The following is an excerpt from Cyber Mercenaries: The State, Hackers, and Power by Tim Maurer, co-director of the Cyber Policy Initiative at the Carnegie Endowment for International Peace. Parts of this excerpt also appear in Cyber War in Perspective: Russian Aggression against Ukraine, edited by Kenneth Geers and published by NATO CCD COE Publications.
At first glance, Kiev in the summer of 2015 seemed like an odd place to investigate the relationship between hackers and the state. It was a beautiful July weekend and people were out on the streets and in the parks. You could hardly tell that the country was at war. Not the old kind of war, the one with a declaration of war and soldiers in uniform. This was a war of the twenty-first century, where “little green men,” as the locals called the unmarked foreign agents, had appeared in the country to exploit local tensions and to escalate them into a bigger conflict. Over a year had passed since the eastern part of Ukraine had fallen into the hands of pro-Russian fighters, but the capital was relatively peaceful except for occasional violence, such as the deadly clashes in front of parliament that occurred in between my two research trips to Kiev. Nevertheless, the situation felt a bit surreal when I arrived at what looked like an old industrial complex a few miles south of the center of town to meet Eugene Dokukin, the self-declared commander of the Ukrainian Cyber Forces, one of Ukraine’s most prominent hacktivist groups. In contrast to the pro-Russian fighters in eastern Ukraine, who were an old kind of proxy, Dokukin and his cadre of followers were a new kind of proxy, adding a new dimension to an already intricate conflict.
Originally, my plan was to meet Mr Dokukin at a cafe near my hotel in central Kiev. However, a few days prior to our planned meeting, he changed his mind. He said that he had been planning to go to a classical concert and suggested we meet there instead. Based on our previous exchanges online, it seemed probable that he would cancel if I did not accept his change of plans, so I ventured to the location he provided. What looked like an old industrial complex turned out to be the historical Dovzhenko Film Studios, created in 1928 and named after one of the most important Ukrainian filmmakers, Alexander Dovzhenko. Once I had found my way through the maze of old buildings, I eventually got to an amphitheater of sorts where some 200 people, mostly families, had gathered to listen to classical music in the afternoon sun. After watching this scene at the birthplace of Ukrainian cinema for several minutes, I noticed a man making a movie of a more modern sort – standing with his back turned to the orchestra, he held an iPod in his hand, recording me on video as he passed by. A text message a few minutes later confirmed my suspicion that it was Dokukin. We spent the next hour walking in circles around the concert site with the classical music playing in the background, while Dokukin explained why he decided to form the Ukrainian Cyber Forces a year earlier, how they were structured, and his relationship with the government.
The 32-year-old Dokukin shared with me how he had used social media to start recruiting a group of (unpaid) volunteers angered by the Kremlin’s aggressive actions. Over the previous months, their number had fluctuated from several dozens to a few hundred, and primarily included ordinary people without a technical background. They were based not only in Ukraine but also abroad – for example in Germany and the UK, highlighting the transnational character of many of these hacktivist groups. Together, they carried out a series of activities, ranging from the unauthorized monitoring of CCTV cameras and troop movements in eastern Ukraine, to reporting separatist activities to Web companies such as PayPal in an effort to shut down the separatists’ accounts, to launching distributed denial of service (DDoS) attacks against websites and leaking sensitive documents from the Russian Ministry of the Interior that revealed details about separatists in eastern Ukraine being paid by Russian authorities.
Why did I become interested in proxy actors in the first place? When I started working on this book in 2013, the debate over whether there could be a cyber war was in full swing. But there was something puzzling: the debate was state-centric, while the media was full of reports about the significant role non-state actors play in this field, including private companies such as Gamma International and Vupen, hacktivist groups from Anonymous to the Syrian Electronic Army, and cyber criminals operating with impunity from different hotspots around the world. These reports were telling a different story in the shadow of the debate about whether cyber war will or will not take place, a story in which non-state actors have become increasingly active in cyberspace. States are only one subset of a larger group of actors with significant offensive cyber capabilities. In fact, the US Secret Service agent Ari Baranoff stated in 2014 that “Many of the [non-state] actors that we look at on a daily and weekly basis have capabilities that actually exceed the capabilities of most nation-states.”
I became particularly interested in the capabilities of these actors and the dynamic relationship between them and the state in peacetime, in wartime, and in the increasingly blurry space in between. How have these new global coercive cyber capabilities become organized? How do states use actors detached from the state to project power? And how do states that aspire to a monopoly over the legitimate use of force pursue these efforts in the context of offensive cyber operations? Looking back, my conversation with Dokukin was more than a bit surreal. Yet it was similar to other stories I experienced during the three-year research for this book, which took me to more than a dozen countries around the world, including China, South Korea, Mongolia, India, Israel, France, and the United States.
Between the origin of this book and its release, a lot has changed. The last twelve months alone have been full of noteworthy events that have raised greater awareness of this dynamic field generally and of proxies specifically. In March 2016, the US government unsealed two indictments against seven Iranian hackers and three members of the Syrian Electronic Army with details about their relationship to the Iranian and Syrian governments respectively. A year later, another indictment shed light on the relationship between the FSB and hackers in Russia. Meanwhile, in May 2016, US Cyber Command awarded a contract of USD 460 million to six private security companies that included assisting with offensive cyber operations. In China, the government has been actively supporting cyber militias at universities and companies during the past several years. A member of Russia’s State Duma has openly acknowledged that the Nashi youth movement was mobilized to support the DDoS attack that flooded and crashed the websites of the Estonian government in 2007. A hacker in a Colombian prison boasted in an interview with Bloomberg Businessweek that he had been hired by political campaigns in various Latin American countries, and the hack of the Italy-based company Hacking Team shed light on a globalized market of cyber capabilities.
These examples not only illustrate how states outsource certain functions to non-state agents but also shed light on the much murkier reality in which states cultivate loose relationships with actors that are not formally part of the state, yet work to its benefit. This is an under-appreciated phenomenon.