Corbin Stevens is a former intern in the Council on Foreign Relations Digital and Cyberspace Policy program and a graduate student at Princeton University’s School of Public and International Affairs.
This is the second part of a two-part series on cyber and nuclear crisis instability. Part one can be accessed here.
In the first part we discussed the risk of nuclear crisis instability caused by cyber operations and how U.S. cyber doctrine was undermining the two main pathways toward addressing this risk: establishing norms limiting the targeting of nuclear systems and demonstrating unilateral restraint when conducting cyber operations.
The U.S. contribution to strategic instability is compounded by Russia’s and China’s cyber strategies. Particularly risky is that both countries incorporate “cyber proxies” as central parts of their cyber doctrines. Broadly defined, cyber proxies are loosely affiliated hacking groups, oftentimes criminal hacking groups, that are called upon by the state to conduct parts or all of specific cyber operations.
For Russia, it has been longstanding practice for the state security service (FSB) and military intelligence (GRU) to employ cyber criminals for offensive cyber operations in return for implicit legal immunity. This has allowed the state to cheaply leverage technical expertise and, more importantly, facilitate plausible deniability on the part of the Russian government for cyber operations.
For China, while a specific cyber doctrine has never been published, the country is currently in the process of reorganizing its cyber forces into the People’s Liberation Army Strategic Support Force (PLASSF). This centralization of cyber authority provides hope that Beijing will eventually possess an offensive cyber force similar to the United States’ Cyber Command that can better be held to account. However, based on recent reporting, China still extensively uses criminal proxies to conduct cyber operations with plausible deniability, similar to the Russian model.
The use of cyber proxies contributes to nuclear crisis instability, as hacking groups associated with both Russia and China have demonstrated the capability to infiltrate other nuclear-armed states’ militaries and their respective defense industrial bases. Given this reach and level of sophistication, decision-makers have likely concluded that these proxies could compromise their nuclear systems, if they haven’t already.
The barriers to addressing this source of instability are high. First, establishing cyber norms for proxies seems to be a non-starter. These groups’ raison d'être is providing their state sponsor plausible deniability in cyber operations and making proper attribution for cyberattacks difficult. It is unlikely that Russia or China would agree to a norm that would both acknowledge that they have been using cyber proxies, despite their repeated denials, and require their governments to be held directly responsible for actions committed by their respective proxies. Even if they did agree to such a norm, it is doubtful a nuclear-armed state would believe they were acting in good faith, given that proxies are used to skirt acceptable international norms of behavior.
Second, an inherent tradeoff in a state using cyber proxies to enhance plausible deniability is relinquishing control over how the proxy carries out cyber operations, completely undermining any notion of unilateral restraint. To take a prominent example, Russian state hackers and associated proxies used the NotPetya malware to attack Ukrainian businesses and critical infrastructure in Russia’s ongoing intervention in the Donbas region. While such attacks were successful in their objective of crippling Ukraine, they completely lacked precision and the malware spread globally, infecting countless victims, including hospital systems in the United States and a chocolate factory in Australia. In a crisis situation between nuclear-armed states, such proxies are divorced from state leaders and their decision-making. An unsanctioned cyberattack could easily precipitate inadvertent escalation and there is no way for a state to demonstrate that it would have sufficient control over its proxies in a nuclear standoff to prevent such a risk.
The only effective option to minimize the strategic instability caused by cyber proxies would be for Russia and China to centralize their cyber operations and abandon the use of such groups. Fortunately, while it is unlikely that either state will stop utilizing proxies completely, there is some evidence that their use of proxies could be decreasing. This is due to improvements in cyber attribution and evolving norms on state responsibility, where governments are now more willing to accuse adversary states of cyber proxy ties based on circumstantial and cumulative evidence rather than legally admissible proof.
Given the shifting landscape on cyber attribution practices and the shared interest in minimizing the risk of inadvertent escalation, now is a prime opportunity for the United States, Russia, and China to renew strategic dialogue on managing competition in cyberspace. Indeed, with President-elect Biden promising that the United States will re-engage with the world, Russia calling for a “reboot” with the United States in the field of information security, and the likely national security soul-searching that will occur as the facts of the SolarWinds hack come to light, the beginning of 2021 could be the best time to address the risks posed by cyber operations and their contribution to nuclear crisis instability.