'Cyber Mercenaries: The State, Hackers, and Power' by Tim Maurer

The author of the book, Tim Maurer, explores the secretive relationships between states and hackers. While writing this book, a process which took three years, he spoke with over four dozen experts from more than a dozen countries on three continents, who shared their thoughts, experience, and expertise. Cyberspace has become the new frontier for geopolitics, says Maurer, and states have started using hackers as proxies to project power. More and more states are using supposedly independent hackers as proxies to project power both at home and abroad. According to some, more than 30 countries are now pursuing offensive cyber capabilities.

Identifying the adversaries behind a cyberattack is often the toughest part of cybersecurity. Not only are hackers skilled at covering their tracks, but they can plant evidence that implicates an innocent party. This inability to identify an attacker makes it almost impossible to stop them or, more importantly, prevent such attacks. Nation states are increasingly exploiting this challenge by conducting cyber operations through third-party groups—so-called cyber mercenaries. But despite this growing threat to national security for policymakers, military leaders and businesses alike, Maurer feels we have not done enough to protect against it.

The problem also lies in the fact that such modern-day mercenaries and privateers can cause significant harm, undermining global security, stability, and human rights. Also, hacker networks can be active and grow long after a nation state ends its sponsorship, and they can move from country to country to evade criminal prosecution.

The author explores how different countries pursue different models for their proxy relationships, with all of them facing the common challenge of balancing the benefits of these relationships with their costs and the potential risks of escalation.

Maurer's book is divided into three parts, and examines case studies in the United States, Iran, Syria, Russia, and China for the purpose of establishing a framework to better understand and manage the impact and risks of cyber proxies on global politics. In the first part of the book, the author focuses on proxies and the significant harm they can cause. He explores cyber proxies' power and what their capabilities are likely to be used for, as well as the problem of attributing a malicious cyber action to its source. He also outlines the analytical frameworks helpful in the study of cyber proxies, including a review of the various manifestations of proxy relationships throughout history. 

Maurer further provides an overview of the geopolitics of cyber power and the different perspectives of Russia, China, Iran, and the United States. He uses these countries as the focus of case studies, which describe in detail the different types of proxy relationships. This part underscores the second main argument of the book, that how states use cyber proxies is not very different from how states have used conventional proxies. What proxies do helps tell us how their state sponsors think about cyberthreats and how they try to project power online. Moscow, Beijing, Tehran and other governments think in terms not of cybersecurity but of information security — a more expansive concept, including content and the control of information.

The third main take-away from this book is the diffusion of reach, which allows state and non-state actors to cause effects remotely across vast distances through offensive cyber operations. In the third and final part of the book the author deals with the implications of cyber proxies and how to effectively manage them. Ensuring that proxy hackers do not escape their masters and countering their malicious behaviour poses major policy challenges. Maurer reviews the utility of international law and its nuanced distinctions for taking action against malicious activity by a cyber proxy, and discusses the different approaches for managing proxies held on a tighter leash as well as those on a loose leash.

If you are interested in reading the book, it is available at the Library.

• Drop in and take a look or borrow it

Tim Maurer is the co-director of the Cyber Policy Initiative and a fellow at the Carnegie Endowment for International Peace. He is the author of numerous security analyses, and his work has been published by Foreign Policy, CNN, Slate, Lawfare, Jane’s Intelligence Review, TIME, and other academic and media venues. Maurer has been focusing on cybersecurity, human rights in the digital age, and Internet governance, currently with a specific focus on cybersecurity and financial stability.

• The Council library is located in the Justus Lipsius building, at JL 02 GH, Rue de la Loi/Wetstraat 175, 1048 Brussels (Froissart entrance) – opening hours Monday to Friday 10.00 – 16.00.
• It is open to all staff of the Council of the European Union and the European Council, trainees, permanent representations of member states, staff of other EU institutions and bodies, and researchers and students upon request. Access to some library holdings may be restricted to on-site consultation.