power online. Tehran, for example, cares at least as much about hacking the accounts of dissidents and potential challengers to the regime as about espionage against other countries. Moscow, Beijing, Tehran and other governments don’t think in terms of cybersecurity but information security — a more expansive concept including content and the control of information. High-profile incidents during the past five years reflect this worldview; the attacks include the Sony cyberattack, the combination of information and cyberoperations in Ukraine and the GitHub incident. These differences among states explain why the international cybersecurity debate cannot be separated from discussions about human rights, at least not as long as some governments care more about regime stability and the perceived threat of information than about technical vulnerabilities and improving the resilience of computer systems.
Hacking is changing international relations
A decade ago, very few policymakers and media outlets paid serious attention to cybersecurity. After the Sept. 11, 2001, terrorist attacks and the Iraq War, they focused on terrorism and conventional war. Many were skeptical that hacking would have a systematic impact on international affairs. Today, it is clear that this hacking wasn’t just hype. It has given actors the ability to cause harmful effects around the globe — assuming there is Internet access — far more cheaply than through conventional means.
This increase in reach is the single most important reason why hacking poses new risks to international peace and security. For example, the tensions between the United States and North Korea did not first change from a regional to a global conflict because of the development of an intercontinental ballistic missile but because of North Korea’s ability to hack systems such as Sony’s. More recent incidents targeting SWIFT, the central nervous system of global finance, highlight how vulnerable even major financial institutions remain to third tier cyber-powers like North Korea.
More states are using proxies
More states have gotten a taste for exploiting the Internet for their purposes. Mercenaries like the 22-year old in Canada, who was paid by the Russian FSB, or politically driven hacktivists like the four Iranians in their mid-20s are helping countries to develop and deploy offensive cyber tools. Ensuring that proxy hackers do not escape their masters and countering their malicious behavior poses major policy challenges. Over the next few years, we will find out whether the new administration’s focus on trying to impose greater consequences in order to deter attacks will work. If successful, it will nudge other countries to tighten the leash on their proxies. If it raises the costs of malicious hackers only a little, it will likely just make them invest a little more time and money to become stealthier and better at hiding their tracks.
Tim Maurer is co-director of the Cyber Policy Initiative at the Carnegie Endowment for International Peace. In January 2018, Cambridge University Press published his “Cyber Mercenaries — The State, Hackers, and Power,” a comprehensive study of proxy relationships between states and hackers. You can follow him on Twitter @maurertim