Accountability and cyber conflict: examining institutional constraints on the use of cyber proxies

Abstract

As state-sponsored cyber operations have proliferated, some states are outsourcing these operations to non-state cyber proxies. However, given the relative ease of outsourcing cyber operations, it is puzzling why more states are not engaged in this practice. I examine how domestic accountability institutions potentially explain this restraint in the use of cyber proxies. I argue that in cases where the incumbent is likely to be held to account for cyber operations, there is restraint in the use of proxies. Moreover, I distinguish vertical from horizontal accountability and argue that because vertical accountability mechanisms directly threaten the tenure of the incumbent if outsourced cyber operations go wrong, it has a greater constraining effect relative to horizontal accountability. I test these propositions with new data on the activities of several hacker groups and robustly confirm that accountability institutions do place significant constraints on the use of cyber proxies.

Keywords

Accountability cyber conflict cyber proxies institutional constraints state-sponsored cyber attacks

Introduction

States now routinely undertake offensive cyber operations against domestic and foreign adversaries. As these operations have proliferated, some states are increasingly outsourcing them to non-state actors—“cyber proxies”. For instance, analysts at cybersecurity firm FireEye assert that Russia enlisted a hacker collective known as APT28 (also known as Tsar Team) to carry out offensive cyber operations on its behalf against Georgia. This followed a period of rising tensions and worsening relations between Russia and Georgia after the two sides fought a brief war in August 2008. APT28 targeted privileged information relating to Georgia's internal security and political dynamics. It also targeted the Georgian Ministry of Internal Affairs whose systems house sensitive information about the inner workings of Georgia's security forces. The group also staged operations against Georgia's Ministry of Defense along with a US defense contractor providing training to Georgian military forces (FireEye, 2014a). The pilfered information from these attacks could provide the Russian government with valuable intelligence on potential Georgian battlefield strategies and troop movements should another war erupt between the two sides.

Similarly, analysts believe that the North Korean government has enlisted the services of a hacker group known as APT37 (also known as Reaper, TEMP.Reaper, ScarCruft or Group 123). This cyber proxy is primarily engaged in intelligence gathering operations that appear to support the strategic economic, political and military interests of the North Korean regime. APT37 aims a significant proportion of its attacks against targets in South Korea, particularly those affiliated with the government, military and defense industries. The group also targets organizations involved in helping North Korean defectors and those engaged in reunification efforts on the Korean Peninsula (MITRE, 2020).

In essence, these cyber proxies provide technical skills and capabilities that enable states to pursue cyber operations while allowing them plausible deniability for operations that are discovered. The use of cyber proxies has sparked a budding cyber politics literature that explores the relationship between cyber proxies and their state sponsors (see e.g. Akoto, 2021b; Borghard and Lonergan, 2016; Lotrionte, 2015; Maurer, 2018). However, scholars are yet to examine interstate variation in the use of cyber proxies. Exploring these variations is important because the low barriers to entry into cyber operations and the relative ease with which cyber operations can be outsourced to proxies make it puzzling why more countries do not engage in the practice.

In this article, I advance the study of state–cyber proxy relations by examining how domestic accountability arrangements constrain the use of cyber proxies. Accountability in this context refers to domestic constraints on the government's political powers through requirements for the executive to justify its actions and face potential sanctions (Lührmann et al., 2020). I distinguish the effect of vertical from horizontal accountability. Vertical accountability refers to the extent to which the citizens are able to hold the government accountable (e.g. through elections) while horizontal accountability is the extent to which state institutions have the power to oversee the actions of the government (e.g. by demanding information from public officials).

I make the case that where accountability arrangements are strong, incumbents are less likely to use cyber proxies. I also argue that, contrary to what we might expect, vertical and horizontal accountability have differing effects on incumbent incentives to outsource cyber operations to cyber proxies. My argument draws on a branch of the international politics literature that argues that incumbents care mainly about maintaining office (e.g. Bueno de Mesquita et al., 2003; Clarke and Stone 2008). As a consequence, incumbents are incentivized to pursue policies and take actions that will prolong their stay in office or are conversely disincentivized from policies and actions that will shorten their tenure. Within this context, I argue that because vertical accountability mechanisms directly threaten the tenure of the incumbent, increased vertical accountability should have a strong constraining effect on the use of cyber proxies given the risks associated with their use.

In contrast, increased horizontal accountability typically does not directly threaten the incumbent's tenure. Consequently, horizontal accountability should not have much of a constraining effect on the use of cyber proxies. In fact, in cases where there is significant overlap in policy preferences between the incumbent and oversight agencies, increased horizontal accountability might actually increase the use of cyber proxies. I test these propositions in a large-N cross-country framework with new data on the activities of several hacker groups using a variety of estimation approaches and specifications. The results robustly confirm that accountability institutions do place significant constraints on the use of cyber proxies. Importantly, these constraints mainly operate though vertical accountability mechanisms.

Proxy-executed cyber operations

Borghard and Lonergan (2016) define cyber proxies as non-state actors who “conduct offensive cyber operations to achieve political objectives on behalf of a patron state”. Maurer (2018) broadens this definition to include any “intermediary that conducts or directly contributes to an offensive action that is enabled knowingly, actively or passively, by a beneficiary”. Maurer's (2018) work is particularly useful in outlining the principal ways in which states manage their relations with their cyber proxies.

States can keep their proxies relatively close, monitoring and directing their activities in terms of targets and techniques employed (the “delegation” model in Maurer's framework). Others may put a greater operational distance between them and their proxies, providing them with ideational and material support in exchange for the proxy's cooperation in targeting specific political adversaries (the “orchestration” model). Other states may put even more distance between them and their proxies, avoiding any direct input and giving the proxy cart-blanche in terms of targets and techniques (the “sanctioning” model). The support of the state is completely passive and, in most cases, the only link between that proxy and the state is that the state willingly turns a blind eye to the activities of the proxy in spite of having the capacity to crack down. The sanctioning model opens up the intriguing possibility of hackers being unwitting proxies of the state. Our primary concern in this paper is with cases where governments actively enlist proxies for cyber operations (i.e. the delegation and orchestration models in Maurer's framework).

The strategic logic of using cyber proxies

There are strong arguments within the existing literature for why states turn to private non-state actors to carry out cyber operations instead of using in-house cyber operatives. For one, conducting successful cyber operations requires considerable technical and human resource capabilities that may not be readily available in state security agencies. Working with proxies enables the state to tap into specific skill sets, tools and capabilities that state intelligence and espionage agencies may lack or find too expensive to develop in-house (Pawlak and Barmpaliou, 2017). Second, cyber proxies operate in the gray areas of the international system and so offer political cover to governments who may want to deny involvement in offensive cyber operations that come to light. Plausible deniability is particularly important for militarily weak states who fear possible retaliation with conventional kinetic military forces from more powerful states (Valeriano and Maness, 2015). Moreover, by acting through proxies, states can achieve sensitive political objectives (e.g. blackmailing a foreign leader) discretely, with little risk of blow-back. This provides cover for politicians and state officials who may otherwise shy away from pursuing such activities.

Third, working with proxies enables states to avoid revealing their in-house cyber capabilities. The use of proxies leaves adversaries none the wiser about the true state of cyber capabilities within state security agencies. This is an important advantage for states that want to maintain strategic ambiguities regarding their cyber capabilities owing to evolving norms in the cyber domain. Fourth, the use of proxies is particularly appealing in times of international disputes as the supply of proxy hackers tends to rise in times of political crisis. Chinese hackers, for instance, are known to quickly mobilize and attack when the Chinese state is involved in an international dispute. In 1999 when the Chinese embassy in Belgrade was accidentally bombed in a NATO airstrike with US precision-guided bombs, Chinese hackers quickly mobilized online to attack numerous US government websites (Gries, 2001). In 2005, members of the Chinese hacker collective known as the Honker Union actively discussed the need to assist the Chinese state to fend off external adversaries, with an expressed desire to “do something meaningful for the motherland” (Maurer, 2018).

In this regard, proxy hackers are useful for a variety of tasks. For instance, they can help governments to avoid costly operations aimed at countering internal threats to the regime. Many regimes frequently keep tabs on domestic political dissidents, enabling the government to monitor their activities. Opposition newspapers, TV and radio stations and online sources that report on government repression, antigovernment protests and electoral fraud are particularly attractive targets for state censorship. Taking direct action to silence such political rivals risks inviting international condemnation, sanctions and energizing domestic opposition to the regime.

By using proxies, the government can shield itself from condemnation while achieving the same ends on the cheap. Cyber proxies have been used to mount intimidation campaigns against such targets to get them to self-censor or limit their opposition to the government, particularly around election time. For instance, several independent news outlets were targeted with distributed denial of service attacks in the run-up to general elections in Russia, Malaysia and Turkey (Jagannathan, 2012; Nazario, 2009). Regimes with access to relatively skilled proxies and sophisticated technology also mount intricate censorship operations that preemptively censor opposition media outlets. For example, China and Saudi Arabia have on various occasions successfully blocked access to selected websites inside and outside of the country with firewalls, preventing users from reaching these websites (Nazario, 2009).

Offensive cyber operations conducted via proxies can also be crucial in helping states to confront external threats. In 2007, for instance, Estonian government websites were targeted with distributed denial of service attacks that took these sites offline. The website of Estonia's biggest bank and those of several newspapers were also targeted. The Estonian government accused the Russian government of using proxy hackers to stage a coordinated cyber campaign against it in response to Estonia moving Soviet-era war memorials from the city of Tallinn. Information gathered via proxies can enable states—particularly militarily weak ones—to gain a competitive advantage and prepare for war. Espionaged information may also be critical in helping states advance their military technologies, disrupt adversary's plans and favorably frame issues of contention (Akoto, 2021b).

In spite of these reasons for outsourcing to private cyber proxies, some analysts note that this trend appears to be waning (Canfil, 2020; Cole and Healey, 2014; Segal, 2016). Canfil (2020) argues that this is because rapid advances in attribution technology coupled with the increasing willingness of victim states to attribute cyber attacks on the basis of circumstantial evidence has eroded the benefits of using cyber proxies.

Beyond this, the use of cyber proxies entails significant risks that may give states pause. Proxy activity can elicit sanctions which can have a devastating effect on the domestic economy. For instance, when Sony Pictures Entertainment was hacked by suspected North Korean proxy hackers in 2014, the American government was quick to impose sanctions on North Korea. Three critical North Korean organizations were sanctioned. These included the Reconnaissance General Bureau, which is North Korea's primary intelligence agency, the Korea Tangun Trading Corporation, which is critical to the regime's defense research program and the Korea Mining Development Trading Corporation. With the North Korean economy already under severe strain owing to existing sanctions related to its nuclear program, these additional sanctions placed even more pressure on the economy. The sanctions also extended to 10 other individuals, some of whom the USA admits were not directly involved in the Sony hack but were sanctioned for other offenses (BBC, 2015).

The activities of Russian proxy hackers have also resulted in severe sanctions on Russia and the operation of its firms and institutions. In 2018, the US Treasury department imposed sanctions on five Russian companies and three individuals for contributing to the cyber operations of various Russian military and intelligence agencies. These sanctions effectively prohibit these firms and individuals from any transactions involving the US financial system and also bars American companies from doing business with them. It also freezes the assets of the targeted entities that are subject to US jurisdiction (Chiacu, 2018). These measures were on top of existing sanctions imposed by the USA for other offenses. These sanctions cause enormous disruption to normal economic life and business of the targeted entities and could prove devastating for the domestic economy (Akoto, 2013; Akoto et al., 2020).

In many cases, states often endow their proxies with significant benefits in exchange for hacking for the state. States could for instance furnish proxies with cutting-edge computer software and hardware to enhance their activities. They could also provide unfettered access to the internet, particularly in authoritarian settings where such access might be restricted. States could also transfer military and state intelligence personnel to train, work with or provide intelligence to proxies to enhance their activities. In endowing proxies with these benefits, states risk empowering “chimera proxies” who may put their own interests before those of the state. States also face a “Promethean dilemma” where their proxies could turn their skills, capabilities and tools against them. This is particularly likely when the state forms loose ad-hoc relationships with its proxies. Such associations decrease the incentives that proxies have to cooperate with and abide by the directives of the sponsor owing to the shifty nature of the relationship (Borghard and Lonergan, 2016).

How accountability matters for cyber operations

Following Lührmann et al. (2020), I conceptualize accountability as “de facto constraints on the government's use of political power through requirements for justification of its actions and potential sanctions.” This conceptualization of accountability goes beyond mere electoral democracy, where citizens use elections to hold politicians accountable. This is useful because incumbents—democrats and authoritarians alike—are accountable to citizens to varying degrees.

With regards to who the incumbent (the agent) is accountable to, I focus on accountability to the citizens of the country (the principals). The principal–agent framework is useful in capturing the dynamics of cyber operations because the preferences of those with formal and actual powers to authorize cyber operations may significantly differ from those of the citizens who elected them. The dynamics of cyber operations differ from conventional military and intelligence tactics in ways that magnify the gap in preferences between principals and agents. In the case of drone strikes, for instance, there are strict protocols to be followed for authorization to be granted for a strike. In contrast, it is a core function of a nation's cyber defenders to constantly probe adversary networks and to develop one-click options for launching attacks to limit the lag between offense and defense. This reduces the bureaucratic friction that would limit the propensity of agents to stage cyber operations that might differ from those of their principals (Junio, 2013).

In terms of what the regime is accountable for, I view accountability as a mechanism for preventing illicit behavior and evaluating the outcomes of cyber operations sanctioned by the incumbent. In this vein, accountability helps citizens to ensure that the incumbent is responsive to their preferences regarding the use of cyber operatives.

What are the preferences of citizens regarding the use of cyber operatives? Prior research shows that citizens care about and have strong preferences about the use of offensive force in cyberspace. Kreps and Schneider (2019) conduct experiments to test public support for cyber retaliation and escalation and find that people are significantly less likely to support retaliation in cyberspace relative to a comparable response to a conventional or nuclear attack. Their results underscore the general reluctance of the public to respond aggressively to cyber provocation. This restraint is absent in choices around responding to conventional assault by adversaries. This provides support for assertions that the cyber domain is perceived as qualitatively different by citizens in ways that encourage a preference for incumbents who exercise restraint in the use of cyber force.

In survey experiments conducted in the USA, UK and Israel, Shandler et al. (2021a) test whether public exposure to destructive cyber attacks diminishes their preference for cyber strikes. They show that public support for deploying cyber weapons diminishes significantly for respondents exposed to news reports of lethal cyber attacks. This suggests that any public preference for the use of offensive cyber operations is fragile at best. In a different study, they also show that even where the public supports retaliatory strikes, this only comes in response to lethal cyber terror incidents (Shandler et al., 2021b). This suggests that any public support for the use of cyber weapons may be tied to the public anger immediately following cyber attacks.

Given the surreptitious nature of cyber attacks and the selectivity inherent in victim and media reporting of cyber breaches, some analysts have called into question how truly aware citizens are of state-sponsored cyber operations. For instance, De Bruijn and Janssen (2017) report that although most people are familiar with the concept of cybersecurity, their behavior does not reflect a high level of awareness of cyber breaches. While this may be true, the work of Shandler et al. (2021a) suggests that once citizens are made aware of cyber breaches, they tend to prefer a measured response that limits the potential for conflict escalation. Gomez and Whyte (2021) also demonstrate that long-term exposure to cyber attacks tends to mitigate the emotional responses associated with it. This has the effect of normalizing cyber threats over time, reinforcing the public's preference toward cyber restraint.

Based on these findings, we can expect that given the choice, citizens prefer restraint in the use of cyber operations. In this regard, mechanisms exist that facilitate citizens awareness of state-sanctioned cyber operations. The two primary means are public announcements by government officials or information obtained through domestic and foreign media sources. There are strong incentives for government to keep cyber operations discreet but increasingly, public officials announce active state cyber operations. For instance, in November 2020, British prime minister Boris Johnson announced the government's plans to take more offensive steps in its approach to cybersecurity (Corera, 2020). The prime minister also announced the formation of a National Cyber Force to monitor both domestic and foreign threats with a mandate to disrupt, degrade and destroy the cyber capabilities of actors who pose a security threat.

Since then, the British media has regularly reported on operations carried out by the unit, which had apparently been in operation since April 2020. It has reportedly mounted cyber operations against the Taliban in Afghanistan and against the Islamic State group in Iraq and Syria. There have also been reports of operations targeting entities in Russia in the wake of the poisoning of dissident Sergei Skripal, a former officer of the Russian military and double agent for British intelligence, and his daughter, Yulia Skripal (Corera, 2020).

Even in the absence of government acknowledgment or where domestic media sources are stifled, the foreign press can be an important source of information on state-sanctioned cyber operations. For example, the US media frequently reports on cyber operations carried out by Russian, Iranian and Chinese hackers. These reports eventually make their way to citizens in these countries, who get a peak into the kind of cyber operations that their government is allegedly involved in. Even where access to foreign news sources is restricted, the often vociferous denials mounted by government officials in these countries ensure that these reports (and the denials) receive some coverage in domestic media sources (Sudworth, 2013).

The existing literature shows that targets of cyber attacks are increasingly willing to assign blame for cyber attacks even in the absence of strong evidence that holds up to legal scrutiny (Canfil, 2020). These accusations often come with threats of retaliation. For instance, in the wake of the “SolarWinds” espionage breach where Russian operatives allegedly infiltrated more than 250 federal agencies and private firms, President Biden issued strong condemnatory statements with threats of sanctions and potential retaliatory cyber strikes (Akoto, 2021a).

In April 2021, the USA made good on these threats, imposing sanctions on Russia's sovereign debt arrangements. This makes it more difficult for the Russian government to raise money for public services and to support its currency, increasing the economic pain that Russian citizens are already facing given the myriad other sanctions for the errant actions of their government (Brandom, 2021). Furthermore, cyber operations that are met with conventional military strikes by victims could have additional devastating effects on public infrastructure and could escalate into all-out war that costs countless lives. Citizens could therefore bear significant costs if government-sanctioned cyber operations are discovered.

Given this, it is in citizens' interest to incentivize restrained use of cyber operations by the home government, particularly against economically or militarily strong opponents. Increased accountability of the incumbent to the citizens has the effect of bringing the behavior of the incumbent in line with the interests of citizens. Indeed, prior research shows that leaders are more responsive to the interests of citizens when they are likely to be held accountable for the outcomes of their actions (Carlin et al., 2015, Larsen, 2019, Schwindt-Bayer and Tavits, 2016). Accountability is thus a potentially important constraint on the action of incumbents but one that has received little consideration in the cyber politics literature.

Vertical and horizontal accountability

How are incumbents held to account? There are two general mechanisms—vertical and horizontal accountability.¹ As conventionally understood, vertical accountability represents a relationship between unequals (such as governments and citizens). The active involvement of the public in elections is one of the main modes of vertical accountability. If we assume that the incumbent's overriding desire is to remain in office, then an important factor in their calculus is how constituents with power to terminate them from office will react to cyber operations should they go wrong. Incumbents who repeatedly green-light cyber operations that invite sanctions, international shame and other punitive measures are likely to do poorly at the polls. Consequently, as the likelihood of citizen backlash grows, incumbents who must account for failed cyber operations become increasingly hesitant to authorize such operations.

Nevertheless, elections are not the only means of asserting vertical accountability. The public can demonstrate its disapproval of the incumbent and his or her policies by taking to the streets to protest, strike or riot. These modes of vertical accountability are particularly pertinent in authoritarian settings where weak legal frameworks allow considerable scope for opposition intimidation and electoral manipulation. In such settings, protest mobilization and social advocacy by civil society groups and concerned citizens can be very effective in constraining incumbent behavior.

For instance, widespread public protests in the early 1990s was instrumental in getting several authoritarian regimes in Africa and elsewhere to make numerous concessions which eventually paved the way for new constitutions and multiparty elections, reminiscent of the struggle against colonialism in the 1950s and 1960s. More recent protest mobilizations, this time facilitated by the explosion in social media, spurred the Arab Spring of 2011, which led to the fall of several authoritarians, such as Libya's Muammar Gadhafi, Egypt's Hosni Mubarak and Tunisia's Ben Ali. The results of these protest movements demonstrate that even in authoritarian settings, the vertical accountability mechanism can be employed to great effect, even where dictatorial tendencies of incumbents prevent the proper functioning of electoral mechanisms (Fombad, 2020; Stuppert, 2020).

On the other hand, horizontal accountability mainly relates to how government institutions are accountable to each other. Horizontal accountability mechanisms largely require governments to render account for decisions and outcomes to agencies within the public sector or other branches of government. Importantly, many horizontal accountability agencies lack formal sanctioning powers. This makes them comparatively weak in terms of restraining undesirable cyber behavior. Some of this might be due to the power the incumbent has to appoint the heads of government oversight agencies who have authority to question, investigate or exercise oversight powers over the incumbent. Such agencies include the attorney general, special prosecutors and ethics commissioners. In many cases, aggressive oversight by these bureaucrats could potentially cost them their jobs. As such, where the incumbent and other public servants with the power to authorize cyber activities do not fear negative repercussions from oversight agencies, they are unlikely to exercise restraint in their use of cyber proxies.

If the incumbent enjoys broad support among the electorate, government oversight institutions might be overly deferential to the judgment of the incumbent as to the appropriateness of offensive cyber operations. Horizontal accountability institutions might interpret the broad support enjoyed by the incumbent as implicit support for his or her choices regarding state cyber operations.

In some instances, in addition to directly holding the incumbent to account for cyber operations, voters could also hold parliamentarians to account. Parliamentarians could in turn pressure the incumbent to exercise cyber restraint. In this case, horizontal accountability could reinforce vertical accountability. In other instances, increased horizontal accountability might actually encourage proxy-executed cyber operations. For example, this is the case if there is significant overlap in interests and preferences between those sanctioning cyber activities and those supposed to exercise oversight. In many parliamentary systems, for instance, executive authority is derived directly from the legislative assembly. Voters elect members of the legislature who then select a chief executive. In many cases, the chief executive doubles as the head of the majority party in parliament. Within this context, single-party control of the legislature generates a “fusion of powers” problem, where the interests and preferences of the executive and the legislature strongly align (Bagehot, 1963).

This leads to a concentration of power in the executive branch, what Rhodes (2006) referred to as “executive dominance”. In such cases, there is little constraint on the use of cyber proxies by the chief executive because he or she has little to fear from a removal from office should cyber operations go wrong. In fact, the chief executive might be encouraged to use cyber proxies if that view is shared by the parliamentary majority. Even in presidential systems where the incumbent is directly elected by citizens, horizontal accountability might not be very restraining on the use of cyber proxies if the incumbent enjoys broad support among the electorate. In this situation, government oversight institutions might be overly deferential to the judgment of the incumbent as to the appropriateness of using cyber proxies. Horizontal accountability institutions might interpret the broad support enjoyed by the incumbent as implicit support for his or her choices regarding state cyber operations.

Based on these considerations, I contend that where accountability is effective in restraining an incumbent's use of cyber operations, it is likely to operate through vertical (as opposed to horizontal) accountability mechanisms. Thus, we expect that vertical accountability arrangements will have a greater constraining effect on restraining cyber operations. I test these propositions in the next section.

Analytical framework

I examine how accountability mechanisms constrain the outsourcing of cyber operations to proxies. I aim to show that increased accountability has a negative effect on incumbents’ propensity to use proxies and that the bulk of this effect comes through vertical accountability mechanisms. To achieve this, I leverage a new dataset on government use of hacker groups that draws on a global sample of 151 countries over the period 1995–2014.²

Cyber proxies

Studying cyber proxies is challenging. For one, while the existing literature suggests a clear delineation between cyber agents working within the state apparatus and private contractors on the outside, the reality is less well defined. The secrecy and covertness of the bulk of state cyber operations means that it is never truly clear who is responsible for what cyber operation, let alone their exact relationship to the state. Second, proxies may or may not be part of state security and intelligence agencies and may be criminal syndicates or private cybersecurity companies. They may also simultaneously hack on behalf of the state, out of an individual sense of patriotism, for profit or for revenge.

To complicate matters, some states are known to assign military and state intelligence personnel to train, work with or provide intelligence to proxies to enhance the proxy's activities (FireEye, 2014b). States may furnish proxies with computer software and hardware and provide unfettered access to the internet, particularly in authoritarian settings where access to the internet might be restricted (FireEye, 2018). Furthermore, some groups may start off as private hacker collectives that are then absorbed into state security agencies or vice versa.

This difficulty in delineating private hackers from state cyber agents (i.e. government employee tasked with cyber operations) has crippled efforts to study these agents. This difficulty is inherent to our field of study and one that is difficult to surmount but we must persevere. Thus, a primary task of this analysis—and one of its contributions to the emerging cyber politics literature—is to compile a dataset of cyber proxies, their activities and relations with nation states.

In compiling my dataset, I began by searching publicly available sources of information such as google search, cybersecurity and intelligence reports and online news sources for incidents of cyber attacks, intrusions or breaches. I cataloged the hacker groups believed to be behind these attacks and collected information on approximately 120 hacker groups linked to various offensive cyber operations. I then eliminated duplicate groups from my dataset, for example, instances where the same group had multiple names. The final dataset used in this analysis includes 102 unique hacker groups.³ I then code whether a group is affiliated with a state sponsor or not.

To be coded as a cyber proxy, a hacker group must meet three basic criteria. First, the group must be identified by the source as being sponsored by or acting on behalf of the government (either national or subnational).⁴ It is insufficient for a group to be considered a proxy simply because it is ideologically aligned with the government, shares a common enemy or does not oppose the government. There must be strong evidence that a group is acting on behalf of, at the behest of or with the active support of the government. Second, the group must be somewhat independent of the state. This means that the group is not a part of the regular state security forces as documented by official government information sources. However, the group may still operate in concert with military and state security agencies or may even be composed of members of these agencies but must function as an independent unit with its own identity.

Third, the group must have some evidence of organization. Examples of this include having an identifiable leader, a name (given by the group itself or assigned by cybersecurity analysts), clearly defined objectives, organizing principle or ideology. This excludes “flash” or spontaneous groups that may emerge briefly to conduct offensive cyber operations.⁵

The dataset thus captures activity by hacker groups known to act on behalf of nation states such as China's Comment Crew, the Iranian Cyber Army and North Korea's Bluenoroff. The dataset also captures the activities of “non-traditional” cyber proxies such as defense contractors, private military and security companies such as Lockheed Martin, BAE Systems and Raytheon. These companies mainly provide defense contracting services but have expanded their offerings to include the sale of software that can break into and destroy or degrade the computer networks of adversaries. Some of these companies also specialize in software and programs aimed at countering cyber attacks. Maurer (2018) makes a case for the inclusion of such companies as cyber proxies because targets on the receiving end of cyber operations carried out by these firms often perceive them as such, informing how targets respond to these attacks.

Once a group has been identified as state-sponsored, I code when its association with the government is believed to have started, i.e. the earliest report of cyber activity by the group on behalf of the government.⁶ Using this information, I am able to identify which countries use cyber proxies and when their association with these proxy groups started.

I then construct a state-year dataset which I use for the analysis for this paper. I create a variable—proxy onset—coded 1 (0 otherwise) if the state initiated a new relationship with a new proxy group in the relevant year.⁷ This variable is our dependent variable and captures outsourcing of state cyber operations to proxy groups.

In addition to the challenges noted earlier, there are a few other caveats to note. Offensive cyber activities are by nature conducted largely surreptitiously, regardless of whether they are carried out by individuals or state-sponsored groups. Given this, we can only hope to capture those that do come to light. Our broad internet search approach should help to significantly reduce the likelihood of missing publicly available information on groups’ activities. Nonetheless, it is likely that we may have missed information pertaining to some groups. The data collected is thus likely an under-representation of the true state of cyber proxy activity.

Moreover, there are still considerable challenges involved in attributing malicious cyber activity to particular state sponsors and doing so promptly and in a manner that is independently verifiable. Attribution capabilities also vary across states and cybersecurity companies may be biased in their reporting on the activities of proxy hacker groups (Maschmeyer et al., 2021). Relying on multiple sources to code proxy relationships should mitigate this problem, but it is possible that some proxy relationships may be mis-specified by the various sources. Where different sources contrast each other in their classification of the relationship between a proxy and the government, more information is sought from academic research and country-specific sources where available.

Accountability

To capture accountability, I draw on the accountability index created by Lührmann et al. (2020). This index closely approximates the conceptualization of accountability in our theoretical framework. Recall that Lührmann et al. (2020) view accountability as constraints on the government's political powers through requirements for the executive to justify its actions and face potential sanctions. Within this framework, they create a vertical accountability index that captures the extent to which the citizens of a country are able to hold the government accountable. They focus on two key mechanisms of vertical accountability—citizen's formal political participation (e.g. being able to freely organize in political parties) and their ability to participate in free and fair elections.

They account for the quality of elections, the percentage of the population that is enfranchised and whether the chief executive is elected directly or indirectly. They also account for factors such as the accuracy of the voter roll, intimidation of political opponents and the extent to which elections are truly multi-party. The index ranges from 0 to 1, with higher numbers indicating polities with more vertical accountability. I adopt this as my measure of vertical accountability.

Lührmann et al. (2020) conceptualize horizontal accountability as the extent to which state institutions have the power to oversee the actions of the government by demanding information, questioning public officials and punishing improper behavior. The key agents in horizontal accountability are legislatures, judiciaries and special oversight bodies such as ombudsmen, controller generals and special prosecutors. Within this context, they capture the extent of horizontal accountability in a polity by examining the oversight authority that the legislature, judiciary and oversight bodies have. They account for factors such as the existence of formal processes that facilitate judicial and legislative scrutiny of the actions of government officials and the feasibility of punitive actions in the event of irregularities. They also account for the degree to which the legislature routinely questions the executive, the likelihood that the legislature and special prosecutory agencies investigate allegations of impropriety and the likelihood that these investigations produce a decision that is unfavorable to the executive. The index ranges from 0 to 1, with higher values indicating polities with stronger horizontal accountability arrangements. I use this index as my measure of horizontal accountability.

Controls

Apart from the level of accountability, there are a number of other factors that could potentially affect government propensity to outsource cyber operations to proxies. I include controls to account for major confounding factors. First, some states such as the USA, China and Russia have a higher capacity for in-house cyber operations than others. These states are less likely to resort to outside proxies in the conduct of cyber operations, favoring the use of existing capacities within their militaries and intelligence agencies. These states tend to have a highly skilled and tech-savvy workforce, cyber-ready infrastructure with advanced computer networking capabilities and high-speed broadband internet access. Prior research shows that these factors are highly correlated with the wealth of the country (see e.g. Lotrionte, 2015; Maurer, 2018; Valeriano et al., 2018). To account for varying cyber capabilities across states, I include controls for gross domestic product (GDP) per capita and the fraction of the population that have access to broadband internet access. Data on GDP per capita and internet access is taken from the World Development Indicators database (World Bank, 2018).

Proxy-executed cyber attacks might also vary systematically by regime type. As highlighted earlier, non-democracies have loser accountability mechanisms and so to the extent that accountability acts as a restraint on the use of proxies, non-democratic incumbents are more likely to use proxies relative to democrats. In essence, we would expect that increased democracy is correlated with a lower propensity to use proxies. However, the effect could also be positive, as prior research shows that democratic states tend to have a larger supply of hacker groups (Lotrionte, 2015; Maurer, 2018). As highlighted earlier, democratic states tend to have highly developed technological and networking infrastructure and a highly educated populace with easy access to the internet. These conditions facilitate the formation and mobilization of hacker groups that can act as proxies. To account for regime type difference in state propensity to engage proxies, I include the Polity IV scores that track how politically competitive a polity is. This index ranges from −10 for full autocracies to +10 for fully democratic states. Polity data comes from Marshall and Jaggers (2016).

A country's foreign policy orientation may also be an important factor in its decision to outsource cyber operations to proxy actors. Countries like Russia, China and Iran who are dissatisfied with the global hegemonic status quo characterized by American dominance may be more inclined to use cyber operations against Western targets. Additionally, they may be more inclined to use proxies for these operations because of the plausible deniability that this offers and the opportunity to avoid retaliation from targets. I capture states’ foreign policy preferences using the Idealpoint index developed by Bailey et al. (2017). Their index draws on a state's voting record in the UN General Assembly to make inferences about its general foreign policy preferences in relation to that of the USA. Higher values of this index indicate greater alignment with US foreign policy preferences.

Countries are also more likely to use cyber operations when they are involved in a militarized interstate dispute. In such cases, proxy-executed cyber attacks may just be an alternative form of warfare pursued by the attacker state against the target. To account for this, I include a dichotomous variable coded 1 (0 otherwise) for years in which the target state is engaged in an interstate militarized conflict. Conflict data comes from the UCDP/PRIO Armed Conflict Dataset (Gleditsch et al., 2002; Pettersson et al., 2019).

Countries frequently targeted for cyber attacks may also use proxies to stage retaliatory cyber operations. To account for this, I include a variable that tracks whether a country has experienced at least one state-sponsored cyber attack in a particular year. Data on state-sponsored cyber attacks comes from the Dyadic Cyber Incident and Campaign Dataset version 1.5 compiled by Maness et al. (2019). The use of proxies may also be influenced by public pressure to take action in response to previous cyber attacks. Government decisions to use proxies may also depend on the likelihood of the public learning about these operations. To account for public access to information about cyber operations, I include a variable that tracks domestic press freedom within a state. This variable ranges from 0 (most free) to 100 (least free) and comes from Freedom House (Freedom House, 2017). The Online Appendix has descriptive statistics for selected variables along with a correlation matrix that tracks correlation between our analytical variables.

Analysis

I use panel logistic regression models to examine the propensity to outsource to cyber proxies. This serves as our baseline model. However, advancements in computer technology, improvements in access to the internet and increased computer literacy rates mean that the supply of proxies has probably increased over time. Thus, in addition to the baseline logistic models, I also estimate mixed-effects models which include year fixed-effects to account for changing temporal dynamics that affect the availability and supply of cyber proxies.

The mixed-effects models also help to account for potential interdependencies in country-year observations inherent in the time series–cross-sectional structure of our dataset. I also estimate rare events logistic models to adjust for potential under-reporting of state-sponsored cyber events. The rare events and mixed-effects models serve as an important check on the robustness of the baseline logistic models.

Results

We start by examining how accountability affects the use of cyber proxies. The results of this analysis are presented in Table 1. I estimate six different specifications. In the first set (Models 1, 2 and 3), I use indicators for accountability along with a restricted set of controls. Models 1–3 are the logistic, mixed-effects and rare events models, respectively. All three models show that increased accountability significantly reduces the propensity of states to outsource to cyber proxies. In the second set of models (Models 4–6) I estimate the effect of accountability along with the full set of controls. This allows us to test how robust the accountability coefficient estimates are to the inclusion of additional variables. As before, Models 4–6 represent the logistic, mixed-effects and rare events models, respectively. In this second set of results, increased accountability maintains its significant negative effect on the use of cyber proxies across all three models. These results are in line with our theoretical expectations.

Table 1.

Accountability and use of cyber proxies.

	Dependent variable: proxy onset
	Logistic	Generalized linear mixed effects	Rare events logistic	Logistic	Generalized linear mixed effects	Rare events logistic
	Model 1	Model 2	Model 3	Model 4	Model 5	Model 6
Accountability index	−9.16* * * (−11.55, −6.76)	−11.58* * * (−14.33, −8.83)	−9.06* * * (−11.45, −6.66)	−6.03* * * (−8.80, −3.26)	−8.44* * * (−11.86, −5.03)	−5.93* * * (−8.70, −3.16)
Regime type	0.13* * * (0.04, 0.23)	0.23* * * (0.13, 0.34)	0.13* * * (0.04, 0.22)	0.16* * * (0.07, 0.26) 0.01*	0.25* * * (0.13, 0.37)	0.16* * * (0.06, 0.26)
Internet access	0.02* * * (0.01, 0.03)	−0.03* * * (−0.04, −0.01)	0.02* * * (0.01, 0.03)	0.01* (−0.002, 0.03)	−0.01 (−0.03, 0.02)	0.01* (−0.002, 0.03)
log(GDP per capita)	0.68* * * (0.44, 0.92)	1.32* * * (0.98, 1.66)	0.67* * * (0.43, 0.91)	0.94* * * (0.65, 1.23)	1.41* * * (1.04, 1.79)	0.93* * * (0.63, 1.22)
Interstate conflict	2.88* * * (2.28, 3.47)	4.80* * * (3.70, 5.90)	2.83* * * (2.24, 3.43)	2.66* * * (2.01, 3.31)	4.15* * * (3.05, 5.25)	2.61* * * (1.96, 3.25)
Press freedom				0.10* * * (0.07, 0.13)	0.12** * (0.08, 0.15)	0.10* * * (0.07, 0.13)
Cyber attacked				1.76* * * (1.19, 2.33)	1.84* * * (1.14, 2.53)	1.73* * * (1.16, 2.30)
Idealpoint				0.92* * * (0.53, 1.31)	1.13* * * (0.65, 1.61)	0.90* * * (0.51, 1.29)
Constant	−6.58* * * (−8.55, −4.61)	−12.25* * * (−15.39, −9.10)	−6.49* * * (−8.46, −4.52)	−16.76* * * (−20.71, −12.82)	−22.17* * * (−27.38, −16.97)	−16.47* * * (−20.42, −12.53)
N	3675	3675	3675	3675	3675	3675
Log Likelihood	−346.42	−281.88	−346.42	−286.82	−239.77	−286.82
AIC	704.85	577.77	704.85	591.64	499.54	591.64
BIC		621.23			561.63

Coefficients with 95%confidence intervals in parentheses. *** p < 0.01; ** p < 0.05; * p < 0.1.

AIC, Akaike information criterion; BIC, Bayesian Information Criterion.

To get a better sense of the relative effects of accountability on proxy use propensity, I standardize the coefficients estimates by subtracting the accountability variable from its mean and dividing by its standard deviation. I do this for all of the other variables in the model as well. This allows us to directly compare the effects that a 1 standard deviation increase in each variable has on the use of cyber proxies. The results are presented in Figure 1. The figure is based on the coefficient estimates presented in Table 1. The panel on the left is from Model 4 while the panel on the right is from Model 5. All of the points on the neutral line (the vertical line at point 1) have no effect on cyber proxy use. Points to the left of the neutral line decrease the propensity to use proxies while points to the right increase the propensity.

Figure 1.

Relative effects of Table 1 variables on odds of proxy use. This plot shows the relative effects of the model variables (Table 1). Panels on the left and right present estimates from Models 4 and 5, respectively. For a 1 standard deviation increase in the relevant variable, points to the left of the neutral line at 1 decrease the odds of proxy use while points to the right of the line increase the odds. The bars represent the 95% confidence intervals. Across the estimated models, accountability has the biggest effect in constraining the use of cyber proxies.

The panels show that a 1 standard deviation increase in accountability decreases the odds of outsourcing to proxies by 0.21 and 0.11 points, respectively. Both of these represent statistically significant decreases. Importantly, the analysis shows that accountability has the biggest effect on decreasing the use of cyber proxies relative to all the other variables included in the models. With regards to these other variables, their effects as depicted in the figure are largely in line with theoretical expectations.

I also examine the substantive effect of a one unit increase in accountability on the probability of using cyber proxies. This analysis is presented in Figure 2. The x-axis tracks increasing accountability while the y-axis shows the predicted probability of using cyber proxies. The panels on the left and right are based on Models 4 and 5 from Table 1, respectively. For this analysis, all other variables are set to their mean levels (dichotomous variables are set to 1). The analysis shows that the likelihood of using cyber proxies decreases as accountability arrangements are strengthened. The shaded region represents the 95% confidence interval. Collectively, these estimates lend strong support to our theoretical assertions—domestic accountability measures are a significant factor in placing restraints on incumbents’ use of cyber proxies.

Figure 2.

Substantive effects of increased accountability on proxy use. This plot shows the substantive effects of increasing accountability on the predicted probability of using cyber proxies. For this analysis, all other variables are set to their mean levels (dichotomous variables are set to 1). The shaded region represents the 95% confidence interval. The results show that increasing accountability decreases the probability of using cyber proxies.

Next, I repeat the above analysis but decompose accountability into its vertical and horizontal components to examine how each component affects proxy use. The results of this analysis are presented in Table 2. The first three models with the restricted set of controls show that increased vertical accountability significantly reduces the propensity of states to outsource to cyber proxies. In contrast, increased horizontal accountability has no significant restraining effect on the propensity to use cyber proxies. In fact in Models 1 and 3, its effect is positive, although insignificant.

Table 2.

Vertical and horizontal accountability and use of cyber proxies.

	Dependent variable: proxy onset
	Logistic	Generalized linear mixed effects	Rare events logistic	Logistic	Generalized linear mixed effects	Rare events logistic
	Model 1	Model 2	Model 3	Model 4	Model 5	Model 6
Vertical accountability index	−6.21* * * (−8.08, −4.34)	−8.37* * * (−10.87, −5.87)	−6.09* * * (−7.96, −4.22)	−9.15* * * (−11.66, −6.64)	−12.78* * * (−16.67, −8.88)	−8.95* * * (−11.46, −6.44)
Horizontal accountability index	0.08 (−1.42, 1.59)	−0.64 (−2.10, 0.83)	0.08 (−1.42, 1.59)	2.92* * * (1.14, 4.70)	4.08* * * (1.67, 6.49)	2.86* * * (1.08, 4.64)
Regime type	0.03 (−0.05, 0.11)	0.16* * * (0.06, 0.25)	0.03 (−0.05, 0.10)	0.31* * * (0.19, 0.43) 0.01*	0.45* * * (0.29, 0.62)	0.30* * * (0.19, 0.42) 0.01*
Internet access	0.02* * * (0.01, 0.03)	−0.04* * * (−0.06, −0.02)	0.02* * * (0.01, 0.03)	0.01* (−0.002, 0.03)	−0.002 (−0.03, 0.03)	0.01* (−0.002, 0.03)
log(GDP per capita)	0.50* * * (0.27, 0.72)	1.30* * * (0.96, 1.65)	0.49* * * (0.26, 0.71)	1.04* * * (0.72, 1.35)	1.62* * * (1.19, 2.06)	1.01* * * (0.70, 1.32)
Interstate conflict	2.48* * * (1.90, 3.06)	4.69* * * (3.55, 5.82)	2.44* * * (1.86, 3.01)	2.45* * * (1.80, 3.10)	4.39* * * (3.10, 5.69)	2.38* * * (1.73, 3.03)
Press freedom				0.15* * * (0.12, 0.19)	0.20* * * (0.15, 0.25)	0.15* * * (0.12, 0.18)
Cyber attacked				1.42* * * (0.80, 2.04)	1.36* * * (0.59, 2.13)	1.39* * * (0.77, 2.01)
Idealpoint				1.21* * * (0.71, 1.70)	1.57* * * (0.91, 2.24)	1.18* * * (0.69, 1.68)
Constant	−6.21* * * (−8.11, −4.31)	−13.07* * * (−16.38, −9.75)	−6.12* * * (−8.02, −4.22)	−20.58* * * (−24.58, −16.57)	−29.24* * * (−35.36, −23.11)	−20.08* * * (−24.08, −16.08)
N	3675	3675	3675	3675	3675	3675
Log likelihood	−345.67	−278.59	−345.67	−260.63	−213.60	−260.63
AIC	705.34	573.17	705.34	541.26	449.19	541.26
BIC		622.85			517.50

Coefficients with 95% confidence intervals in parentheses. *** p < 0.01, ** p < 0.05, * p < 0.1.

In the second set of models with the full set of controls, increased vertical accountability maintains its significant negative effect on proxy use. The effect of increased horizontal accountability is now robustly positive and significant across all of the estimated models. We can thus surmise that while increased vertical accountability robustly restrains the use of cyber proxies, increased horizontal accountability is correlated with an increased propensity to use proxies. Again, these results are in line with our theoretical expectations.

As before, I standardized the variables in the model as described earlier and compare their relative effects. This is presented in Figure 3. The panel on the left is from Model 4 while the panel on the right is from Model 5. All points on the neutral line (the vertical line at point 1) have no effect on cyber proxy use. Points to the left of the neutral line decrease the propensity to use proxies while points to the right increase the propensity.

Figure 3.

Relative effects of Table 2 variables on odds of proxy use. This plot shows the relative effects of the model variables (Table 2). Panels on the left and right present estimates from Models 4 and 5, respectively. For a 1 standard deviation increase in the relevant variable, points to the left of the neutral line at 1 decrease the odds of proxy use while points to the right of the line increase the odds. The bars represent the 95% confidence intervals. Across the estimated models, vertical accountability has the biggest effect in constraining the use of cyber proxies while horizontal accountability increases the odds of proxy use.

The panels show that a 1 standard deviation increase in vertical accountability decreases the odds of outsourcing to proxies by 0.11 and 0.05 points while an increase in horizontal accountability increases the use of proxies by 2.37 and 3.34 points, respectively. All of the estimates are statistically significant. Importantly, the analysis shows that vertical accountability has the biggest effect on decreasing the use of cyber proxies relative to all of the other variables. With regards to these other variables in the model, their respective effects are largely in line with theoretical expectations.

I also examine the substantive effect of a one unit increase in vertical and horizontal accountability on the probability of using cyber proxies. This analysis is presented in Figures 4 and 5 respectively. As before, the x-axis tracks increasing accountability while the y-axis shows the predicted probability of using cyber proxies. For this analysis, all other variables are set to their mean levels (dichotomous variables are set to 1). Figure 4 shows that the likelihood of using cyber proxies decreases sharply as vertical accountability arrangements are strengthened. On the other hand, Figure 5 shows that increasing horizontal accountability is associated with a steady increase in the likelihood of using cyber proxies. The shaded region represents the 95% confidence interval.

Figure 4.

Substantive effects of increased vertical accountability on proxy use. This plot shows the substantive effects of increasing vertical accountability on the predicted probability of using cyber proxies. For this analysis, all other variables are set to their mean levels (dichotomous variables are set to 1). The shaded region represents the 95% confidence interval. The results show that increasing vertical accountability sharply decreases the probability of using cyber proxies.

Figure 5.

Substantive effects of increased horizontal accountability on proxy use. This plot shows the substantive effects of increasing horizontal accountability on the predicted probability of using cyber proxies. For this analysis, all other variables are set to their mean levels (dichotomous variables are set to 1). The shaded region represents the 95% confidence interval. The results show that increasing horizontal accountability is associated with a steady increase in the likelihood of proxy use.

In the Online Appendix (Tables S3 and S4), I re-estimate all the models while lagging the accountability variables by a year to account for potential delays in public discovery of cyber operations. The results remain robust. I also estimate additional models with terms to account for interaction effects between accountability, internet access and regime type (Online Appendix Table S5). The results remain substantively unchanged. Overall, our empirical analysis lends strong support to our theoretical assertions—accountability is a significant factor in restraining the use of cyber proxies. Furthermore, any constraints that accountability mechanisms place on the use of cyber proxies operate mainly though vertical accountability arrangements.

Conclusion

Some states are outsourcing offensive cyber operations to non-state cyber proxies. However, the study of this phenomenon is still relatively new within the cyber politics literature. This article advances the study of state–cyber proxy relations by examining how accountability and its vertical and horizontal components constrain states’ use of cyber proxies. My argument is that where there is strong accountability, cyber proxies are less likely to be used. In addition, because vertical accountability mechanisms directly threaten the tenure of the incumbent should outsourced cyber operations go wrong, increased vertical accountability has a strong constraining effect on the use of cyber proxies. On the other hand, horizontal accountability mechanisms often pose little threat to incumbent tenure. As a result, in most cases, increased horizontal accountability should not have a meaningful constraining effect on proxy use. The results of the analysis lend robust support to these assertions.

These results are important for three reasons. First, it sheds new light on how domestic accountability arrangements matter for the use of cyber proxies. This is an area that is largely unexplored in the cyber politics literature, so this paper starts new conversations and potentially opens new lines of inquiry into the link between government accountability and state-sponsored cyber operations. Second, limiting state-sponsored cyber operations and the use of cyber proxies has been an enduring challenge for the international community. The current approach to dealing with this problem is public condemnation in the hope that state sponsors will be shamed into desisting from future attacks. Examples of these include statements by senior government officials, diplomatic protests (e.g. expelling diplomats), indictment of proxy hackers and punitive actions like sanctions and asset freezes. These deterrence measures are designed to change the cost–benefit calculus of state sponsors of cyber attacks, with the aim of making the use of cyber proxies painful enough to discourage their use. Our analysis here suggests that perhaps concerted effort by the international community toward increasing or strengthening vertical accountability mechanisms within countries suspected of using cyber proxies might have greater promise of deterring these states’ use of cyber proxies.

Third, this study demonstrates the utility of employing large-N analysis to answer some of the most vexing questions in cyber politics. Current analysis of cyber issues in the political science literature relies mainly on studies of a few limited cases. Expanding our analytical toolbox to include large-N quantitative approaches has the potential to unlock valuable new insights, as demonstrated in this paper. Studies such as this one have the potential to become an important complement to the more established qualitative approaches.

For future researchers, several questions remain to be explored. Future research could more deeply explore how the accountability effects highlighted in this paper affect proxy use under various political regime arrangements (e.g. military, presidential, parliamentary systems). Furthermore, our theoretical model suggests that as democratic incumbents near the end of their terms in office, their propensity to pursue aggressive cyber operations should increase. There is suggestive evidence to back this up. For instance, during his first term in office, US President Barack Obama issued Presidential Policy Directive 20 (PPD-20) outlining the principles and processes for US cybersecurity operations. This directive advocated for a measured approach to US cyber operations. The directive designated certain types of cyber operations as ones that require direct presidential approval before execution. This included operations with the potential to elicit retaliation, negatively impact intelligence-gathering efforts or have serious adverse economic or foreign policy consequences. The directive also restricted the conduct of cyber operations within the USA unless with the direct approval of the president (Greenwald and MacAskill, 2013).

However, in the waning years of his administration, the president moved to loosen these restrictions, particularly in relation to the Pentagon's Cyber Command, which is heavily involved in US cyber operations. He began the process of separating the Cyber Command from the National Security Agency to give it greater autonomy and flexibility in conducting cyber operations and proposed an increase in its budget (Strobel, 2016). Explorations of the varying propensities of incumbents—democrats and non-democrats alike—to pursue cyber operations as a function of their anticipated tenure in office holds significant promise for future research.

Also, explorations of how institutional accountability influences the timing of state-cyber proxy associations hold promise. Researchers could explore which specific state agencies form these associations and how states manage their relations with proxy groups. There is already very promising scholarship by Maurer (2018) that seeks to examine the modalities by which states control their cyber proxies. Future work could combine the insights from that work and this paper to explore currently opaque aspects of state–cyber proxy relations such as how states protect their proxies from international prosecution and the conditions under which these relations break down.

Supplemental Material

sj-zip-2-cmp-10.1177_07388942211051264 - Supplemental material for Accountability and cyber conflict: examining institutional constraints on the use of cyber proxies

Supplemental material, sj-zip-2-cmp-10.1177_07388942211051264 for Accountability and cyber conflict: examining institutional constraints on the use of cyber proxies by William Akoto in Conflict Management and Peace Science

Footnotes

Acknowledgements

Thanks to Elizabeth Romanov for excellent research assistance. My appreciation also goes to colleagues at Fordham University and the Sie Cheou-Kang Center for International Security and Diplomacy (Korbel School) at the University of Denver. Thanks also to the editor and anonymous referees for helpful comments which significantly improved the final manuscript.

Declaration of conflicting interests

The author declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author received no financial support for the research, authorship and/or publication of this article.

ORCID iD

William Akoto

Supplemental material

All data, replication materials, and instructions regarding analytical materials upon which published claims rely are available online through the SAGE CMPS website and the author's website at .

Notes

References

Akoto, W (2013). Debt Relief under the HIPC Initiative: Why Some Countries Complete the Programme Faster Than Others. Economic Research Southern Africa, Working Paper 346.

Akoto,W (2021a) Espionage attempts like the Solarwinds hack are inevitable, so it's safer to focus on defense not retaliation. The Conversation. Available from: https://bit.ly/3puaHOW. accessed 22 October 2021.

Akoto, W (2021b) International trade and cyber conflict: Decomposing the effect of trade on state-sponsored cyber attacks. Journal of Peace Research 58(5): 1083-1097.

Akoto

Peterson

Thies

(2020) Trade composition and acquiescence to sanction threats. Political Research Quarterly 73(3): 526–539.

Bagehot, W (1963) The English Constitution: With an Introduction by RHS Crossman. Las Vegas. Nevada: ICON Group International.

Bailey

Strezhnev

Voeten

(2017) Estimating dynamic state preferences from united nations voting data. Journal of Conflict Resolution 61(2): 430–456.

BBC (2015) Sony cyber-attack: North Korea faces new US sanctions. BBC, Available from: https://bbc.in/37HPnKF

Borghard

Lonergan

(2016) Can states calculate the risks of using cyber proxies? Orbis 60(3): 395–416.

Brandom, R (2021) US Institutes New Russia Sanctions in Response to Solarwinds Hack. The Verge. accessed 22 October 2021, 2021. Available from: https://bit.ly/3m7MqM8

10.

Bueno De Mesquita, B, Smith, A, Siverson, RM, et al. (2003) The Logic of Political Survival. Cambridge, MA: MIT Press.

11.

Canfil

(2020) Outsourcing cyber power: Why proxy conflict in cyberspace may no longer pay. Available from: https://bit.ly/3kFGyqE.

12.

Carlin

Love

Martinez-Gallardo

(2015) Security, clarity of responsibility and presidential approval. Comparative Political Studies 48(4): 438–463.

13.

Chiacu

(2018) US sanctions Russians over military intelligence hacking. Reuters. Available from: https://reut.rs/3chCBU0

14.

Clarke

Stone

(2008) Democracy and the logic of political survival. American Political Science Review 102(3): 387–392.

15.

Cole

Healey

(2014) United States should discourage patriotic hackers from attacking North Korea. Atlantic Council. Available from: https://Bit.Ly/37Jekre

16.

Corera

(2020) UK's national cyber force comes out of the shadows. BBC. Available from: https://bbc.in/3wQcNsH

17.

De Bruijn

Janssen

(2017) Building cybersecurity awareness: The need for evidence-based framing strategies. Government Information Quarterly 34(1): 1–7.

18.

Fireeye (2014a) Apt28: A window into Russia's cyber espionage operations? Available from: https://bit.ly/2CMzFmI

19.

Fireeye (2014b) Beyond the breach. Available from: https://bit.ly/306oAFA

20.

Fireeye (2018) Apt37 (Reaper): The overlooked North Korean actor. Available from: https://bit.ly/39HaIoz

21.

Fombad

(2020) Taming executive authoritarianism in Africa: Some reflections on current trends in horizontal and vertical accountability. Hague Journal on the Rule of Law 12(1): 63–91.

22.

Freedom House (2017) Freedom of the Press Index. Available from: https://Freedomhouse.Org/Report-Types/Freedom-Press

23.

Gleditsch

N. P.

Wallensteen

Eriksson

., et al. (2002) Armed conflict 1946–2001: A new dataset, Journal of Peace Research 39(5), 615–637.

24.

Gomez, MA & Whyte, C (2021) Breaking the myth of cyber doom: Securitization and normalization of novel threats. International Studies Quarterly. Online First. p.1-14. Available from: https://doi.org/10.1093/isq/sqab034

25.

Greenwald

Macaskill

(2013) Obama orders U.S. to draw up overseas target list for cyber-attacks. The Guardian. Available from: https://bit.ly/34vUSvW

26.

Gries

(2001) Tears of rage: Chinese nationalist reactions to the Belgrade embassy bombing. The China Journal 46: 25–43.

27.

Jagannathan

(2012) DDoS attacks disable independent news sites during Russian protests, Herdict Blog. Available from: https://Bit.Ly/34vusvw

28.

Junio

(2013) How probable is cyber War? Bringing IR theory back into the cyber conflict debate. Journal of Strategic Studies 36(1): 125–133.

29.

Kreps, S & Schneider, J (2019) Escalation firebreaks in the cyber, conventional, and nuclear domains: Moving beyond effects-based logics. Journal of Cybersecurity 5(1): 1-11.

30.

Larsen

(2019) Is the relationship between political responsibility and electoral accountability causal, adaptive and policy-specific? Political Behavior 41(4): 1071–1098.

31.

Lotrionte

(2015) Countering state-sponsored cyber economic espionage under international Law. North Carolina Journal of International Law and Commercial Regulation 40(2): 443–541.

32.

Lührmann

Marquardt

Mechkova

(2020) Constraining governments: New indices of vertical, horizontal, and diagonal accountability. American Political Science Review 114(3): 811–820.

33.

Maness

Valeriano

Jensen

(2019) Dyadic Cyber Incident and Campaign Dataset. Version 1.5. Available from: https://bit.ly/2F6UABm

34.

Marshall

Jaggers

(2016) Polity IV Project: Political Regime Characteristics and Regime Transitions, 1800–2015. Available from: https://bit.ly/3lQ1nQT

35.

Maschmeyer

Deibert

Lindsay

(2021) A tale of two cybers—How threat reporting by cybersecurity firms systematically underrepresents threats to civil society. Journal of Information Technology & Politics 18(1): 1–20.

36.

Maurer, T (2018) Cyber Mercenaries. Cambridge, UK: Cambridge University Press.

37.

MITRE (2020) Apt37. Available from: https://bit.ly/3g8sIKN

38.

Nazario

(2009) Politically motivated denial of service attacks. The Virtual Battlefield: Perspectives on Cyber Warfare 3: 163–181.

39.

Pawlak

Barmpaliou

P-N

(2017) Politics of cybersecurity capacity building: Conundrum and opportunity. Journal of Cyber Policy 2(1): 123–144.

40.

Pettersson

Högbladh

Öberg

(2019) Organized violence, 1989–2018 and peace agreements. Journal of Peace Research 56(4): 589–603.

41.

Rhodes

(2006) Executives in parliamentary government. The Oxford Handbook of Political Institutions 2: 323. Oxford, UK: Oxford University Press.

42.

Schwindt-Bayer, LA & Tavits, M (2016) Clarity of Responsibility, Accountability, and Corruption. Cambridge, UK: Cambridge University Press.

43.

Segal, A (2016) The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age. New York, NY: Hachette Book Group.

44.

Shandler

Gross

Canetti

(2021a) A fragile public preference for cyber strikes: Evidence from survey experiments in the United States, United Kingdom, and Israel. Contemporary Security Policy 42(2): 135–162.

45.

Shandler, R, Gross, ML, Backhaus, S, et al. (2021b) Cyber terrorism and public support for retaliation—A multi-country survey experiment. British Journal of Political Science. Online First. p.1–19. Available from: https://doi.org/10.1017/S0007123420000812

46.

Strobel

(2016) Obama prepares to boost US military's cyber role: Sources. Reuters. Available from: https://reut.rs/3wYSjxS

47.

Stuppert, W (2020) Elections without democratization: How African electoral authoritarianism survived. In: Political Mobilizations And Democratization in Sub-Saharan Africa, 11–37. New York NY: Springer.

48.

Sudworth

(2013) China denies cyber attack allegations. BBC News. Available from: https://bbc.in/2RvLMfb

49.

Valeriano, B & Maness, RC (2015) Cyber War Versus Cyber Realities: Cyber Conflict in The Internationalm System. Oxford, UK: Oxford University Press.

50.

Valeriano, B, Jensen, BM & Maness, RC (2018) Cyber Strategy: The Evolving Character of Power and Coercion. Oxford, UK: Oxford University Press.

51.

World Bank (2018) World Development Indicators. Available from: https://bit.ly/3gSIgSN

Supplementary Material

Please find the following supplemental material available below.

For Open Access articles published under a Creative Commons License, all supplemental material carries the same license as the article it is associated with.

For non-Open Access articles published, all supplemental material carries a non-exclusive license, and permission requests for re-use of supplemental material or any part of supplemental material shall be sent directly to the copyright owner as specified in the copyright notice associated with the article.

0.27 MB

0.00 MB