The Dangers of Using State-Sanctioned HackersG20G7.com
By Sean McGuffin
The string of large-scale data breaches in recent years—from Yahoo to Equifax—demonstrates the alarming threat posed by cyber-crime and espionage; a threat made all the more serious when considering the election interference in France and the United States. Yet, while it’s generally understood that both criminals and foreign intelligence agencies carry out attacks such as these, there is something that is less known: the ways in which these two groups have begun working together, and how dangerous it would be to allow this precedent to set.
The Russian Federal Security Service (FSB) has developed a bad reputation for partnerships of this kind by protecting, recruiting, and pressing into service hackers who it then uses to carry out online attacks. According to cyber-security expert Jeffrey Carr, “Russian hackers who are caught are given the choice to work for the FSB or go to jail. The FSB also has some on contract hire.” This prognosis matches the story of Dmitry A. Artimovich, who was arrested in 2013 for creating spamming programs. While awaiting trial for cyber-crimes in Moscow, Artimovich said he was offered a way to avoid trial all together if he was willing to work for the government. Former U.S. Secretary of Homeland Security Michael Chertoff, commenting on cyber-security, even said that “the Russians are pretty much No. 1 in terms of using criminal organizations as partners.”
This policy may seem odd, but it has its advantages. For states that lack the funding or other necessities, using criminals may be the best way to build their cyber capabilities. As one expert put it, “there’s no Silicon Valley in Russia.” Cyber criminals are already experienced at hacking into secured systems and folding them into the state’s cyber forces can provide states sanctioned cyber-attacks with a useful veil of plausible deniability. Additionally, enlisted cyber-criminals are cheap, constantly testing their skills against new counter measures, and can act as a useful auxiliary force. The hackers on the other hand gain protection from prosecution or extradition.
These advantages may seem appealing, but one should consider the possible ramifications. One of the advantages of using hackers as proxies is plausible deniability and the anonymity it can provide, but this can cut both ways. Once a state is known for using proxies and hackers to wage its cyber campaigns, this advantage can lose much of its potency, and a state could possibly even be accused of performing cyber-attacks it had no part in due in part to this reputation.
This flows into another issue—assigning culpability. If a hacker is under government protection, then that government could and should be considered responsible for their actions, regardless of whether it ordered an attack or not, and the hackers are considered state actors.
This policy stance had already been seen in action when the United States sanctioned Russia for its interference in the 2016 presidential election. It was notable because the sanctions targeted key individuals in leadership roles and the hackers themselves. This was a good example of holding states accountable for their actions but should be applied more broadly by all states when credibly faced with this type of threat.
Another issue to consider is the possibility of retaliation. This could become very serious if a major cyber-attack is launched, for instance on a power plant like the one in western Ukraine, and another state decides to respond with an action of its own. Any retaliation is unlikely to remain solely in the cyber space, but rather affect other aspects of the “real world,” and could turn very ugly if lives or critical infrastructure are harmed. The room for misunderstanding is wide, the possibility of an attack being misattributed is too high, and the norms for how to respond to cyber-attacks are still being set. All of these factors become worse when quasi-government hackers are involved.
As seen with the U.S. sanctions against Russia, action carried out in cyber-space can spill out into the “real world” because cyber-space is becoming an integral part of our modern system as any other part of the real world. When faced with these kinds of threats, policy makers should increasingly disregard the cyber-theater the attack is carried out in and look solely at the repercussions of the attack. In essence, when responding, treat the threat as if computers weren’t even involved.
Government cooperation with cyber-criminals is a reality we are already living with. As one expert said, “It would be no surprise if there are links, and it would be a great surprise if there were no links.” Cyber-space is only going to grow in importance, and as such the danger and uncertainty created when governments partner with cyber-criminals is too great to allow. While norms are still being set, it’s important that states come to an understanding on how they will treat their cyber-security.
About the author: Sean McGuffin is Fellowship Editor at Young Professionals in Foreign Policy (YPFP) and currently works at a large consulting firm. He graduated from Old Dominion University and previously served as a research intern at the Hudson Institute, where he provided research on cyber-security policy, among other topics.