The Army Lawyer | Issue 5 2021

No. 1: Confronting Russian Cyber Proxies


Rapid Attribution and Coercive Diplomacy


Whenever boldness encounters timidity, it is likely to be the winner, because timidity in itself implies a loss of equilibrium.1

Over the last two decades, Russia’s use of cyber proxies has expanded on a global scale and impacted nearly all aspects of international relations. From effectively shutting down a neighboring government and its financial sector in response to moving a World War II era statue,2 to disrupting communication platforms in Eastern Europe in concert with kinetic operations,3 to gaining access to American critical infrastructure,4 Russia is actively pursuing its strategic objectives through cyber proxies. To date, the United States has tried a variety of methods to hold Russia accountable for its cyber activities including: indicting Russian intelligence officers;5 sanctioning the assets of individual Russian officials; and implementing broader economic sanctions.6 However, the United States implemented these actions months—if not years—after the incidents first became known and, therefore, had little utility in dissuading future Russian aggression.7

Much of the United States’ delay and ambiguity in response seems, at least in part, due to a burdensome attribution process that imposes unrealistic legal standards to effectively react to cyber activities.8 The speed with which cyber incidents occur, the obfuscation of actors, and plausible deniability through cyber proxies make current legal regimes untenable. As stated in the National Defense Strategy of 2018, adversaries are “using other areas of competition short of open warfare to achieve their ends (e.g., information warfare, ambiguous or denied proxy operations, and subversion). These trends, if unaddressed, will challenge our ability to deter aggression.”9 This assessment is especially relevant to Russia as one of the most sophisticated cyber actors known to use cyber proxies to challenge the United States.

The United States should move away from the current international legal standards of proxy attribution to confront Russia and its use of cyber proxies. Instead, a new policy—one grounded in a strategy of rapid attribution and coercive diplomacy—should be used to supplement the current void of applicable international law. The National Cyber Strategy of 2018 identified the United States’ need to build a cyber-deterrence initiative, but failed to give concrete policy prescriptions for dealing with cyber aggression.10 New standards of rapid attribution and coercive diplomacy would complement international law and induce Russia to adhere to acceptable norms of behavior in cyberspace.

This article aims to identify strategy prescriptions to counter Russian cyber proxy activities by assessing Russia’s strategic outlook and use of cyber proxies, identifying various shortcomings of international law, and prescribing a rapid attribution and coercive diplomacy strategy. This strategy will include specific recommendations for rapid attribution and decisively engaging Russia through coercive diplomacy, particularly economic sanctions on the Russian oil and gas sector. Such attribution and sanctions will deter Russia from future cyber activities against the interests of the United States and begin to rein in the proxy actors working under Russia.

Assessment of Russian Cyberspace Activities

Why States Use Proxies to Conduct Foreign Affairs

States use proxy relationships as a way to accomplish national objectives while limiting cost, reducing the risk of “direct conflict,” maintaining some “plausible deniability,” and “projecting power.”11 In any proxy relationship, there are two parties involved: the principal and the agent. The relationship is premised on the mutual benefit of both parties that exceeds the costs of conducting business; however, the principal (i.e., the state) is the chief beneficiary and directs the agent.12 Additionally, the relationship between the agent and the principal must be intentional for the principal to be held responsible for the actions of the agent.13 Therefore, an actor who operates on behalf of a principal, for the principal’s benefit, with some formalized relationship, will impute its actions to the principal and is considered a proxy.14

Proxy relationships can be particularly attractive to states because they provide “war on the cheap.”15 States generally use proxies to accomplish a specific task that allows the state to utilize and benefit from a resource without having to maintain the overhead costs associated with continual employment.16 As more actors enter the realm of cyberspace and gain technical sophistication, competition between proxies will increase and theoretically drive costs down even further.17

Using proxies also puts distance between an aggressor state and target state. Proxies provide states an outlet to pursue foreign policy objectives at a lower cost and with a reduced threat of escalation.18 As in the Cold War, direct confrontation between the United States and the Soviet Union created too great a risk of escalation, but competition via proxies occurred without escalating to direct conflict between the superpowers (e.g., the Russian–Afghan War, or American intervention in Vietnam).19 A principal state can use proxies to escalate or deescalate engagements with the presumption of effective control of the proxy.20

Finally, proxies provide states with some level of plausible deniability for their actions in cyberspace. Plausible deniability benefits states in “situations in which a target state is able to attribute an attack to an actor, but unable to prove a link between such an actor and a state sponsor.”21 However, as states become more sophisticated and confident in their attribution processes, the cover and appeal of plausible deniability diminishes.22

Actions Russian Cyber Proxies Have Taken Against U.S. Interests

Many cyber exploits attributable to Russia are well-known, but specific instances over the last five years are worth highlighting to demonstrate the pervasiveness of Russian-aligned cyber proxy activity. The cases below demonstrate an active attempt to undermine the political stability of the United States, target critical infrastructure, and wreak havoc globally.

As demonstrated in Table 1,23 over the past five years, Russian state agencies have worked with several proxy groups to execute strategic objectives through cyber means against the United States. As stated in the United States Summary of the 2018 National Defense Strategy, “revisionist powers . . . are competing across all dimensions of power. They have increased efforts short of armed conflict by expanding coercion to new fronts, violating principles of sovereignty [and] exploiting ambiguity.”24 Cyber proxies have become a valuable resource for the Russian government because they can accomplish political objectives economically while providing Russia plausible deniability from attribution.25 Finally, Russia recognizes its relative economic, political, and military shortcomings compared to the United States and utilizes cyber proxies to asymmetrically offset its weaknesses and challenge the United States.

Russian Strategic Outlook

Russia’s current approach to the cyber realm is informed by past events, especially its defeat in the Cold War. At the end of the Cold War, and in the decades since, Russia has recognized its inability to compete with the United States and its North Atlantic Treaty Organization (NATO) allies economically, militarily, and even ideologically in international politics.26 The sway and intrigue of international communism and Marxism was largely lost with the dissolution of the Soviet Union.27 However, many in Russia did not believe the end of the Cold War was evidence of liberal democracy triumphing over Marxism, rather they perceived the West had effectively subverted the Soviets through various sources of national power and messaging.28

This belief led Russia to find asymmetric means to counter a perceived and ever growing threat of domination from the United States and Europe.29 In the immediate aftermath of the Cold War “Russia initially sought to integrate into the Western system in the early 1990s,” however, Russia’s outlook has since changed to “view the U.S.-led [international] order as a threat to Russia’s core interests in its perceived sphere of influence.”30 Recognizing its relative position, Russia has sought to find asymmetric means to counter an ever growing threat of domination from the United States and Europe.31 To counteract their disadvantages at the end of the Cold War, and to build national power before reentering international power politics, Russia first needed to influence and control its domestic populace.

Like many authoritarian regimes, Russia sees itself in a constant state of competition and attack.32 Russia perceives its foes, led by the United States, as constantly competing for the hearts and minds of the Russian citizenry and testing Russia’s domestic ideological hegemony.33 Accordingly, Russia has taken aggressive steps to counter any assumed usurpation by sponsoring state news agencies, intimidating sources critical of the Kremlin, and launching effective and widespread media campaigns that reflect the government’s interests.34 The Russian government has projected the perception of a constant ideological struggle with foreign states on its populace in a controlled manner to ensure support for its political objectives.35 By proliferating the idea of an ideological siege, the Kremlin has attempted to embolden citizens to assist the state or to placidly accept Russia’s political messaging.36

Table 1. Significant Russian Cyber Proxy Events

Russia has adopted a whole of government approach, known as “political warfare,” to counter the perceived threat from the United States. Political warfare refers to “the employment of military, intelligence, diplomatic, financial, and other means—short of conventional war—to achieve national objectives.”37 In reality, political warfare is similar to the multi-domain campaign of the United States in that it harnesses the powers of diplomacy, information, military, and economics (or DIME), to achieve strategic objectives across the spectrum of conflict.38 As a component of political warfare, Russia uses “information warfare” to achieve its international political objectives.39 As part of its larger political warfare strategy, the Russian perspective on information warfare encompasses exploiting computer networks and associated platforms, as well as “electronic warfare, psychological operations, and information operations.”40

Recognizing its power projection shortcomings, the 2010 Military Doctrine of the Russian Federation emphasized “the prior implementation of measures of information warfare in order to achieve political objectives without the utilization of military force and, subsequently, in the interest of shaping a favorable response from the world community to the utilization of military force.”41 For Russia, “the main battlespace is the mind and, as a result, new-generation wars are to be dominated by information and psychological warfare, in order to achieve superiority in troops and weapons control, morally and psychologically depressing the enemy’s armed forces personnel and civil population.”42 It is through a “siege” lens that Russia views the rest of the world and justifies the use of information warfare to influence and undermine its perceived adversaries.43 Arguably, Russia believes pursuing information warfare mirrors the actions of its adversaries and is, therefore, an appropriate response to those perceived threats.

How Russia Views and Uses Cyberspace

In 2013, General Valery Gerasimov, the Russian Chief of the General Staff, wrote an often cited—and nearly as often misunderstood—article stating, “The very ‘rules of war’ have changed [because of cyber and information operations]. The role of nonmilitary means of achieving political and strategic goals has grown, and, in many cases, they have exceeded the power of force of weapons in their effectiveness.”44 As many scholars have noted, Gerasimov was not writing his article to articulate a new Russian way of war, rather he recognized that cyber operations can rapidly disseminate information to shape public opinion and topple authoritarian regimes (including Russia) as part of a larger information campaign.45 Under current doctrine, the United States “treats information operations and cyberspace operations as distinct zones organized under different Department of Defense directives, other near peer competitors, such as . . . Russia do[es] not.”46 Russia recognizes the power of information platforms (i.e., social media) to disseminate information leading to strategic effects. Cyberspace presents the Russian government the means to rapidly execute its information warfare operations to achieve strategic objectives in near real-time.47 Russia seeks to exploit the utility of information warfare to rapidly shape conflicts, but also understands its own vulnerabilities to the same threats.

Why Russia Uses Cyberspace

The short answer is economics. To highlight the difference in economic spending power, in 2019, the United States spent $732 billion (3.4 percent of Gross Domestic Product (GDP)) on defense compared to Russia’s $65.1 billion (3.9 percent of GDP).48 Recognizing its comparative position, Russia has invested in less expensive technologies that counter big, expensive U.S. weapons and systems.49 Russia’s asymmetric approach is not new. It has been developing weapons to counter American power projection capabilities for decades: submarines and cruise missiles to sink aircraft carriers, surface-to-air missiles to counter strategic stealth bombers, hypersonic projectiles to defeat anti-missile weapons, etc.50 In addition to being a cheaper alternative than procuring advanced weapon systems, cyber capabilities can be especially economical when conducting activities through proxies. A state can draw from a talented pool of individuals to meet specific needs and forego the costs of training associated with gaining and maintaining the required expertise.51 Cyberspace is a relatively inexpensive means to compete with and counter the United States’ advantage in other domains of conflict.

Who Are Russian Cyber Proxies?

During the Soviet era, Russia heavily invested in its human capital; and, in the 1990s and early 2000s, many former Soviet bloc countries had highly educated societies—particularly in mathematics and computer science.52 Since the collapse of the Soviet Union, there have been massive economic struggles throughout former Soviet bloc countries, leading to a highly educated and under-employed populace.53 As economic struggles continued following the end of the Cold War, many qualified information technology professionals turned to more nefarious forms of employment, giving rise to a substantial and influential cybercrime apparatus within Russia and its former satellite states.54

Russia’s attitude toward these cybercrime syndicates has developed into what Tim Maurer, Director of the Cyber Initiative for the Carnegie Endowment, describes as a “sanctioning regime” for cyber proxies. Under a sanctioning regime, “a state consciously, but indirectly, benefits from a malicious activity targeting a third party, an activity which the state could stop but chooses not to. Sanctioning describes environments where the state directly creates a fertile ground for such malicious activity to occur in the first place.”55 In the case of Russia, cyber actors (which include cyber criminals, hacktivists, and state-sponsored hacking teams) are continually operating from within its sphere of influence with the nascent understanding that, as long as they avoid attacking Russian assets or running counter to the interests of the Kremlin, most activities will be tolerated.56 As John Carlin, former Assistant U.S. Attorney General for National Security, stated, “[w]hat you’re seeing is one of the world’s most sophisticated intelligence operations when it comes to cyber espionage using the criminal groups for their intelligence ends and protecting them from law enforcement.”57

The blending of nongovernmental groups with various intelligence agencies has become the modus operandi for Russian cyber activities. At one moment, cyber actors will conduct independent cybercriminal activity, and in the next moment, they are enlisted to help the Russian government meet specific political objectives.58 Table 2 contains a list of the most prominent Russian intelligence agencies commonly found working with proxies in the cyber realm, creating advanced persistent threats (APT), along with some of the names of the proxy groups.59

Current International Law Has Limited Utility to Counter Russian Cyber Proxies

Actions Taken by Russian Cyber Proxies Do Not Constitute a Use of Force

As discussed above, Russia has significantly departed from expected norms of behavior between states, but its actions do not rise to the level considered a “use of force” under current international legal standards. Article 2(4) of the United Nations Charter states, “All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.”60

The term “force” in Article 2(4) has generally meant “armed force” directed against the territorial integrity of a state by an armed aggressor.61 United Nations General Assembly Resolution 3314 (Definition of Aggression) provided examples of force between states, including “invasion or attack by armed forces . . . bombardment . . . [or] blockade of ports . . . .”62 While the list is not exhaustive, traditional concepts of force are still the guiding principles when determining if a force-threshold meets international legal standards. Under current definitions, Russia’s actions do not meet the international legal threshold for a use of force.

The United States uses an “effects-based” test to determine whether a cyber-activity rises to the level of force, meaning a cyber-activity is compared to traditional kinetic operations.63 Under the United States’ view, a cyber-activity must “proximately result in death, injury, or significant destruction [to] be viewed as a use of force.”64 The Tallinn Manual 2.0 echoes the United States’ approach in Rule 69, stating that “[a] cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force.”65 Therefore, because Russian cyber-activities have not crossed the kinetic effects threshold, or met the United Nations’ international standard for a use of force, Russia’s actions cannot be considered a use of force by the United States. Designating Russian actions below the threshold of force is significant because it limits the United States’ ability to invoke measures in self-defense to counter Russian aggression.

Actions Taken by Russian Cyber Proxies Are Not International Wrongful Acts

Article 2 of the Articles on Responsibility of States for International Wrongful Acts (ARSIWA) states, “[t]here is an internationally wrongful act of a State when conduct consisting of an action or omission: a) is attributable to the State under international law; and b) constitutes a breach of an international obligation of the State.”66 Further, “[t]he characterization of an act of a State as internationally wrongful is governed by international law” not the domestic law of a state.67 However, international law has specifically left the issue of espionage unaddressed, thus creating a void in applicable international law.68

The Tallinn Manual 2.0 defines cyber espionage as “any act undertaken clandestinely or under false pretenses that uses cyber capabilities to gather, or attempt to gather, information.”69 The idea of peacetime espionage has almost become opinio juris as an acceptable norm of state behavior because it is so pervasive and accepted.70 The United States’ previous responses to cyber intrusions support the notion that cyber activities are not “internationally wrongful acts, but instead [are] a species of espionage that is generally unregulated by international law.”71 While Russia’s cyber actions against the United States may appear egregious, they fall within the scope of espionage and are outside the purview of international wrongful acts.72

International Attribution Requirements for Proxy Forces Are Too Stringent

Attributing cyber proxy activities to a state presents a trifecta of problems. First, to attribute a cyber-action to a state through proxy action, it must be determined what level of control the state has over the proxy or non-state actor.73 Second, if the responsible state does exert the requisite control, it is unclear how certain (i.e., what standard of proof) a victim-state must be before taking counter-actions against the responsible state.74 Third, applicable attribution models are based on cases dealing with clear uses of force, while cyber-activities rarely meet the use of force threshold.75 Combining these three factors outlines the limited utility international law provides when attempting to attribute cyber proxy activity to a state.

Table 2. Russian Intelligence and Proxy Affiliation

The test to determine the level of control required for attributing proxy conduct to a state is based on the International Court of Justice (ICJ) case, Nicaragua v. United States.76 The Nicaragua case dealt with the United States’ involvement in supporting proxy forces (contras) against the Nicaraguan government during the Cold War.77 The case held that states must have “effective control” over the non-state actors when the alleged breach of international law occurs for their actions to be attributable to the state.78 The ICJ held that, even though the United States was “financing, organizing, training, supplying and equipping . . . the contras, . . . [selecting] . . . its military or paramilitary targets, and . . . planning . . . the whole of its operation[s],” there was still insufficient evidence to demonstrate the United States had “effective-control” of the proxies.79 According to the ICJ in Nicaragua, proxies must be “completely dependent” on the sponsoring state for their actions to be imputed to a sponsoring state.80 Given the limited information that has been released regarding attribution of Russian activities, it is unlikely to meet the high burden of “effective-control” set by Nicaragua, thus limiting the applicability of international law regarding proxies.

The various evidentiary standards required to establish attribution of proxy action to a state under international legal standards are just as opaque as the “effective-control” standards. The ICJ has addressed the standard of proof issue in three cases and appears to adopt a “sliding scale of evidence based on the severity of the offense.”81 In recent cases, the ICJ has put forth “decisive legal proof,” “conclusive evidence,” “balance of probabilities,” and “balance of the evidence,” as acceptable standards of proof, depending on the “seriousness of the allegations.”82 Some scholars have synthesized these rulings and suggest the ICJ’s baseline standard is a “clear and convincing” standard where “the party with the burden of proof . . . [must] convince the arbiter in question that it is substantially more likely than not that the factual claims that have been made are true.”83 A shifting evidentiary standard does not provide a realistic framework to assign attribution to Russia for the actions of its proxies.

Finally, the effective-control test and the varying burdens of proof standards provide few parallels to cyber activities since the underlying actions addressed by the ICJ involved obvious uses of force and were conducted by military or paramilitary groups that were executing kinetic operations in a geographic space.84 Cyber activities generally do not rise to a level considered a use of force, are typically conducted by clandestine operators, and the actions occur in the digital ether of ones and zeros. Russian cyber proxy activities need to be addressed with a new policy and strategy-driven approach to rapidly identify aggressors in cyberspace and which also has inherent flexibility to counter actions against the interests of the United States that fall below the threshold of force.

Discouraging Russia’s Use of Cyber Proxies Through Coercive Diplomacy

Implement a Rapid Attribution Strategy

The National Cyber Strategy states, “[t]he United States will formalize and make routine how we work . . . to attribute and deter malicious cyber activities with integrated strategies that impose swift, costly, and transparent consequences when malicious actors harm the United States . . . .”85 To address Russian cyber proxy activity, an attribution strategy focused on American security through an aggressive cyber foreign policy is essential. As Harold Koh, former legal advisor for the Department of State, aptly stated, questions of attribution “are as much questions of a technical and policy nature rather than exclusively or even predominantly questions of law. Cyberspace remains a new and dynamic operating environment, and we cannot expect that all answers to the new and confounding questions we face will be legal ones.”86

A new attribution policy should be grounded in foreign policy and power politics by 1) examining the cyber activity for common or key indicators attributable to a known state or proxy actor; and 2) determining which state stands to gain geopolitically from a specific activity against the interests of the United States. Once the United States has made its assessment, the responsible state should be identified and attributed through a public announcement. Under this attribution regime, the United States will have the flexibility to exercise different levers of national power to counter cyber aggressors long before attempting to meet a high international legal standard of proof. As another former legal advisor to the Department of State, Brian Egan noted, “a State acts as its own judge of the facts and may make a unilateral determination with respect to attribution of a cyber-operation to another State. . . . [T]here is no international legal obligation to reveal evidence on which attribution is based prior to taking appropriate action.”87 When making an attribution claim for malicious cyber activity, the United States should act in its security interests, make a reasoned decision, and promptly confront cyber aggressors with the best information available. In other words, the United States should not allow imperfect information to delay and compromise public attribution and an appropriate response.

After the United States has publicly attributed a cyber activity to a state, the burden should shift to the accused state to rebut the allegation.88 The accused state would have two options: 1) demonstrate it has not sanctioned the activity and is therefore not responsible; or, 2) actively work with the United States to hold the perpetrators accountable before retaliation measures are enacted.89 If the accused state simply denies the suspected malicious activity without providing any additional evidence, or is non-cooperative, then coercive diplomatic actions should be considered and initiated against that state.90

It may be argued that a policy with a lower attribution standard and corresponding coercive measures is destabilizing; however, the opposite is true. “The proof necessary for attribution in cyber exploitation involving State responsibility certainly need not stand up in court,” and remains a state’s prerogative.91 The United States has taken a cautious approach to publicly attributing cyber activity, which has, in turn, emboldened aggressors.92 Publicly announcing attribution means “attackers are no longer invisible and there will be consequences for their actions. This message reshapes opponent thinking about the risk and potential costs of cyber actions against the United States.”93 

The United States operating with greater attribution freedom to address malicious cyber activity directly could have a stabilizing effect by establishing cyber norms.94 As the United States more rapidly attributes cyber proxy activity to states, and standardizes the processes and responses to malicious cyber activity, expectation management and cost analysis on the part of adversaries will determine whether challenging the United States is still beneficial.95 As of yet, the United States’ responses have not effectively deterred actions by malicious cyber actors. The implementation of stringent economic consequences by the United States may provide more incentive for Russia to exercise its “sanctioning regime” and rein in cyber proxies acting on its behalf.

Consequential Coercive Diplomacy Through Economic Sanctions

“Economic sanctions provide a range of tools . . . to alter or deter the objectionable behavior of a foreign government, individual, or entity in furtherance of U.S. national security or foreign policy objectives,” and have been a central tenet of the United States’ policy to rein in Russia.96 Currently, the United States has a robust economic sanctions regime imposed on Russia, primarily in response to Russian aggression against Ukraine (and also used to address Russia’s other nefarious behaviors).97 However, there is some debate as to the effectiveness of these sanctions against Russia.

Most sanctions on Russia do not broadly target the Russian economy or entire sectors. Rather, they consist of broad restrictions against specific individuals and entities, as well as narrower restrictions against wider groups of Russian companies. Overall, more than four-fifths of the largest 100 firms in Russia (in 2018) are not directly subject to any U.S. or [European Union] sanctions, including companies in a variety of sectors, such as transportation, retail, services, mining, and manufacturing.98

Some suggest the sanctions on Russia were purposely designed to be relatively weak so as not to harm the Russian populace at large but to instead focus on members of specific companies, industries, and members of government.99 However, further analysis shows that when sanctions are targeted against a specific industry and broadly enforced, the sanctions have tangible consequences.100 It is exactly these types of industry-specific and broadly-enforced sanctions that could, in reaction to malicious cyber activity, be implemented to quickly deter Russia and force the Kremlin to rein in its proxies.

The Russian economy is heavily dependent on fossil fuel exports, making up roughly 60 percent of Russia’s exports and 30 percent of its gross domestic product.101 Russia is the largest single energy supplier to the European Union, accounting for 27 percent of oil imports and 41 percent of natural gas imports.102 However, the United States and Europe remain strong allies against Moscow.

The United States can impose upon its target the near-equivalent of a siege if it makes economic sanctions total and secondary, meaning applied as well to third parties who traffic with the target. That is because the United States, given its unique economic position, is capable of dividing the world into those who choose to trade with America and those who choose to trade with the target.103

The United States should work with its European allies to implement sanctions on Russian oil and gas exports to stop malicious cyber activities. While the specific methods of enacting sanctions are beyond the scope of this article, the United States should specifically seek out methods to exploit Russia’s vulnerable single-commodity-based economy in reaction to malicious cyber activity. Sanctions against Russia’s oil and gas sectors would be particularly effective because those sectors have enormous influence in the Russian government.104 As discussed, with the proper economic pressures in place—and given the right incentives—the Russian government’s cyber proxy “sanctioning regime” could exercise its ability to identify perpetrators and stop their activity.105

Conclusion

Current cyber threats posed by proxy actors against the United States operate in an underdeveloped section of international law. Accordingly, international relations and statecraft provide useful tools for addressing malicious cyber activity. The United States must exercise the options at its disposal to maintain a favorable balance of power in cyberspace by employing pressure through other domains that adversaries cannot match, particularly economic means. As James Lewis, a preeminent scholar in the cyber field, stated, “[t]he most effective actions to date in causing state attackers to recalculate risk have not depended on the Department of Defense or Cyber Command, but on attribution, indictments and the threat of sanctions.”106

Publicly attributing malicious cyber activity to a state in a timely manner and holding that state responsible through a burden-shifting model is likely to cause some backlash against the United States. However, actions taken in cyberspace that do not neatly fit into a recognized area of international law are bound to create ambiguity and unease. As states continue to develop norms in cyberspace, the United States should harken back to the proverb by Thucydides: “The strong do what they can, and the weak suffer what they must.”107 The United States should not be constrained by inapplicable and unresponsive international legal regimes. Rather, the United States should confront cyber adversaries through a policy of rapid attribution and coercive diplomacy to deter future aggression, thereby building international law and norms that support the interests of the United States.


MAJ Anderson is the brigade judge advocate for the 513th Military Intelligence Brigade at Fort Gordon, Georgia.


Notes

1. Carl von Clausewitz, On War 223 (Michael Howard ed., Peter Paret trans., Alfred A. Knopf, Inc. 1993) (1832).

2. Damien McGuinness, How a Cyber Attack Transformed Estonia, BBC News (Apr. 27, 2017), https://www.bbc.com/news/39655415.

3. John Markoff, Before the Gunfire, Cyberattacks, N.Y. Times (Aug. 12, 2008), https://www.nytimes.com/2008/08/13/technology/13cyber.html.

4. Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors, Cybersecurity & Infrastructure Sec. Agency, https://us-cert.cisa.gov/ncas/alerts/TA18-074A (Mar. 16, 2018).

5. Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace, U.S. Dep’t of Just. (Oct. 19, 2020), https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and [hereinafter Six Russian GRU Officers]. The Department of Justice has made the full indictment publicly available. Id.

6. Off. of Foreign Assets Control, U.S. Dep’t of Treasury, Ukraine/Russia-Related Sanctions Program (2016), https://home.treasury.gov/system/files/126/ukraine_overview_of_sanctions.pdf.

7. Six Russian GRU Officers, supra note 5.

8. Kristen E. Eichensehr, The Law & Politics of Cyberattack Attribution, 67 UCLA L. Rev. 520, 565–73 (2020) (advocating the position that cyber-attacks should be governed by international law and allegations against a party require a strong evidentiary showing).

9. U.S. Dep’t of Def., Summary of the 2018 National Defense Strategy of the United States of America 3 (2018) [hereinafter Summary of the 2018 National Defense Strategy].

10. Donald J. Trump, U.S. President, National Cyber Strategy of the United States of America (2018) [hereinafter National Cyber Strategy].

11. Tim Maurer, Cyber Mercenaries: The State, Hackers, and Power 6, 38–39 (2018).

12. C. Anthony Pfaff, Proxy War Ethics, 9 J. Nat’l Sec. L. & Pol’y 305, 310 (2017).

13. Id. at 311.

14. Maurer, supra note 11, at 31.

15. Pfaff, supra note 12, at 305 (citing Andrew Mumford, Proxy Warfare and the Future of Conflict, 158 RUSI J. 40, 40 (2013)).

16. Jamie Collier, Proxy Actors in the Cyber Domain: Implications for State Strategy, 13 St Antony’s Int’l Rev. 25, 35 (2017).

17. Id.

18. Syed H. Manna, Book Review, Projecting Power: How States Use Proxies in Cyberspace, 10 J. Nat’l Sec. L. & Pol’y 445, 453 (2019) (reviewing Maurer, supra note 11).

19. In both the Afghan–Russian War and American intervention in Vietnam, the superpower was engaged in a protracted conflict against an enemy supported by the opposing superpower, but great power conflict was avoided. See Robert Pear, Arming Afghan Guerillas: A Huge Effort Led by the U.S., N.Y. Times (Apr. 18, 1988), https://www.nytimes.com/1988/04/18/world/arming-afghan-guerrillas-a-huge-effort-led-by-us.html. See also Jesse Greenspan, Which Countries Were Involved in the Vietnam War: How Eight Countries Got Bogged Down in Vietnam’s War Cold War Proxy Battle, History, https://www.history.com/news/vietnam-war-combatants#section_4 (June 17, 2019).

20. Maurer, supra note 11, at 41–42. See also Collier, supra note 16, at 34–35.

21. Collier, supra note 16, at 35. See also Maurer, supra note 11, at 23.

22. See sources cited supra note 21.

23. Cyber Operations Tracker, Council on Foreign Rels., https://www.cfr.org/cyber-operations/ (last visited June 16, 2021) (all data gathered in Table 1 was pulled directly from the above source. The results were filtered by placing the “Russian Federation” under the “State Sponsor” tab and the “United States” under the “Victim” tab. The specific instances were chosen to demonstrate Russia’s attempt to undermine American political processes and leadership, disrupt information networks, and cause severe economic damage. The Cyber Operations Tracker is a valuable resource with links to various news stories providing additional details about each attack and providing additional insight to the threat actors.).

24. Summary of the 2018 National Defense Strategy, supra note 9, at 2.

25. Maurer, supra note 11, at 39–40.

26. Joseph S. Nye Jr., The Future of Power 168–72 (2011).

27. Id.

28. Maurer, supra note 11, at 58.

29. Stephen Blank, Cyber War and Information War à la Russe, in Understanding Cyber Conflict: Fourteen Analogies 81, 84 (George Perkovich & Ariel E. Levite eds., 2017).

30. Andrew Radin & Clint Reach, Russian Views of the International Order, at iii (2017), https://www.rand.org/content/dam/rand/pubs/research_reports/RR1800/RR1826/RAND_RR1826.pdf.

31. Blank, supra note 29, at 83–84.

32. Maurer, supra note 11, at 58–60.

33. Blank, supra note 29, at 84.

34. Maurer, supra note 11, at 59–61. See also Anton Troianovski & Ivan Nechepurenko, Navalny Arrested on Return to Moscow in Battle of Wills with Putin, N.Y. Times, https://www.nytimes.com/2021/01/17/world/europe/navalny-russia-return.html (Aug. 25, 2021) (providing an example of the widespread campaigns to silence opposition within Russia).

35. Maurer, supra note 11, at 59–61.

36. Andrei Soldatov & Irina Borogan, Russia’s Approach to Cyber: The Best Defence is a Good Offence, in Hacks, Leaks and Disruptions: Russian Cyber Strategies 15 (Nicu Popescu & Stanislav Secrieru eds., 2018) (discussing the information campaign Russia enacted following the Chechen War to frame political issues favorable to the government).

37. Seth G. Jones, Ctr. for Strategic & Int’l Stud., The Return of Political Warfare (2018).

38. Brandon Morgan, Dropping DIMES: Leveraging All Elements of National Power on the Multi-Domain Battlefield, Mod. War Inst. (Sept. 18, 2019), https://mwi.usma.edu/dropping-dimes-leveraging-elements-national-power-multi-domain-battlefield/ (providing a brief discussion of diplomacy, information, military, and economics (DIME), as well as military planning for multi-domain operations).

39. Blank, supra note 29, at 82.

40. Michael Connell & Sarah Vogler, Ctr. for Naval Analyses, Russia’s Approach to Cyber Warfare 2, 19 (2016), https://apps.dtic.mil/dtic/tr/fulltext/u2/1019062.pdf.

41. The Military Doctrine of the Russian Federation sec. 13(d), approved by Russian Federation presidential edict on February 5, 2010, https://carnegieendowment.org/files/2010russia_military_doctrine.pdf.

42. Nicholas Fedyk, Russian “New Generation” Warfare: Theory, Practice, and Lessons for U.S. Strategists, Small Wars J. (May 4, 2017, 7:45 AM), https://smallwarsjournal.com/jrnl/art/russian-%E2%80%9Cnew-generation%E2%80%9D-warfare-theory-practice-and-lessons-for-us-strategists-0 (quoting Janis Berzins, Russia’s New Generation Warfare in Ukraine 5 (2014)).

43. Blank, supra note 29, at 82.

44. Andrew Radin et al., Understanding Russian Subversion: Patterns, Threats, and Responses 8 (2020), https://www.jstor.org/stable/resrep26519 (quoting Mark Galeotti, The “Gerasimov Doctrine” and Russian Non-Linear War, In Moscow’s Shadow (July 6, 2014), https://inmoscowsshadows.wordpress.com/2014/07/06/the-gerasimov-doctrine-and-russian-non-linear-war/).

45. Candace Rondeaux, Decoding the Wagner Group: Analyzing the Role of Private Military Security Contractors in Russian Proxy Warfare 59–60 (2019). See also Mark Galeotti, I’m Sorry for Creating the “Gerasimov Doctrine,” Foreign Pol’y (Mar. 5, 2018, 2:04 PM), https://foreignpolicy.com/2018/03/05/im-sorry-for-creating-the-gerasimov-doctrine/.

46. Zhanna Malekos Smith, Ctr. for Strategic & Int’l Stud., Burnt by the Digital Sun: How the Information Environment is Testing the Mettle of Liberal Democracies 18 (2020), https://www.csis.org/analysis/burnt-digital-sun (citing Timur Chabak & Adam Jones, Understanding Russian Information Operations, Signal (Sept. 1, 2018), https://www.afcea.org/content/understanding-russian-information-operations.).

47. Maurer, supra note 11, at 59.

48. Siemon T. Wezeman, Russia’s Military Spending: Frequently Asked Questions, Stockholm Int’l Peace Rsch. Inst. (Apr. 27, 2020), https://www.sipri.org/commentary/topical-backgrounder/2020/russias-military-spending-frequently-asked-questions.

49. Alina Polyakova, Weapons of the Weak: Russia and AI-Driven Asymmetric Warfare, Brookings (Nov. 15, 2018), https://www.brookings.edu/research/weapons-of-the-weak-russia-and-ai-driven-asymmetric-warfare/ (discussing generally Russia’s attempt to counter the United States through technological means).

50. Def. Intel. Agency, Russia Military Power: Building a Military to Support Great Power Aspirations (2017), https://www.dia.mil/Portals/27/Documents/News/Military%20Power%20Publications/Russia%20Military%20Power%20Report%202017.pdf.

51. Collier, supra note 16, at 35.

52. Connell & Vogler, supra note 40, at 7–8 (quoting David Smith, How Russia Harnesses Cyber Warfare, Def. Dossier, Aug. 2012, at 7, 9). See also Nye, supra note 26, at 168–70.

53. Maurer, supra note 11, at 94–96.

54. Id.

55. Id.

56. Maurer, supra note 11, at 95 (citing Alissa de Carbonnel, Hackers for Hire: Ex-Soviet Tech Geeks Play Outsized Role in Global Cyber Crime, NBC News (Aug. 22, 2013, 4:49 PM), https://www.nbcnews.com/technolog/hackers-hire-ex-soviet-tech-geeks-play-outsized-role-global-6C10981346).

57. Lesley Stahl, The Growing Partnership Between Russia’s Government and Cybercriminals, CBS News: 60 Minutes (Apr. 21, 2019), https://www.cbsnews.com/news/evgeniy-mikhailovich-bogachev-the-growing-partnership-between-russia-government-and-cybercriminals-60-minutes/.

58. Maurer, supra note 11, at 94–96.

59. In the table, information in the columns of “Intelligence Agency” and “Intelligence Functions” was pulled from the 2017 Defense Intelligence Agency report, supra note 50, at 72–74. Information in column “Groups Associated with Agency” can be found online. IntSights, Russia’s Most Dangerous Cyber Threat Groups (2019), http://wow.intsights.com/rs/071-ZWD-900/images/RussianAPTs.pdf. An advanced persistent threat is

[a]n adversary with sophisticated levels of expertise and significant resources, allowing it through the use of multiple different attack vectors (e.g., cyber, physical, and deception) to generate opportunities to achieve its objectives, which are typically to establish and extend footholds within the information technology infrastructure of organizations for purposes of continually exfiltrating information and/or to undermine or impede critical aspects of a mission, program, or organization, or place itself in a position to do so in the future; moreover, the advanced persistent threat pursues its objectives repeatedly over an extended period of time, adapting to a defender’s efforts to resist it, and with determination to maintain the level of interaction needed to execute its objectives.

Advanced Persistent Threat (APT), Comput. Sec. Res. Ctr., https://csrc.nist.gov/glossary/term/advanced_persistent_threat (last visited June 25, 2021).

60. U.N. Charter art. 2, ¶ 4.

61. G.A. Res. 3314 (XXIX), art. 3 (Dec. 14, 1974).

62. Id. See also Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14, ¶¶ 190–196 (June 27).

63. Harold Hongju Koh, Legal Advisor, U.S. Dep’t of State, Address to the USCYBERCOM Inter-Agency Legal Conference: International Law in Cyberspace (Sept. 18, 2012), https://2009-2017.state.gov/s/l/releases/remarks/197924.htm.

64. Id.

65. Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 330 (Michael N. Schmitt & Liis Vihul eds., 2017) [hereinafter Tallinn Manual 2.0].

66. G.A. Res. 56/83 annex, Responsibility of States for Internationally Wrongful Acts, art. 2 (Dec. 12, 2001).

67. Id. art. 3.

68. Inaki Navarrete & Russell Buchan, Out of the Legal Wilderness: Peacetime Espionage, International Law and the Existence of Customary Exceptions, 51 Cornell Int’l L.J. 897, 912 (2019).

69. Tallinn Manual 2.0, supra note 65, at 168.

70. Navarrete & Buchan, supra note 68, at 912 (citing Jeffrey H. Smith, State Intelligence Gathering and International Law, 28 Mich. J. Int’l L. 543, 544 (2007)). See also Off. of Gen. Couns., U.S. Dep’t of Def., Law of War Manual 1116 (12 June 2015) (C3, 13 Dec. 2016) (section 18.21.2 describes Tu Quoque “as an argument that a state does not have standing to complain about a practice in which itself engages” and corresponding footnote 305 which describes the United States’ understanding of espionage as a tool of foreign policy).

71. William Banks, State Responsibility and Attribution of Cyber Intrusions After Tallinn 2.0, 95 Tex. L. Rev. 1487, 1512 (2017) (citations omitted).

72. Id.

73. Christian Payne & Lorraine Finlay, Addressing Obstacles to Cyber-Attribution: A Model Based on State Response to Cyber-Attack, 49 Geo. Wash. Int’l L. Rev. 535, 557 (2017).

74. Eichensehr, supra note 8, at 578. See also Payne & Finlay, supra note 73, at 558–60 (discussing the various levels of proof used by the ICJ when determining attribution standards).

75. Id.

76. Antonio Cassese, The Nicaragua and Tadić Tests Revisited in Light of the ICJ Judgment on Genocide in Bosnia, 18 Eur. J. Int’l Law 649, 652–57 (2007). See Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14 (June 27).

77. Paul S. Reichler, The Nicaragua Case: A Response to Judge Schwebel, 106 Am. J. Int’l L. 316, 318 (2012) (the Tadic Test was not discussed since the United States does not ascribe to the Tadic methodology to determine direction and control of a proxy force. However, Tadic is still referred to in several international legal standards). For a thorough discussion of the Tadic Test and its applicability, see Cassese, supra note 76.

78. Cassese, supra note 76, at 653. See also Payne & Finlay, supra note 73, at 548–49 (2017) (discussing the general framework of international wrongful acts and varying standards of proof).

79. Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14, ¶ 115 (June 27).

80. Id.

81. Eichensehr, supra note 8, at 577. See also Payne & Finlay, supra note 73, at 558–60 (discussing the various levels of proof used by the ICJ when determining attribution standards).

82. Payne & Finlay, supra note 73, at 558 (discussing various cases brought before the ICJ and the differing standards of proof required, as articulated by the court in each case).

83. Eichensehr, supra note 8, at 561 (quoting James A. Green, Fluctuating Evidentiary Standards for Self-Defence in the International Court of Justice, 58 Int’l & Comp. L.Q. 163, 164 (2009)).

84. Cassese, supra note 76, at 652–57.

85. National Cyber Strategy, supra note 10, at 21.

86. Koh, supra note 63.

87. Banks, supra note 71, at 1505 (quoting Brian J. Egan, Remarks on International Law and Stability in Cyberspace at Berkeley Law School 19 (Nov. 10, 2016), https://www.justsecurity.org/wp-content/uploads/2016/11/Brian-J.-Egan-International-Law-and-Stability-in-Cyberspace-Berkeley-Nov-2016.pdf).

88. Vincent-Joël Proulx, Babysitting Terrorists: Should States Be Strictly Liable for Failing to Prevent Transborder Attacks?, 23 Berkeley J. Int’l L. 615, 643–45 (2005) (shifting the burden to the accused state would be a new approach for the United States in countering cyber aggression, but such a burden shift has been suggested in other areas of conflict such as international terrorism).

89. Id. at 637–45 (a similar approach of burden shifting has been seen in the literature regarding indirect state-responsibility for terror activities occurring within their borders).

90. Id. at 642–49.

91. Banks, supra note 71, at 1510.

92. Id. See also National Cyber Strategy, supra note 10.

93. James Andrew Lewis, Indictments, Countermeasures, and Deterrence, Ctr. for Strategic & Int’l Stud. (Mar. 25, 2016), https://www.csis.org/analysis/indictments-countermeasures-and-deterrence.

94. Id. (generally discussing reining in the “Wild West” of cyberspace).

95. Banks, supra note 71, at 1509 (citing Brian J. Egan, Legal Advisor, U.S. Dep’t of State, Remarks on International Law and Stability in Cyberspace at Berkeley Law School (Nov. 10, 2016), https://www.justsecurity.org/wp-content/uploads/2016/11/Brian-J.-Egan-International-Law-and-Stability-in-Cyberspace-Berkeley-Nov-2016.pdf) (generally discussing the process of establishing norms in international legal norms).

96. Cory Welt et al., Cong. Rsch. Serv., R45415, U.S. Sanctions on Russia 4 (2020).

97. Id. at 4.

98. Id. at 3.

99. Id. at 3, 50.

100. Id.

101. Greg Depersio, How Does the Price of Oil Affect Russia’s Economy?, Investopedia, https://www.investopedia.com/ask/answers/030315/how-does-price-oil-affect-russias-economy.asp (Apr. 11, 2019).

102. From Where Do We Import Energy?, Eurostat (last visited Nov. 12, 2021), https://ec.europa.eu/eurostat/cache/infographs/energy/bloc-2c.html#carouselControls?lang=en.

103. Angelo M. Codevilla, Do Economic Sanctions Work?, Hoover Inst. (Mar. 29, 2018), https://www.hoover.org/research/do-economic-sanctions-work (arguing against the use of sanctions because they can be too heavy-handed to achieve desired policy objectives. However, he does recognize that the United States is uniquely positioned to enforce and impose sanctions based on its economic scale and reach.).

104. Ariel Cohen, Russia’s Oily and Gassy Crony Capitalism: The Path to Kleptocracy, Forbes (May 31, 2019, 9:38 AM), https://www.forbes.com/sites/arielcohen/2019/05/31/russias-oily-and-gassy-crony-capitalism-the-path-to-kleptocracy/?sh=351a94f83b97.

105. Alissa de Carbonnel, Hackers for Hire: Ex-Soviet Tech Geeks Play Outsized Role in Global Cyber Crime, NBC News (Aug. 22, 2013, 4:49 PM), https://www.nbcnews.com/technolog/hackers-hire-ex-soviet-tech-geeks-play-outsized-role-global-6C10981346.

106. Lewis, supra note 93.

107. The Landmark Thucydides: A Comprehensive Guide to the Peloponnesian War 352 (Robert B. Strassler ed., 1998).