Outsourcing cyber power: Why proxy conflict in cyberspace may no longer pay

Abstract

A sizable literature implies that states can achieve military and foreign policy objectives “on the cheap” by outsourcing covert operations to willing non-state proxy actors, be they mercenaries, patriotic zealots, pranksters, or simply enemies of enemies. By outsourcing, a host government can claim plausible deniability while all the while cashing in on strategic gains. Attribution is notoriously difficult in cyberspace, so outsourcing should especially prevalent. Puzzlingly, strategies of cyber outsourcing have not widely diffused, even in countries where hackers are both highly capable and ideologically sympathetic to host state objectives. This article leverages a formal analytical model to hypothesize about why it might no longer pay to outsource to cyber proxies. Default explanations, including principal-agent problems, are neither sufficient nor necessary to explain recently observed patterns. Instead, I argue, new attribution technologies, particularly the willingness of states to make allegations about informal state-proxy links on the basis of circumstantial and cumulative rather than legally admissible evidence, mean that outsourcing carries no real added benefit to offset its risks. Normative momentum regarding the international law on state responsibility should only reinforce this trend as international audiences come to more fully accept nontraditional forms of attributive evidence.