Projecting Power in the Fifth Domain : An assessment of why states use proxies for offensive cyber operations

(1)

Projecting Power in the Fifth Domain

An assessment of why states use proxies for offensive cyber operations

Mattas Hjelm

Thesis, 30 ECTS War Studies

Master’s Programme in Politics and War Spring 2021

Supervisor: Niklas Karlén Word count: 17 788

(2)

Abstract

In the 21st century, cyber operations have become the modern manifestation of political warfare between great powers. Many states have made considerable efforts to build up their respective cyber commands. Contrary, or as a complement to this, some states choses to rely upon actors detached from the state for conducting their operations online. What incentives explain this strategy? There are inherent risks with employing proxies and states nowadays have an ability to conduct cyber operations from central military commands. This presents a puzzle. By using a comparative case study approach, this thesis provides a portrait of how two leading cyber actors, Russia and The United States employ different strategies in the digital domain. To understand the motivations behind state delegation of cyber conflict, this thesis applies Principal-Agent theory to explain the relationships states cultivate with non-state actors. I propose a framework containing three hypotheses that ought to affect the decision to delegate; cyber proxies offer states a possibility to enhance their capabilities, save cost and evade accountability. Through analysing the cases, I find that the use of cyber proxies could partly be explained by my hypotheses rooted in the PA theory. Lower internal cyber capability and the desire to save costs may explain why states choses to use proxies in the digital domain. However, the empirical evidence is not strong enough to suggest that cyber proxies offer states a possibility to evade accountability. Rather, it is the cyber domain itself that complicates attribution efforts. Consequently, the findings do not confirm the hypothesis that cyber proxies provide enhanced plausible deniability benefits compared to government agents. In spite of that, this thesis concludes that cyber proxies together with their implications for escalatory dynamics will probably remain challenging in the foreseeable future.

(3)

List of Abbreviations

APT – Advanced Persistent Threat CIA – Central Intelligence Agency

DDoS – Distributed Denial of Service Attack DHS – Department of Homeland Security DoD – Department of Defense

DoJ - Department of Justice

D4M - Deny, Degrade, Disrupt, Destroy, and Manipulate FSB – Federal Security Service of the Russian Federation

GRU The Main Directorate of the General Staff of the Armed Forces of the Russian Federation ICT – Information Communication Technology

NCPI – National Cyber Power Index NSA – National Security Agency

TTPs – Tactics, Techniques and Procedures

SCADA – Supervisory control and data acquisition systems SORM – System for Investigative Operations

SVR – The Foreign Intelligence Service of the Russian Federation USCYBERCOM – US Cyber Command

(5)

1. Introduction

1.1 Research Problem

Throughout history, many countries have been using proxies as means to strategic ends outside of their physical boundaries (Mumford 2013:11). The emergence of cyberspace as a new warfighting domain has further tested the state-centric model of international relations. Along with the proliferation of non-state actors which characterizes today’s digital domain, the threat environment has become increasingly complex. Nowadays, non-state actors can impose significant harm to individuals, corporations and even nation-states. The low price of entry and asymmetries in vulnerability means that small actors now have more capacity to exercise power in cyberspace compared to traditional domains of world politics (Nye 2010:1f).

However, the academic coverage of cyber warfare and offensive cyber operations are still characterized by its state-centricity (See e.g. Rid 2013; Buchanan 2016; Clarke & Knake 2010). This narrow approach is arguably problematic as it presents a puzzling gap between existing literature and the empirical evidence. Both media reporting and investigations conducted by private cybersecurity firms portrays a heterogenous cyber threat environment (see e.g. Zilber 2018; Beran 2020; CrowdStrike 2020). The complex empirical picture points, not only to states but to a broad range of non-state actors such as cyber criminals, hacktivists and “hackers-for-hire”.

The relationships between non-state and state actors present many risks and emphasizes important questions about control, authority and the use of offensive capabilities, similar to traditional proxy warfare. However, the existing literature on cyber proxies is limited (See e.g. Maurer 2018a; Borghard & Lonergan 2016; Collier 2017). Countries pursuing proxy relationships share the common challenge of balancing the benefits of using proxies with the inherent risks these constellations pose. Hence, investigating these relationships matter for a variety of reasons. It is important for War Studies, as an academic discipline, to fully understand this emerging trend in the cyber domain. Cyberspace has enabled a new set of effects below the threshold of war. Delegating offensive cyber operations to proxies can have serious implications for international stability as accidents and miscalculation in the digital domain can have disastrous consequences in the psychical world (see e.g. Futter 2018). State-sponsored hackers has already blacked out entire cities, paralyzed both banks and hospitals as well as

(6)

shutting down shipping firms, oil refineries and factories (Greenberg 2019). Consequently, non-state actors with malicious intent can be devastating for national security.

Many private cybersecurity companies track state-sponsored actors and assess how these groups are utilized. The academic research within this space also focuses upon the nature of these proxy relationships. However, few attempts has been made to understand the motivations behind the use of non-state actors in cyberspace. In a 2013 UN report on cybersecurity, 15 states including the United States, Russia and China agreed that states must not use proxies to commit internationally wrongful acts and should seek to ensure that their territories are not used by non-state actors for unlawful use of information and communication technologies (UNGA 2013) However, if the international community wishes to limit the use of state-sponsored proxies in cyberspace, an understanding of why nations choose to use them is essential. There exists a research gap concerning why countries choses to rely upon non-state actors for cyber operations despite the inherent risks these relationships constitute. Simultaneously, many states have made considerable efforts to build up their respective cyber commands. Hence, the risks with employing proxies together with the apparent ability to conduct cyber operations from central military commands presents a puzzle that questions the incentives for why states use cyber proxies.

1.2 Aim & Research Question

Cyberspace represents a new domain of conflict, adding to the existing domains of use of force by land, air, sea, and space. The overarching aim of this thesis is to contribute to the growing field of cyber conflict and acknowledge the variety of threat actors that exist in the digital domain. By solely focusing on states we risk missing a substantial part of the empirical reality where non-state actors play an increasing role. Strict state-centric views of cyber conflict do not sufficiently reflect the current environment where a plethora of actors can project power beyond traditional borders. The cyber domain represents a domain of warfare that is particularly appropriate for the use of proxies (Krieg & Rickli 2019:12).

By combining the literature of proxy warfare and cyber conflict, I seek to address the abovementioned gap by shedding light on the relationships between states and non-state actors in contemporary cyberspace. Understanding the relationship between states and cyber proxies is important. Despite the ongoing debate whether cyberattacks are comparable to armed attacks

(7)

under international law, it is unquestionable that the former can inflict great harm to our modern interconnected society. Examining the motivations behind using proxies in cyberspace can inform norms and international law trying to regulate this phenomenon and eventually lead to better developed defensive measures. My thesis seeks to explain why offensive cyber operations are outsourced to proxies despite the many incentives not to do so. In order to achieve this aim, the thesis pursue the following central research question:

> Why do states use proxies for conducting cyber operations?

I argue that states using non-state actors in cyberspace is a new and important example of conflict delegation in international politics, and this choice of strategy should be analysed through the lens of the Principal–Agent theory. To explore this I conduct a comparative case study combined with the method of structured focused comparison on the Russian Federation and the United States. In this thesis, cyber proxies are broadly defined as ‘individuals or loosely affiliated hacking groups, often times criminals, that are called upon by the state to conduct parts of or all of specific cyber operations’ (CFR 2021). Thus, this thesis does not view US contractors as proxies since they neither ‘build cyber weapons’ nor direct offensive cyber operations. Both of these activities remain the exclusive responsibility of the US military and the intelligence community (Mahoney 2021:66). For analytical clarification, I use US military joint doctrine’s definition of cyber operations (CO) as “the employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace” (JCS 2018:I-1).

1.3 Disposition

Chapter 2 opens by providing an overview of previous research on cyber conflict and non-state actors in cyberspace. Chapter 3 subsequently discusses the concept of proxies and introduces the theoretical framework. PA theory is explained and followed by theoretical reasoning on why states delegate. I consult the broader literature on the use of physical proxies in order to develop my hypotheses. Chapter 4 presents the methodological considerations including research design, material and the operationalization of my theoretical framework. Chapter 5 analyses the empirical material and assess the hypotheses respectively. The final chapter of the thesis presents the summary of the findings and some concluding remarks. The chapter also includes suggestion for future research.

(8)

2. Previous research

This chapter is dedicated to previous research on cyber conflict. As cyber operations have found their place in the toolboxes of modern statecraft, the phenomenon has simultaneously gained a lot of attention in the academic world. The first section of this chapter discusses trends and developments in the cyber conflict literature. The subsequent section account for the limited literature on non-state actors in the digital domain.

2.1 Cyber Conflict

Already in 1993, John Arquilla and David Ronfeldt wrote about the imminent danger of cyberwar. Their article pays attention to the potential risks of ICT-infrastructures related to military conflicts (Arquilla & Ronfeldt 1993). About two decades later, Richard Clarke and Robert Knake’s ‘Cyber War’ (2010) echoed these concerns. The authors argued that cyber war has already begun, and that nations are currently preparing the cyber battlefield. This influential publication triggered the academic debate whether ‘cyber war’ will or will not take place. Whereas one side advocated that cyberwar is inevitable, scholars such as Erik Gartzke (2013), Adam Liff (2012) and Thomas Rid (2012) have been more sceptical of its occurrence, arguing that cyber-attacks does not reach the required threshold of war. Thomas Rid argues that cyber capabilities are most likely to be used for intelligence collection, sabotage, and subversion rather than for all out cyber war (Rid 2012; Rid 2013). During the last decade, this view has enjoyed increasingly scholarly consensus.

More recent scholarships have left the debate of the contested concept of ‘cyber war’ and instead shifted focus to the structural dynamics of cybersecurity. Ben Buchanan's prominent book ‘The Cybersecurity Dilemma’ (2016) applies the well-known concept in international relations to the new warfighting domain that cyberspace represents. The increasing role of offensive cyber operations have been discussed extensively in scholarly circles. The question if, and how the notion of traditional deterrence applies to cyberspace has gotten a lot of attention. Thomas Shelling’s classical work on deterrence was introduced as early as 1966 but seems just as relevant in today's security landscape. The most influential publication in the cyber-context is arguably Martin C. Libicki’s ‘Cyberdeterrence and Cyberwar’ (2009). On the same topic, Joseph Nye (2017) discusses whether deterrence works in cyberspace or not. In his article, Nye argues that deterrence in cyberspace is not impossible, but punishment occupies a lesser degree of the strategy space than in the case of nuclear weapons (ibid:68).

(9)

If we further explore the context of offensive operations, there are various articles dealing with the concept of coercion and its applicability in the cyber domain. Erica Borghard and Shawn Lonergan (2017) critically assesses traditional coercion theory in cyberspace advocating that states use force, or its threat, to achieve political objectives. However, the authors conclude that cyber power alone has limited effectiveness as a tool of coercion, although it has significant utility when coupled with other elements of national power. Travis Sharp (2017) on the other hand challenges the conclusions that cyber operations are not feasible coercion strategies. His article argues that cyber operations contribute to coercion by imposing costs and destabilizing an opponent’s leadership.

However, what deterrence, coercion and ultimately the question whether cyber war will or will not take place have in common is that these theories suffer from a strict state-centric bias. It is assumed that cyber operations are conducted directly by the military personnel of rivalling states. This assumption often overlooks the importance of non-state actors in cyberspace and the dynamic relationship between states and their cyber proxies.

2.2 Non-state Actors in the Cyber Domain

The heterogeneity of actors involved in cybersecurity is being neglected as the vast majority of existing literature stays within the traditional frames of international relations and focuses on interstate activity. States using non-state actors in the cyber domain is nowadays a common occurrence. Yet it remains severely under-analysed. Only a few scholars have paid attention to this phenomenon. Christian Czossek explores state-proxy relationships and the concept of ‘cyber power’ on behalf of NATOs Cooperative Cyber Defence Centre of Excellence (Czossek 2013). Florian Egloff (2018) develops an alternative viewpoint in his doctoral thesis as he explores the analogy between cyberspace and the sea in the age of privateering. Egloff’s dissertation investigates how the historical analogy to mercantile companies, privateers, and pirates between the 16th and 19th century can elucidate the relationship between non-state actors and states in cybersecurity.

In 2016, Tim Maurer published the article “Proxies and Cyberspace” in which he tries to conceptualise the relationships between states and non-state actors in cyberspace. Maurer demonstrates how the term ‘proxies’ has been used differently, both within and across academic disciplines. Hence, he emphasizes the necessity of a clear-cut definition, especially in an

(10)

international context as the term is hard to translate into other languages. In a subsequent article, Maurer (2018b) discusses cyber proxies and their implications for liberal democracies. Here Maurer argues that cyber proxies are not an entirely new or unique phenomenon, suggesting that lessons learned from conventional proxies can be applied. Proxy relationships differ from country to country and reflect a high degree of path dependence. Consequently, how states engage with hackers resembles how they have engaged with other non-state actors in the past (Maurer 2018b:183).

Maurer published a book in 2018 titled “Cyber Mercenaries” which seeks to better understand how states use non-state actors in offensive cyber operations. The author outlines a spectrum of proxies ranging from direct governmental control to groups who are simply tolerated and appreciated by the state. Maurer builds an analytical framework for assessing the nature of proxy relationships and illustrates them in various case studies. A substantial part of the book also discusses the relevance of international law in the cyber domain. The legal aspects of proxy relationships are also the main focus for Schmitt and Vihul (2014). In their article, the authors make comprehensive assessments of the law of state responsibility, the law of self-defence as well as the international humanitarian law in connection to cyber operations.

On a further note, Sigholm (2013) provides a comprehensive overview of non-state actors in cyber conflict. These actors have varying motivations, methods and targets. Some act alone while others act in loosely connected networks or more formal structures. In his article, Sigholm tries to account for the entire palette of the many different actors existing in this new domain, ranging from ordinary citizens and patriot hackers to cyber terrorists and hacktivists (ibid:11). Jamie Collier (2017) takes this one step further providing a taxonomy on the phenomenon of states using proxy actors in the cyber domain, outlining both the availability of proxy actors as well as the nature of state-proxy relations. Collier argues that proxies are an increasingly important component of state strategy in the cyber domain but he also emphasizes how they can undermine a state’s autonomy and security. The perils of employing cyber proxies is the main focus of Borghard and Lonergan (2016). According to the authors, governments face significant dilemmas when equipping cyber proxies with tools that could be turned against them. Hence, the core of the article explores how states can manage the risks associated with these dilemmas and the conditions under which they are likely to backfire.

(11)

The abovementioned scholars have devoted a good deal of theoretical and empirical work to the topic of non-state actors in cyberspace. However, the field of research is lacking a serious analysis of state motivations for delegating to proxy actors. That states sometimes choose to delegate rather than attack their enemies using their own national capabilities is proven. The reasons for this, however, are obscure. My thesis intent to answer this question and contribute to the growing research field of non-state actors in the digital domain. The next section put the phenomenon of proxies in a historical context and outline a theoretical framework for the subsequent analysis.

(12)

3. Theoretical framework

As demonstrated by the previous section, there is a limited literature discussing cyber proxies. Drawing on the literature on physical proxies I try to circumvent this limitation. This chapter is divided into three parts. The first offers a brief discussion on proxies as a phenomenon throughout history. The subsequent section introduces Principal-Agent theory and the risks involved with delegating authority to non-state actors. The third and final section build on prior applications of the principal-agent theory and present three observable hypotheses derived from the theory in question.

3.1 Explaining the Use of Proxies

War by proxy is not a new phenomenon in international politics (Hughes 2014:2). Since ancient times, nation-states and empires have used auxiliaries, privateers, mercenaries and proxies for the execution of military functions on their behalf. From ancient Greece and the Middle Ages to the modern nation-state, proxies have been employed to help achieve foreign policy goals. Thucydides described how Athens and Sparta relied on other cities as proxies to support their cause during the Peloponnesian War in the fifth century BC (Thucydides 2012:219). In 1513, Niccoló Machiavelli wrote his classic work The Prince, in which he expressed himself extremely critical to the practice, calling proxies “useless, undisciplined, and disloyal” (Machiavelli 2005:43). The Roman Empire used barbarian tribes and the Renaissance city-states of Italy employed ‘the condottieri’ (Krieg & Rickli 2019:5). During the Cold War period, proxy warfare implied one of the two superpowers using another state as a means to an end. For decades, USA and the Soviet used proxies in conflicts in Asia, Latin America and Africa, where Soviet support for the Vietcong in Vietnam and the US support for the Mujahedeen in Afghanistan are arguably the most famous examples (Krieg & Rickli 2019:5). Nowadays proxy war has become synonymous with the violence in Syria, Libya and Yemen (Rauta 2021:114). Since the end of the Cold War, scholars have focused predominantly on non-state actors used by states as proxies. The last decade of conflict has seen a rise in their strategic appeal, especially with the transformation of the Arab Spring protests into civil wars heavily influenced by regional and international dimensions. Proxy wars are now a core feature of the contemporary and future strategic and security environment (Rauta 2020:38).

Most scholarship on these actors assess the nature of their relationship with the state and how they have helped states project power throughout history. As noted, much of the theorizing

(13)

around proxy warfare draws on Cold War analysis of the rivalry between the superpowers and their allies during conflicts in the third world (see e.g. Dunér 1981; Bisell 1978; Hoekstra 2018). Studies on state-sponsored terrorist and insurgent groups also provide theoretical contributions to the field. In this context, the PA Theory is widely used (e.g. Salehyan 2010; Byman & Kreps 2010; Krishnan 2019). As delegation is a core feature, I argue that PA theory provides the best analytical tools to understand state use of cyber proxies. Thus, the subsequent sections introduce this comprehensive theory and explain its relevance for research on cyber proxies. Using prior applications of the PA framework as a foundation, I develop three hypotheses rooted in the theory regarding state motivations for using cyber proxies.

3.2 Principal-Agent Theory: An Overview

Principal-Agent theory lies within the rational choice paradigm. The initial assumptions of the theory is that actors are rational and inherently self-interested (Corbin 2011:31) The PA framework, originally derived from microeconomic theory such as research on bureaucracies and firms, has in recent years been frequently applied to other contexts including PMCs, sponsorship of terrorist organizations and rebel groups (Krishnan 2019:544f). The framework revolves around the concept of delegation. In essence, without the practice of delegation, no principal-agent relationship would exist. According to Tallberg (2002:25) delegation is likely to take place when the expected benefits outweigh the expected costs. In the simplest terms “delegation is the process by which the principal offers a conditional grant of authority to an agent to act on their behalf” (Byman & Kreps 2010:3). The principal chooses to delegate certain functions to the agent in the expectation that the agent will act in ways that produce outcomes desired by the principal (Tallberg 2002:25).

A necessity for any PA relationship is that the delegation of tasks by principals to agents only works if agents can be incentivized (Krishnan 2019:548). Hence, it is important to emphasize that the relationship is a two-way street. The act of delegation is not solely the choice of the state but rather a strategic partnership between the principal and the agent. Proxies face a choice between contracting with a government or relying on their own efforts and resources (Salehyan 2010:506). There are various incentives for proxies to enter into agreements with principals. The agent arguably wants to maximize two things: (1) the resources they have at their disposal, and (2) the autonomy they have over their own actions (Salehyan et al 2011:716). Principals can provide the agents with money, equipment and other resources. Moreover, principals can create sanctuaries providing the agent with legal cover (Salehyan 2010:507).

(14)

Despite the importance of acknowledging this side in the relationship, my thesis will mainly focus on the principal. While agents can shirk duties or take independent action once the relationship has been formed, the power to select into the relationship ultimately lies with the principal. More broadly, the entire purpose of the relationship is centred on serving the principal’s interests and carrying out the tasks stipulated by the principal (Borghard 2014:27). Assessing the motivations behind proxies decisions to act on behalf of states is therefore outside the scope of this thesis and a potential entry for future research.

The scope condition of this thesis is that states are sometimes unwilling or unable to use their own forces to reach foreign policy objectives. Thus, proxies are viewed as a substitute for the direct use of force (Salehyan 2010:494). There is a plethora of explanatory factors why states engage in the direct use of force such as demonstration of military power, status or territorial gain. What is important is that the use of proxies must be understood in relation to these and when governments consider those options unfeasible. The PA theory provides many incentives why a principal might choose to delegate authority to an agent. Three primary reasons are however the most commonly cited in the reviewed literature. Principals delegate to an agent to (1) enhance capability (2) limit cost, and (3) avoid accountability. The first two are connected to a functionalist explanatory model whereas the latter is connected to a political-instrumentalist model. These models derive from Kruck (2014) article in which he investigates states use of PMCs. The subsequent section will discuss these three reasons further and deduce theorized hypotheses inspired by Kruck (2014).

However, an analysis of the principal-agent framework also demonstrates that there are many risks with delegation. The agent’s interests are likely to differ from the principal’s which might result in divergence between the agent’s actions and the principals intentions (Maurer 2018a:43). Due to the abovementioned rationality, the agent has an incentive to ‘shirk’ commitments in order to maximize their own benefits at the expense of the principal (Krishnan 2019:545) This is called agency loss and stems from the imperfect alignment of interests between principals and agents. In order to overcome these risks, principals must design mechanisms for screening, monitoring and incentivizing agents (Borghard 2014:26).

These risks are also present the context of cyberspace. States equip cyber proxies with tools and capabilities that potentially could be turned against them. Another important risk to emphasize is that proxies could act in a way that risks unwanted or unintended escalation with a state’s adversaries (Borghard & Lonergan 2016:414). Thus, governments must strike a careful

(15)

balance between sufficiently equipping proxies to carry out their missions, while ensuring the latter refrain from using state resources against their interests (ibid.). The inevitable problems of using proxies, as outlined above, leads again to ask why states would use cyber proxies in the first place especially when they could build up or use their own central capabilities, The next section will build on prior applications of the PA theory and explain the benefits of delegation.

Figure 1: Theoretical Puzzle

(Source: Delreux & Adriaensen 2017:27)

3.2.1 The Rationale of Delegation

In order to understand why states use cyber proxies, it is decisive to consider the incentives for delegation. Building on prior application of the PA theory, this section shed light on state motivations for using non-state actors to achieve foreign policy goals. All principals face the choice of whether to perform the desired functions ‘in house’ or to outsource them. How states use proxies in cyberspace is not very different from how states have used conventional proxies. There are however some fundamental differences between hacker groups and rebel groups that need to be emphasized. The most important of them is arguably what Maurer (2018a:7) refers to as ‘the diffusion of reach’, meaning the ability to cause effects remotely not only over regional but also global distances. A proxy no longer needs to be in physical proximity to its target. Due to the proliferation of ICTs in general, and the Internet in particular, a proxy is not restricted to the territory of the conventional conflict. A cyber proxy can operate from a principal’s territory, or from the territory of a third country. This is arguably different from “safe havens” in the traditional proxy literature since hackers’ smaller footprint makes it more likely that the ‘host’ country is unable to detect their presence on its soil (ibid:156).

(16)

Additionally, the diffusion of power to the individual level enabled by the Internet has resulted in a qualitative difference in a non-state actor’s ability to cause harm compared to conventional use of proxies. This is perhaps the other most salient aspect of cyberspace compared to other security areas (ibid:26). However, despite these differences between conventional proxies and cyber proxies, one can still reasonably assume that the state rationale for delegating authority to non-state actors is similar regardless of domain.

The functionalist explanatory model

A functionalist model of delegation apprehend the increasing use of non-state actors as a means for the effective and cost-efficient pursuit of states’ security goals (Petersohn 2010: 533). From the perspective of the functionalist explanatory model, rooted in PA theory, rational governmental actors (principals) strive for effective and cost-efficient solutions to security problems by delegating tasks to proxies (agents).

States use proxies when they lack capabilities. This is a well-documented motivator to outsource the burden of warfare (Borghard & Lonergan 2016:412). Throughout history, rulers had to outsource capability externally if they lacked skilled citizens and/or resources to sustain a standing army. Capability consequently incorporates both capacity (i.e. the number of troops available) as well as skills and expertise of the available manpower (Krieg & Rickli 2019:74). Principals are likely to delegate authority to an agent with the expertise, time, political ability, or resources to perform a task. The greater the gains from specialization, the greater the incentives to delegate (Hawkins et al 2006:13). The cyber domain is not an exception. Maurer (2018a:38) argues that additional expertise is one of the main contributions that proxies bring to the table. Non-state actors can provide specific expertise or even direct access to targets. Similar to early nation-states struggling to overcome their lack of a navy, states today are only starting to build their own cyber capabilities. Thus, in order to fill this gap, an increasing number of states have begun to rely on proxies (ibid). Specialization and expertise should however not be confused with the level of sophistication. It is generally assumed that higher levels of attack sophistication are associated with state involvement, and that therefore such attacks, when observed, may more likely be attributable to government actors (Canfil 2016).

Additionally, most scholars agree that states use proxies to minimize costs. According to Byman (2018) deploying a state’s own forces is an expensive endeavour. Hence, proxies are deemed as a cheaper option. Principal-agent theory rests on the assumption that actors want

(17)

to reduce costs due to their rational nature. Delegating authority to agents is thus seen as a way to yield economic utility as proxies offer the possibility of achieving objectives to a lower cost (Bar-Siman-Tov 1984:267). However, it is not only economic incentives that motivate state delegation to non-state actors. Costs also include time, resources and the developing knowledge associated with particular tasks (Salehyan et al 2011:713). Additionally, using your own forces for offensive operations often results in international condemnation and sanctions. However, acting through proxies are not condemned as strongly as hostile actions by government troops since the international community often look the other way when states act through proxies (Salehyan 2010:504). PA theory tells us that delegation is employed as a cost-saving device. If we follow that logic, delegation is likely when the costs and expected consequences of operations are high and tolerance for such costs is low. In order to avoid these costs, states use proxies instead.

Based on the above discussion, two specific hypotheses of delegation can be deduced from the functionalist explanatory model. They largely build on Kruck’s article (2014:116). The first revolves around principals’ lack of capability and the second is based on cost-efficiency. The capability hypothesis (H1): the more complex the technological and operative contexts of operation, the higher the dependence of principals on non-state actors material and/or immaterial resources, and the more states will make use of proxies. By implication, states with weaker internal cyber capabilities are more likely to use cyber proxies.

The cost-efficiency hypothesis (H2): the higher the incentives for saving costs and the higher the anticipated gains from delegation, the more states will rely on proxies. States with larger hacker communities are more likely to rely on cyber proxies, as the agent’s services can be used at a lower cost.

Political-instrumentalist model

In contrast with the functionalist view, the political-instrumentalist model sees delegation as a strategy of governments to reduce political costs rather than enhance effectiveness. The political-instrumentalist model relies on the PA literature on accountability-evasion as motives for delegation (Kruck 2014:117). According to this strand of PA research, delegation may be a rational strategy for political cost-sensitive actors seeking to avoid accountability for controversial or unsuccessful policy decisions and measures.

(18)

According to the political-instrumentalist model delegation is a strategy that serves to avoid politically costly operations and dodge scrutiny from the civil society, media and the international community. Transferring the execution of security functions to proxies may help governments to hide the origins of unpopular decisions from other state organs and broader constituencies (Kruck 2014:118). Thus, the use of proxies serves to cover or downplay the responsibilities of governments as the responsibility is shifted to non-state actors. This strategy depends on whether the ‘distance’ between the government and proxies can be upheld.

There seems to be a consensus assuming that states use proxies when they can plausibly deny sponsorship (Cormac & Aldrich 2018:477). The employment of proxies can blur the direct lines of responsibility and accountability which is of great importance as the state needs to manage its perception externally vis-à-vis the international community (Krieg & Rickli 2018:125) Proxies provide the principal with the ability to conduct war with limited footprints (if any) and without any negative publicity connected to the actions (Krieg & Rickli (2019:75). Whereas a state’s conventional military attack on an adversary creates a clear connection to the perpetrator and thus a clear target for retaliation from the adversary, state delegation to proxies may blur the linkage between the agent and the state sponsor. Hence, retaliation is more difficult to justify because of the weak evidence between state intent and agent actions (Byman & Kreps 2010:6). Thus, from the political-instrumentalist model we can deduce the following hypothesis: The accountability-evasion hypothesis (H3): The less popular an operation is among the international audience, the greater will be the incentives of governmental actors to reduce political costs and thus they are more likely rely on proxies. States will first and foremost outsource politically and societally controversial tasks to proxies.

(19)

4. Research Design

This thesis has an explanatory approach and uses a deductive comparative case study design. The choice of methods are largely based on the character of the research question as well as the study's temporal and spatial limitations. The following section explain why a comparative case-study method is the most suitable research design and why an explanatory approach is chosen. Thereafter, the case selection procedure is accounted for and a motivation for why Russia and the United States are selected. Subsequently, the method of structured focused comparison is presented and operationalized to clarify how I will empirically assess my theorized hypotheses. Finally, the material is presented.

4.1 Comparative case study

A qualitative case study approach is a promising method to pursue for many reasons. Cyberspace is still a relatively new phenomenon with limited data available. Moreover, information on cyber proxies in particular is very limited as it is usually classified or characterized by obscurity (Maurer 2018a:25). By taking this information-poor environment into consideration, Gerring (2009:26) argues that the case study approach allows the researcher to consult multiple sources and overcome whatever biases may affect the secondary literature. In order to answer the study's purpose and research question, two cases are compared. Thus the research design constitutes a comparative case study (CCS). According to Collier (1993:104) comparisons are fundamental tools of analysis and frequently used in testing hypotheses. As a design option, CCS are suitable when “why” questions are being posed about a process or a specific outcome. Additionally, CCS are most powerful when they are informed by a theory such as an explanation of how activities are understood to contribute to a chain of results that will produce the intended outcome (Goodrick 2014:4). Since this thesis aims at testing the explanatory potential of the principal-agent theory in general, and my theorized hypotheses in particular, a case study design is arguably advantageous. The posed question ‘why states use cyber proxies’ is clearly outcome-focused which further justifies the choice of design.

George and Bennett (2005:115) argues that case studies are effective tools for theory testing. However, they are often not meant to completely refute the theories they test. Rather the goal is to help identifying scope conditions for which theories will and will not work (ibid). The

(20)

comparative case study is thus used to examine the context and features of two instances of specific phenomena in detail. Similarly to a single-case study, the comparative approach is based on “thick description”. However a major difference between the two approaches is that the goal of comparative case studies is to identify contrasts, similarities or patterns across the cases. These discoveries in turn contribute to the development or the confirmation of theory (Mills et al 2010:174). Using the comparative case study design allows me to study the two cases in depth and to gain a comprehensive knowledge of the reasons why some states choose to delegate certain tasks to cyber proxies while others do not. According to Bryman (2008:58) “we can understand social phenomena better when they are compared in relation to contrasting cases or situations”. Another motivating factor is highlighted by Bartlett and Vavrus (2016) who emphasizes that a CCS approach is particularly suitable for international comparisons and for the examination of globally interconnected phenomena. Cyberspace is arguably an example of the latter.

The PA theory is tested against empirical material and the findings may either strengthen or weaken the theory in question. The reason for choosing an explanatory approach is the study’s deductive logic where the theoretical reasons for state delegation are tested more deeply against empirical cases. Deductive reasoning begins with a theory, which leads to hypotheses from which testable concepts are generated and thereupon tested against a set of observations (Schwartz-Shea-Yanow, 2012:26-27). According to Blatter and Haverland (2012:6) case studies are superior to large-N studies in helping the researcher to understand the perceptions and motivations of actors which I intend to do. Explanatory frameworks that take a broad spectrum of causal factors into account goes hand in hand with the use of case studies in their empirical application. Concentrating one’s empirical investigation on a few cases allows for two things: 1) taking a broader set of theoretical approaches into account and 2) collecting more precise empirical evidence (ibid:8).

4.2 Case selection

Case selection is the rational selection of one or more instances of a phenomenon as the particular subject of research. The reasons for selecting a case vary from interest in the particular case to theoretical considerations. The relevance of the cases for the research objective is the most important criterion for selection (Mills et al 2010:61). Halperin and Heath (2012:207) argues that case studies are an “incredibly powerful tool” for examining whether

(21)

concepts and theories travel, and whether (or not) they work in the same way in cases other than where they were originally developed. In order to assess the proposed hypotheses, I will conduct a comparative case study on the Russian Federation and the United States. A CCS is the ideal method of analysis since the variance in proxy use must be evaluated empirically. I choose the two presented cases based on Mill’s method of difference. When using this approach, researchers select cases that have the same or comparable circumstances, but that differ in the presence or absence of the phenomenon they want to study (Mills et al 2010:62). It is therefore also referred to as a different-outcomes comparison, where cases are selected on the basis of membership in the set of the outcome (Beach & Pedersen 2019:237). This approach also follows the logic of King, Keohane and Verba (1994) who argues that selection should allow for the possibility of variation on the dependent variable. It is difficult to explain variation on the dependent variable if it does not vary. According to them, research is inadequate if the researcher tries to explain for example the outbreak of war with studies only of war, or the onset of revolutions with studies only of revolutions (ibid:129). Consequently, by following this logic I chose to compare a case of state-use of cyber proxies (Russia) with a case of non-use of cyber proxies (USA). While the number of states expressing their intent to develop offensive cyber capabilities has seen a substantial increase during the last years, only a few have actually used such capabilities. The selected cases are therefore considered to be established cyber powers who have not only demonstrated the capability and intent, but have also conducted offensive cyber operations (Maurer 2018a:21).

Additionally, Russia is considered an autocracy whereas the US a democracy. If domestic political structures influence state decisions to go to war (e.g. the democratic peace), domestic political structure should also have implications for a much broader range of international behaviour, such as explaining why states use proxies in cyberspace. Therefore, this possible alternative explanation will be addressed briefly in the concluding section of the analysis chapter.

4.3 Structured focused comparison

The study uses George and Bennet's approach, the method of structured and focused comparison (2005:177). The method is deemed ‘structured’ in that the researcher asks a number of questions that reflect the research objective and theoretical focus of the inquiry. These

(22)

questions in turn are asked of each case under study to make a systematic comparison. The method is ‘focused’ in that it only deals with certain aspects of the cases examined. The first thing to do is to identify the universe of which a group of cases to be studied are instances. In my thesis this arguably constitutes national strategies in cyberspace. Second, a well-defined research objective and appropriate research design to achieve that objective should guide the analysis. Third, the case studies should employ variables of theoretical interest for purposes of explanation (George & Bennett 2005:181f) This is where the PA theory and my theorized hypotheses come into play.

In order to operationalize the variables, one must consider both the purpose of the study, as well as the research question. Both cases are analysed based on the three hypotheses rooted in PA theory which are assumed to affect the probability of states using proxies in cyberspace. Thus they constitute the study’s independent variables (i.e. the explanations). The independent variables are analysed via indicators constituting specific questions following the abovementioned logic of George and Bennett’s structured focused comparison. The study examines if use of cyber proxies is affected by the independent variables. Thus, the conclusions can either strengthen or weaken the theory in question. The study's independent variables are presented below in the same order in which they will be assessed in the subsequent analysis. The hypotheses are operationalized to indicators in the form of questions.

H1: Capability hypothesis: the more complex the technological and operative contexts of operation, the higher the dependence of principals on non-state actors material and/or immaterial resources, and the more states will make use of proxies. By implication, states with weaker internal cyber capabilities are more likely to use cyber proxies.

To explore this hypothesis, I assess respective country’s cyber capability. The logic behind this is simple. If lacking sufficient capabilities, the higher probability to delegate to a proxy actor. Thereafter I examine if, and how multifaceted bureaucracies might result in structural inefficiencies and thus work as a motivating factor for using cyber proxies instead of state entities. The focus is consequently on the agencies of the countries responsible for conducting cyber operations. In presence of competition issues and overlap between agencies, cyber proxies arguably provide an option to circumvent the drawbacks of inefficiencies within the state. Additionally, according to the theoretical discussion in chapter 3, the level of

(23)

sophistication is also of interest. Thus, the common modus operandi of respective country is examined.

- What does the cyber capability in the country look like?

- Which agencies are responsible for conducting cyber operations? - What common modus operandi does the country employ?

H2: The cost-efficiency hypothesis: the higher the incentives for saving costs and the higher the anticipated gains from delegation, the more states will rely on proxies. States with larger hacker communities are more likely to rely on cyber proxies, as the agent’s services can be used at a lower cost.

To evaluate cost-saving as an explanation for using proxies, I examine the private market in respective country to determine skill-level, recruitment issues for state agencies and the presence (and attraction) of a cyber-criminal underworld. If there is a private market with unemployed skilled individuals the probability of using proxies would arguably increase. Understanding the costs of conducting a cyber operations is also important.. Hence, I conduct an analysis of two cyber operations; the first conducted through a proxy actor on Russia’s behalf and the second operation conducted by a US state agency to evaluate whether proxies offer a more cost-efficient option or not.

- How does the private market look in the country? - What was the cost of the operation?

H3: The accountability-evasion hypothesis: The less popular an operation is among the international audience, the greater will be the incentives of governmental actors to reduce political costs and thus they are more likely rely on proxies. States will first and foremost outsource politically and societally controversial tasks to proxies.

In considering accountability-evasion as an explanation, I assess whether or not plausible deniability is attainable in today’s cyberspace. This is mainly done through an assessment of technical and intelligence capabilities and a discussion about the attribution problem. If a state can plausible deny involvement in a cyber operation through the use of a proxy, negative international reactions ought to be unlikely. Therefore, if we assume that accountability-evasion

(24)

is a motivating factor for using cyber proxies, we would expect that international reactions are more present in connection with a state-conducted cyber operation than an operation conducted by a proxy actor.

- Is plausible deniability attainable in today’s cyberspace?

- How does the international community react to alleged operations? Table 1: Variables & Indicators

PAT framework - Variables Indicators

H1: Capability - Cyber capabilities

- Responsible agencies - Common modus operandi

H2: Cost-efficiency - Private market

- Cost of operation

H3: Accountability-evasion - The possibility of plausible deniability

- International reactions

The table is used to guide the analysis. The left column summarizes the theory's independent variables and the right column presents the indicators which are deduced from the questions.

(25)

4.4 Material

Case studies facilitates exploration of a phenomenon within its context using a variety of data sources (Baxter & Jack 2008:544). The material for this thesis has been collected from a wide variety of mediums such as academic articles and books as well as reports by think tanks and the media, to primary literature, such as government documents and statements from officials. The myriad of private cybersecurity companies also publishes many reports on the topic. It is arguably beneficial to collect material from many different sources as the subject of cybersecurity can be very complex, especially when examining non-state actors.

When news articles of the topic have been utilized, multiple articles from different news agencies have been examined in order to avoid significant bias. When Russian material have been used, all translation are made by me unless otherwise indicated. Additionally, it is important to acknowledge the Western bias when consulting reports from Cyber Security firms. Most of these firms are based in the United States and the vast majority of their reports deal with threat actors from a US-perspective. By following the logic of triangulation I avoid the problem of unreliable measures (Beach & Pedersen 2019:128).

When evaluating the capability-hypothesis, I consulted the Belfer National Cyber Power Index (NCPI) to assess both Russia’s and The US cyber capabilities. This was further complemented by relevant research and strategic documents covering the subject. Although ITU (2018) has released a similar index, the dataset of NCPI is both more recent and more comprehensive, thus chosen. The team behind the NCPI has produced the best model to-date for assessing cyber power. It measures country’s cyber capabilities in the context of seven national objectives, using 32 intent indicators and 27 capability indicators with evidence collected from publicly available data (Belfer Center 2020:1). The most comprehensive cyber power is the country that has (1) the intent to pursue multiple national objectives using cyber means and (2) the capabilities to achieve those objective(s) (ibid:2). When examining which agencies responsible for cyber operations in respective country I consulted think-tank reports and documents from governmental agencies. The common modus operandi is mainly assessed through consulting academic journals, books and reports from private cyber security firms.

The cost-efficient hypothesis is evaluated through an assessment of the private markets in respective country. Both media and industry reports have written a lot about this topic and in particular about recruitment issues facing state-agencies in cybersecurity. The material offer

(26)

valuable open source insights into Moscow’s and Washington’s cyber limitations and how this might affect the reliance and use on non-state actors. It concentrates on Russian and American state organisations, primarily the military and intelligence services and their connections to the IT industry, criminal hackers and other third parties. In terms of analysing the cost of cyber operation, I consulted a US Department of Justice (DoJ) concerning a Russian-sponsored cyber operation (the Yahoo Hack in 2017). This indictment brought to light how Russia uses cyber criminals to aid its hacking efforts to pursue its political ends. The second case under scrutiny is the US-originated Stuxnet-attack from 2010 which has been the subject of countless articles and reports examining the operation in terms of manpower and cost. Even though Stuxnet is considered extremely sophisticated and far more complex than the Yahoo Hack, the comparison still gives a good indication how costs can differ if the operation is conducted by state entities or delegated to non-state actors.

The third and final hypothesis is evaluated through first discussing the possibility of achieving plausible deniability in the digital domain and the problem of attribution. Thereafter I assess the international response in connection with cyber operations. Here, public statements from officials and media coverage constitutes the majority of the material.

(27)

5. Analysis

This chapter explore the rationale for cyber proxy use within Russia and contrasts it with the United States. Three explanations rooted in PA theory have been used to understand the motivations for cyber conflict delegation. According to the theoretical framework, states use cyber proxies to enhance capability, save cost and evade accountability. The subsequent sections will look at each of the theorized hypotheses in turn and provide empirical data to suggest whether these hypotheses can motivate cyber proxy use or not. Each section is followed by a run-down of the empirical findings and their implications for the theory and the stipulated hypotheses. Ultimately, the final section of this chapter briefly addresses the alternative explanation of whether or not differentiation in regime-type may affect why states use cyber proxies.

5.1 Capability-hypothesis

The first explanation for using cyber proxies focuses on capabilities. According to PA theory, state delegate when they lack sufficient capability to conduct the task themselves. Thus, if this factor is a reason for using proxies, one may expect to see that low national cyber capability and low commitment to building an internal cyber workforce increases the incentives for cyber proxy use. Additionally, overlapping functions and infighting in a state’s bureaucracy can limit the state agencies flexibility, thus further motivating proxy use. Finally, the common modus operandi tells us about the level of sophistication. It is assumed that higher levels of attack sophistication are associated with state involvement, thus these are more likely conducted by government actors. Consequently, low level of sophistication incentives states to employ proxies.

5.1.1 Russia is lagging behind

What the West perceives as a Russian digital offensive is largely a consequence of a deep-seated sense of insecurity in Russia due to its inferior position in both capability and technology vis-à-vis its rival (Vendil Pallin & Hjelm 2021). According to the National Cyber Power Index, Russia is an actor characterized by “High intent, low capability”. Countries falling under this label are actively signalling to other states that they intend to develop their cyber capabilities but do not currently have the capabilities at hand to achieve their cyber goals (Belfer Center 2020). Russia has in recent years demonstrated a capacity to craft and employ sophisticated malware to support operations that range from espionage to disrupting critical infrastructure.

(28)

However, the government in Moscow cannot escape the difficulties in developing the needed technology to keep pace with its rivals (Cheravitch & Lilly 2020:31). This correspond well with the logics of delegation rooted in PA theory as the capability-dilemma arguably incentives Russia to use other options. To manage or mitigate its shortage of capability, the Russian government solicit or coerce individuals and organisations to conduct operations on Moscow’s behalf (ibid:38).

According to SIS1_{, Russia has employed organised crime groups to supplement its lacking}

cyber capability. This is further accentuated by GCHQ2_{who described the link between Russian}

Intelligence services and the cyber criminals as a “symbiotic relationship” (ISC 2020). The domestic hackers enhance Moscow’s capabilities as they are leveraged by government actors to carry out activities that benefit Russia’s agenda.

The Russian intelligence apparatus consists of the following three primary organizations; • The Main Intelligence Directorate (GRU)

• The Federal Security Service (FSB) • The Foreign Intelligence Service (SVR)

Russian military is a latecomer to the cyber arena. For many years, cyber was the exclusive domain of the state’s security services. The FSB, appears to be the Federation’s lead actor for conducting cyber operations. It also maintains and operates SORM, the State’s internal cyber surveillance system (Connell & Vogler 2016:6). In the 1990s and early 2000s when Russia’s internet was largely unregulated, the FSB developed relationships that helped it co-opt or coerce independent Russian hackers into cyber operations, helping to circumvent the human capital challenges (Oliphant 2017). The Foreign Intelligence Service (SVR) is Russia’s external intelligence agency. Despite its title and status as the primary foreign intelligence service, little evidence exists that the SVR is involved in cyber operations. However, the group named APT29 (aka. CozyBear) is believed to work for the Russian government, either the FSB and/or SVR. (NCSC UK 2018).

1_{SIS is the UK’s foreign human intelligence (HUMINT) agency, focusing on intelligence}

gathering.

2_{GCHQ is the UK’s signals intelligence (SIGINT) agency – also focusing on intelligence}

(29)

Inside the GRU, the 6th Directorate is probably mainly responsible for carrying out cyber operations (Estonian Foreign Intelligence Service 2018: 55). When it comes to offensive cyberspace operations, or what the US military describes as deny, degrade, disrupt, destroy, and manipulate (D4M) operations, the GRU is the primary actor. The GRU’s dominance makes sense given that the SVR and FSB are more focused on espionage (Grzegorzewski & Marsh 2021).

There appears to be rivalry and competition within the Russian system. A lot of empirical evidence point to coordination issues and competition between Russian intelligence agencies (Van Wie Davis 2021:53; Soldatov & Rochlitz 2018:84). Bureaucratic competition has long complicated Moscow’s efforts to develop cyber capabilities. Even during the Soviet period, a zero-sum approach by state actors to resources resulted in bureaucratic hurdles for initiatives to enhance the cyber capabilities. When the GRU entered the field of cyber operations, the FSB, openly opposed the initiative (Connell & Vogler 2016:7). Reports indicates that the GRU and FSB possess overlapping or unclear responsibilities and compete with one another for political influence and funding (Morgus et al 2019:20).

A clear example of coordination issues between the agencies was when both unknowingly targeted the DNC at the same time for a hack-and-dump operation (Grzegorzewski & Marsh 2021). This is a major difference to Western Intelligence agencies, which almost never go after the same target without coordinating due to fear of compromising each other’s operations (Ioffe 2018). Deconflicting missions and infighting between Russian agencies has increased recently which leads actors to leak information to undermine rival organisations, resulting in attribution or arrests. Threats from “rivals within the state” prompt bureaucrats to seek outside alliances in order to secure their position vis-à-vis opponents (Hedberg 2016:69). Thus, by delegating authority to proxies, agencies can build loyal relationships which can serve as important allies in struggles against ‘internal’ rivals.

Russian intelligence services have become adept at integrating their network operators with their information operators (Soldatov & Borogan 2018:18). Cyber-enabled influence operation, is perhaps the most widely recognized Russian modus operandi. Moscow uses cyber actions to amplify broader propaganda efforts, sowing discontent within the governments and populations of the targeted state (Valeriano et al 2018:369). This modus is not characterized by a particular high level of sophistication and fail to coerce in a direct manner. The Russian approach to cyber

(30)

strategy appears to be more about ambiguous signalling and amplifying propaganda than it does direct compellence. These strategies do not generate concessions in a manner similar to the cyber superpower, the US (Jensen et al 2019:229).

5.1.2 USA: The Cyber Hegemon

The United States is the most sophisticated actor in the fifth domain and considered the world’s cyber hegemon (Valeriano et al 2018:599). Cyber capabilities began growing in America’s intelligence agencies, armed services, and computer and telecommunications industries in the 1970s (Warner 2020:2). The US has substantial cyber capabilities thanks to comparatively advanced technology and a large military budget (USCYBERCOM 2018). That the US is powerful in the cyber domain is also pointed out in the NCPI, where the country is deemed as an “High intent, High capability”-actor. Countries with high levels of both intent and capability are the highest-ranking countries in the NCPI. These countries both signal in strategies and in previously attributed cyber-attacks that they intend to use cyber to achieve policy goals and have the capabilities to achieve them (Belfer Center 2020).

Several US institutions bear responsibility for cyber activities. Responsibilities are divided between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), the Central Intelligence Agency (CIA), the National Security Agency (NSA), and the Department of Defense (DoD), including the Strategic Command’s Cyber Command (Van Wie Davis 2021:27). The latter have extensive offensive capabilities for breaking into and destroying foreign communications and computer networks. Military cyber operations, however, are constrained by governing legal authorities and must be approved by the US president (ibid:28).

The US approach to cyber operations appears to be unified and characterized more by collaboration than competition. For example, The DHS and the DoD signed a cybersecurity pact in September 2010 formalizing their cooperation, allowing the colocation of personnel, joint operational planning, and allowing the DHS to use the NSA’s advanced technical expertise (ibid:29). Furthermore, the NSA and military Cyber Command are both located at Fort Meade outside Washington DC, and intelligence experts say working closely together is already the norm - with the former providing much support and expertise to the latter (Haizler 2017:37). While USCYBERCOM has responsibility for offensive cyber operations, the foundation for

(31)

that capability will reside on the intelligence and surveillance capabilities of the NSA and their exploitation capability. Consequently, U.S. cyberwarfare elements appear much more coordinated with one another than in the case in Russia.

The United States uses cyber operations at a much more sparing rate with more coordinated, sophisticated, and controlled actions compared to the cyber operations coming out of Russia (Valeriano et al 2018:593, 599). When the U.S. engages in cyber operations, it places a higher priority on cyber “Pearl Harbours” or one-time, major attacks on adversary’s computer network and operating systems. With a preference for precision strikes against a target’s command and control system, US cyber-attacks rely on complicated, costly, and time-intensive operations (ibid:569). This modus operandi are more likely to have a compellent effect than disruptions or espionage.

5.1.3 Summary

There seems to be evidence indicating that one of the reasons for why states use cyber proxies is motivated by limitations of the technology and human capital needed for to build up cyber capabilities. The analysis demonstrates a substantial capability-gap between Russia and the United States (see radar charts of capabilities below). To overcome this apparent hurdle in the cyber domain, Russia rely on ”patriotic hackers” and cyber criminals for cyber operations. Thus, the use of non-state actors enhances Russia’s current lacking cyber capabilities.

(Source: Belfer Center 2020:71) When Russian state-sponsored actors conducted massive distributed denial of service (DDoS) attacks (which are considered fairly simple) against Estonia in 2007 and Georgia in 2008, the

(32)

United States simultaneously developed the Stuxnet malware (an attack unparalleled in its sophistication, which will be elaborated more later on). These examples clearly demonstrate the gulf in capabilities between the two countries. Russia needs more than their current limitations allow, thus motivating the use of cyber proxies.

The level of cyber coordination which characterize US forces in the domain is visibly missing from the Russian military force structure. Instead, Russia relies heavily on its intelligence agencies to direct and coordinate cyber operations with hacker groups. The empirical evidence points to bureaucratic overlaps and infighting between Russia’s agencies, which have a history of alleged competition. These structural inefficiencies could reasonably motivate state agencies to utilize cyber proxies. In the case of Russia, the presence of such challenge may encourage states to use cyber proxies as they could be employed to overcome bureaucratic constraints. Additionally, Russia’s common modus operandi appear relatively modest compared to the U.S. level of sophistication. Consequently, the empirical evidence combined arguably confirms my hypothesis that states with weaker internal cyber capability are more likely to use proxies. This implies that the rationale for delegation, rooted in PA theory, has explanatory power in this regard.

5.2 Cost-efficiency

The second explanation for using cyber proxies focuses on cost-efficiency. According to PA theory, one of the most important functions of delegation is a cost-saving device. Following the logic of my hypothesis, cost is deemed as a driver if agents services can be utilized to a lower cost due to the character of the private market and availability of actors. Furthermore, there should be a significantly higher cost of conducting the operation by the hands of a government agent vis-a-vis a non-state actor for the hypothesis to be confirmed.

5.2.1 Russia: The nexus between crime and state

In 2017, Prime Minister Dmitriy Medvedev described brain drain as a significant problem for Russia’s development and future competitiveness in the information field as the low salaries in Russia compared to those offered in the West create an outward flow of specialists (TASS 2017). However, the empirical picture also points to a darker side of the private market in the country. A lot of Russian hackers finds crime to be a very lucrative business in which they can

Projecting Power in the Fifth Domain : An assessment of why states use proxies for offensive cyber operations