Because the finding of the source of an attack is aggravated, the attackers gain the possibility of plausible deniability. While there are normally some indicators where the attackers are based, they regularly try to hide behind a network of intermediate servers and purposely add false information in their code and actions to blur their traces. The time of activities or the naming of variables is for example circumstantial evidence in finding attackers. The problem is that attackers know this as well. In most cases, real progress in investigating the root of the attack is only made by intelligence services that use other methods besides analyzing the code. However, even if state actors concluded who was behind the attack and sanction those attackers, they will still dispute those actions and use this “injustice” as an argument for putting themselves in the victim role or for countermeasures.

While such covert actions by state actors are nothing new (assassinations, secret service, etc.), the effectiveness of deniability increased because of physical contact being unnecessary for most of these attacks. For the same reason, attacks are also more likely to stay undetected and can therefore be executed over a longer time. This results in a big problem for cybersecurity research: Only attacks that were found can be analyzed but the news show over and over that attackers can stay in a system for multiple years without being detected and are sometimes found only by accident. Therefore, we need to expect that for every found attack there are many more that are still happening and may never be detected. 

Being found on the other side, is also a strategy in itself. Appearing in a critical system can be seen as a warning signal: “We can get here if we want to and we want you to see us”. This can be used to intimidate the enemy and spread distrust in the state about the own defense capabilities (Cormac and Aldrich 2018). 

It is important to highlight that different agendas result in different targets for cyber attacks. While the attack on ‘soft goals’ like airports and general infrastructure can have a big effect on the trust of the public in their government (and the fear of another state), an attack against governmental institutions are normally made to access secret information and to collect intelligence against an (potential) enemy. Like normal “war”, there is not one single goal to destroy the enemy physically but many different ones (Iasiello 2015). 

Less mentioned are attacks on private individuals in the context of state security. Attacking and accessing the system of the right person can be used to gain information either about the person or about their role in a company or government. If attackers find something which can be used to blackmail the person they have the leverage to bring this person to work in their interest. If they may find out that the person uses the same USB stick both on their private and their company device, they have a perfect entry point without the need to penetrate the system from outside. 

The focus of defense policies is still critical infrastructure though, which is basically “all systems and assets whose incapacity or destruction would have a debilitating impact on the national security and the economic and social well-being of a nation.” (Dunn Cavelty 2015, 439). An attack can lead to whole cities (for example if multiple hospitals are without their IT system) or even the whole country (it is an open secret that the weapon developments of North Korea are manipulated by foreign state actors which lead to many failed rocket starts) being impacted.

In the realm of national security, just over a decade ago, cyberattacks were “missing entirely” from global threat assessment reports prepared for the US Congress; today, cyber risks dominate national security concerns (Sanger 2018, xii). There is an observable dispersion of offensive cyber capabilities: states do not hold a monopoly of this class of weapons; in fact, they largely depend on the private sector to develop such capacities. (Seligman 2018, 51) This fact is set in the wider phenomenon of the empowerment of non-state actors.

Despite the advantages that private actors hold in cyber technology, states remain the dominant global actors. (Kello 2017, 161)  One reason for this is that they can flexibly and effectively harness other sectors for their objectives.

Lucas Kello argues in his book The Virtual Weapon that cyber politics exhibits two primary conditions: the traditional state’s system, and the “chaotic ‘global’ milieu” of non-traditional actors, (Kello 2017, 12)  and he attempts to explain “how these two universes converge and collide”. (Kello 2017, 12) When we see cases of governments collaborating with criminal organizations to further their policy goals, this is an example of a convergence of these two realms. An important consequence of the rise of cyber technologies is a heightened state of global anarchy, comparable to the seas in the age of privateering. (Egloff 2015) 

The main advantage of cyber warfare is that it uses an asymmetric strategy. The higher the technology of a potential enemy is advanced, the higher is the risk that there are security flaws in the system because of its complexity. Contrary to the traditional military field, a nation-state is more likely to be a good target the better equipped he is (Iasiello 2015).

While cyber weapons have many features that make modern warfare more dangerous and less assessable, there is a low chance that there will be a war in its full form with cyberspace as its only battlefield. Realistically, it will be one of many battlefields next to traditional military attacks and information propaganda to achieve a broader goal (Iasiello 2015). 

This also means that it is highly unlikely that state actors who concentrate a large part of their resources on cyber capabilities would try to start a war with a state stronger in traditional military tactics. Because even if they succeed in sabotaging for example the electric grid, a counter-attack via drone strike or a missile would inflict longer lasting and more fatal damage on them. Fittingly, most of the observed cyber activities executed against state targets have come during times of diplomatic tension and conducted largely by non-state actors operating as state proxies. They are therefore more of a tool to keep the enemy on its toes but not to go in full war mode (Iasiello 2015).

What is a common cyber-attack? 
Difficult to give one single answer to this question. It depends on what the attacker wants to achieve. Let’s say I’m interested in you as a person, it’s probably quite different trying to attack a whole company or even a governmental department. There are basically two ways, one is more technical. You will try to find vulnerabilities in the system, some entry point: a weakness or exploit. The other point of entry is people, either because you want them to do something that benefits you or you want to gain access to a system via this person. For example, here in the Netherlands, we have had a case with the cinema chain Pathé where they used scamming and phishing techniques to get the chain to transfer 19 million euros to the scammers which is quite a nice profit margin. For whatever the effort was worth, still, the only thing to do is to get those people to transfer the money so they don’t necessarily need full access to their financial systems. They actually used the employees there. For technical attacks, you want more access to the system so you can actually implement new code and benefit that way.

Did something change in the approach to cybersecurity in the past years? 

There has been a bit of a transition from attacking the technical side of cybersecurity by trying to figure out where software developers have made mistakes to more human-based attacks. It doesn’t mean that it didn’t happen at all 20 years ago, there were always social engineers who could get access by pretending to be someone you know, but I think nowadays we’re much more aware that even if your system is technically fine, the people have to work with it are still of value from the attacker’s point of view. Let’s say you design a system perfectly well to be completely cyber-secure. If a person then just gives their username and password to anyone who asks for it, people can get in that way, so I think there’s more understanding nowadays about this human factor in cybersecurity 

Do you think that the state itself can produce laws that can defend against something like that? Do you think there can be a state-level law that says you need to do this and that training or are those computer systems so different that you basically can’t do anything about that?

I think the issue with laws is that it takes quite a while to get them implemented and updated. Technology goes at such a quick pace that it’s difficult to really say you have to have that or that. You could, of course, start looking a bit more into who we hold accountable if something goes wrong. For example, in the UK some organizations were taking physical health and safety very seriously because they knew that the CEO itself could end up in jail if someone died on the job and they could have prevented it. You have to provide a safe work environment and it’s your responsibility not just as a company but also you can be personally liable apparently to some extent. With cyber that generally doesn’t seem to be the case so in that sense you could argue that if you would make people more personally liable higher up in the chain of command when things do go wrong that perhaps that might make a difference. The downside of course is that it might also mean that organizations are less likely to report if something has happened because they’re worried about their own well-being and their own liability. I think that it’s difficult but you do see states doing more and more often running campaigns and setting up services to help organizations. Both the UK and the Netherlands have what we call a national cybersecurity centre which is basically a part of a governmental department. That provides help to for example critical infrastructure organizations when it comes to cybersecurity. If they realize that a new attack is coming or that a new way of attacking is becoming more and more popular they can inform those organizations. 

How could companies themselves do better? How many days should they spend on cybersecurity defence and is there a best practice right now?

Most people still think cybersecurity is not their problem right and so in an organization you need to get everyone. The technical people need to make sure that the infrastructure is as secure as possible. That also includes, for example, not giving everyone access to all systems but only to systems that you really need for a job you’re currently performing. On the other side, it’s about getting everyone on board and understanding that everyone has information that you preferably would not want out on the streets. For me, for example, I don’t have a lot of that kind of information in my job but what I have of course are student grades. Those shouldn’t get out into the public. You could imagine that it’s not very nice for people who maybe didn’t do very well. Other people might even don’t want the world to know what they’re studying. It’s my responsibility to try and make sure that that data will never be leaked. In organizations, people need to have that understanding and that’s difficult to achieve because most people prefer to consider cybersecurity an IT problem and let the IT department sort it out.

Could the IT department do it any better? I know there’s some kind of training sometimes from an IT department where they try to trick the other ones to be scammed. Is that a good solution?

I think it makes sense to do so in the sense that you want to get a bit of an idea of how well we are doing. You want to have some baseline. The issue with that is, I think, that they usually then offer additional training to the people who did take on the phishing email but that assumes that the other people all consciously avoid clicking. They might have been too busy or they might have already heard from someone else that it was a phishing email rather than they actually know how to recognize one, so you would ideally run training for everyone. The other thing we see is that it works better when you can make the training personally relevant, so with phishing, this is relatively easy because everyone also has an email address at home or some form of accounts that you don’t want people to get into necessarily. What is already more difficult, is to get people for example to lock their screen when they leave their desk. I trust the people around me but people in organizations don’t realize that sometimes people might get in who you don’t necessarily want in. For example, you saw this last week with the attack on the capitol in the US. People had to be evacuated ASAP but it also meant that a lot of people did not lock their screens and suddenly the insurgents or whatever the official wording should be by now had access to systems and could just kind of go into the emails. 

What are common misconceptions?

We had already a few points. Many people still see it as a complete technical problem which also kind of gets people to avoid responsibility, so if I click on a phishing email, am I ready to be blamed because shouldn’t the IT department prevent this from getting to my emails in the first place? The second thing is that people don’t realize their own importance. Many people in an organization are not relevant to a hacker on a personal level but attackers do know that these are the people that might have access to quite a lot of systems and that they are instrumental in that sense. If I want to get to a higher level in the organization, it helps if I first can get any organizational account with admin privileges to create an email address and password for me. Then, I can move up the ladder and start sending emails around from within the organization. Some organizations for example have these warnings if you get an email from outside your organization which you can then bypass.

Where do you see improvements in policymaking? What are the next steps?

It would be helpful if organizations are more open about what’s going on but they are in many cases still quite reluctant to share if stuff has gone wrong. There are updated laws that say if you’ve got a data leak you have to report it. One other thing which you see now happening as more of a discussion is what do you do with ransomware attacks? Do you pay them? Yes or no? On an individual level, you pay them because then you at least have access back to your systems and you can continue where you were. In a lot of cases, the amount is set at such a rate that it’s a lot of money but it’s cheaper than having to rebuild your whole infrastructure. On a more global scale or on a national level, paying them actually means you give more resources to people who know how to carry out ransomware attacks meaning that even though you might not be attacked any more others might be and the attackers get more sophisticated through their gained resources. In a way, you’re funding criminal activities. It’s really difficult to see what is the best solution? Is it better to be kind of idealistic and say we don’t pay, end of the story, or is it the more pragmatic way of okay but if we pay at least we can quickly move on? 

Russia has been a fast and keen adaptor to cyberspace as a new domain for competition and conflict in the international arena. “While ranked sixth in latent cyber capacity, Russia is the second most active state when it comes to going on the offence in cyberspace.” (Valeriano et al., 2018, p. 110) The Kremlin has made extensive use of this kind of operations as support in military campaigns and also in broader political objectives internationally. Valeriano et al (2018, p. 112) highlight the importance of non-state actors for the country’s success in this domain asserting that Russia’s entire cyber ecosystem is “…integrated into an extensive criminal network” and that there exists “…a symbiotic relationship between Kremlin cyber operatives and cyber criminals.” In terms of its goals, Russia tends to use cyberspace to disrupt its opponent’s functioning by means such as DDoS (Distributed Denial of Service), trolling and vandalism in general. (Valeriano et al., 2018, p. 159)

Two specific cases stand out regarding Russia’s use of cyber tools for political goals. The first refers to the role of cyber-attacks against its neighbours Georgia and Estonia. During the Russo-Georgian War of 2008, the purpose of the Russian cyber-attacks was to hamper its adversary’s capacity to communicate and mount defence against the invasion, as well as sowing confusion and fear. In the case of the cyber-attacks against Estonia in 2007, the technique was similar – to disrupt communication. Although the latter was not a war, “unsophisticated but intense” cyber attacks were carried out against Estonia’s vital computer infrastructures” (Kello, 2017, p. 212) and the final goal of the cyber operation was similar: the Russian side sought “to weaken the enemy in his own perception”, this being a “refinement of Russia’s century-old doctrine of information warfare”. (Kello, 2017, p. 213) Importantly, Kello notes that the botnet attacks against Estonia and Georgia “were mostly carried out by private actors” in support of Moscow’s objectives. (2017, p. 174)

In a different case of Russia benefiting from sowing confusion abroad, there is the well- known case of the country’s social media meddling during the 2016 elections in the United States of America. The goal here was to exacerbate political polarization across American society with the intention of weakening the country from within instead of mounting an external attack. This use of information is closely linked to the Gerasimov doctrine and the blurring of war and peace. This doctrine recognises that power no longer resides solely in physical space and its main purpose is not to augment war (though this may be so in some cases), but to “circumvent it by opposing the adversary where his vulnerability is greatest and his doctrinal understanding retarded”. (Kello, 2017, p. 219) In the case of democratic countries such as the USA, the target of this doctrine becomes the open information spaces that allow democracies to function.

Although it may be difficult to quantify the level of success that Russia has had with these goals in cyberspace, it is clear that this domain has enabled it to achieve, or at least, come closer, to its goals. However, “despite Moscow’’ s frequent use, not to mention the sheer audacity and high-profile character of targets” Valeriano et al (2018, p. 141) affirm that Russia is not a cyber superpower; there are other countries more capable in this domain.

The case of China with regards to cyberspace is noteworthy for the scale of its activity and the nature of its goals. The East Asian giant has been a key player in cyberspace in recent

years, at once conducting extensive covert cyber operations and also, more recently, seeking to shape an international order around cyberspace. China is considered the “most active cyber state in the international system to date” and has had two main areas of focus: first, using cyber-espionage as a tool for catching up technologically with more advanced countries, and second, employing cyber-surveillance and control as a means for Beijing to maintain political dominance within the country as well as across the broader Asia-Pacific region. (Valeriano et al., 2018, pp. 142–143)

The main goals that China pursues in cyberspace can actually be recognised within the December 2016 C“ hinese National Cyberspace Security Strategy.” This document is organized around three g“ rave threats:” political stability, economic progress, and culture solidarity. (Creemers, 2016) Technological development is essential for economic growth, and this, along with the country’s extensive cyber-surveillance systems are instrumental in maintaining the current political order. When it comes to China’s use of cyber tools in the international arena, whether this be for theft or for defence purposes, in general, Beijing’s “cyber doctrine specifically focuses on three tasks: (1) identify vulnerabilities and exfiltrate data, (2) target communications networks to constrain the adversary, and (3) serve as a force multiplier”. (Pollpeter, 2015, p. 157)

One of the most infamous cases of Chinese theft of intellectual property carried out through cyberspace was that of the American F-25 fighter jet. Throughout the 2000s Chinese attacks against American targets were increasing. In particular, an important goal was to gain access to military hardware secrets that could be used by China to replicate the technology without first having to go through the arduous process of developing it themselves. By 2008 Chinese hackers had got into Lockheed Martin’s supposedly confidential networks and stolen plans related to the F-35 fighter jet. This impressive victory for the Chinese predictably caused outrage and even lead the head of the National Security Agency to aver that that operation constituted “the greatest transfer of wealth in history”. (Sanger, 2018, pp. 18, 203)

Throughout its history with cyberspace, China has been renowned for its espionage and theft. However, nowadays the country seems to be adding a new trait to the mix, presenting itself as a responsible actor, focusing more on stability than on quick gains. Valeriano et al observe that currently “China is not an aggressive actor” and is instead acting in a more restrained manner since the 2015 diplomatic agreement between Obama and Xi, a moment these academics believe to be a likely watershed moment in international cybersecurity relations. (Valeriano et al., 2018, p. 147)

As mentioned in the interview with Prof. Dr. Choucri, China practically has no non-state actors in the cyber domain. Interestingly, though, China has made use of the plausible deniability characteristic of cyber-attacks in an attempt to mask its direct responsibility for some attacks, albeit without much success. Thus, to carry out its operations, China has consistently relied on state-connected actors with a semi-independent appearance over the past years. This has allowed Beijing to obtain the information it seeks, whilst having a way of denying official involvement, although it has not been very plausible. An important case of this are the groups of hackers who work for Unit 61398, the cyber force of the People’s Liberation Army (PLA). Although these hackers have “clear ties to the PLA”, they are known to operate from private addresses rather than official buildings. Furthermore, these “prodigious thieves” have multiple employers in Chinese companies, blurring the origin of their orders, but nonetheless making it easy to conclude that there is state involvement. (Sanger, 2019, p. 102-103)

As is mentioned in the interview with Prof. Dr. Choucri, in the long term the goals that states pursue in cyberspace are the same goals they pursue in more traditional domains, because the fundamental goals remain the same (e.g. security, well-being, preservation). Thus, there is a convergence in the long run of ultimate goals. With regards to the short term, it is possible, however, to differentiate amongst sub-goals in particular domains.

In this project we have identified three broad categories of short-term goals that states pursue in cyberspace. The first and best understood category concerns the expansion of the technology itself and its integration within a country. This is pursued because of the economic benefits that digital technologies bring to business, such as efficiency and access to larger markets. The second and third goals relate directly to cybersecurity, each one reflecting the two sides of the security coin: defence and attack. Thus, the second category focuses on defending a nation’s information and the infrastructure that houses and/or depends on it, whilst the third category relates to aggressive (often illicit) actions that involve breaching other actors’ private cyber systems in order to gain an advantage. Given this project’s topic, we will focus on the latter two categories concerning cybersecurity-related goals.

The digital domain and its insecurities provides states with unique opportunities to pursue and fulfil a large array of policy objectives, both licit and illicit. Focused on the manipulation of information and the technology that processes it, cyber operation applications range from the ideological to the infrastructural, and from domestic policies to grand strategy. Furthermore, the way cyber operations are conducted also provides unique advantages; as Valeriano et al put it, “the ambiguity of cyberspace shields decision makers from hawks, who will demand higher rates of escalation, and doves, who will demand appeasement.” (2018, p. 78) The versatility of cyber tools is due to some of the characteristics already mentioned, including low costs, anonymity and a low risk of reprisal through plausible deniability.

In order to understand how states can pursue such varied goals in the digital domain, one should be aware of the main security aspects of cyber technologies. The security challenges (or, from the attackers perspective, opportunities) of cyberspace are typically summarized in what is know as the CIA triad of cybersecurity. This acronym stands for Confidentiality, Integrity, and Availability, and each of these concepts are defined by the authors Hoffman and Zahadat as follows:

Confidentiality: “The protection of information from unauthorized or unintended disclosure. Threats to confidentiality can include data exfiltration, spyware, or network snooping, among others.” (2018, p. 120) When it comes to confidentiality, the attacker’s goal tends to be focused on gaining access to data, whether the motivation be disclosure or intelligence. The common way in which confidentiality is protected, is through encryption, however, depending on its sophistication, the attacker could still gain access.

Integrity: “The integrity prong of the CIA triad refers to the protection of information against

unauthorized alterations.” (2018, p. 121) When an actor attacks the integrity of a target’s data, the goal is to change, delete or otherwise corrupt valuable assets. This kind of attack is typically carried out via malware, which can use such techniques as buffer overflows, taking advantage of how computers’ memories work to overwhelm them, compromising the integrity of sensitive data.

Availability: “The availability prong of the CIA triad refers to ensuring that the information can actually be accessed by the appropriate parties. Availability is important because there is no point to securing information systems if that information cannot be accessed.” (2018, p. 122) When availability is compromised, it means the attacker is seeking to prevent legitimate users from accessing the data. In other words, it is a malicious blocking or unauthorized denial of access to resources. A typical example of this is a Denial of Service attack (DoS), which is achieved by disrupting services to a host connected to the internet by flooding the targeted machine with superfluous requests in an attempt to overload the system.

These are the traditional three components of the CIA triad of cybersecurity. However, it is worth mentioning that Edward Amoroso (2013) adds a fourth element to the triad, Fraud as a separate item. Thus including a fourth element, we may refer to the group as the CIA triad + F. Fraud involves the malicious theft or unauthorized use of services without payment. In this case, the greatest motivation for the perpetrator is financial gain.

The following table summarizes these key characteristics of cybersecurity.

When states pursue covert objectives in cyberspace they are usually directly related to the security challenges of the CIA triad + F, as well as their motivations. In the case of defence goals, the overarching purpose is to protect all four elements from any kind of malicious access, modification, corruption, compromise or theft. Regarding goals involved in the attack perspective, spying in cyberspace fits with the confidentiality category, destruction of information or even of hardware comes under integrity, blocking access to internet-based information or services is a violation of availability, and, to include the fourth element, any kind of theft, for example that of intellectual property, comes under the fraud category.

Having explored this, let us look at the nature of cyber attacks themselves. The types of vulnerabilities and motivations are made clear by CIA triad + F, but what type of goals predominate? It is important to stress that what we witness in cyberspace is a limited kind of conflict and it is not war. This conflict “…mainly falls in the domain of limited coercive operations and actions designed to alter the balance of information as well as manage escalation risks in long-term competitive interactions.” (Valeriano et al., 2018, p. 2) According to the same authors, in general terms, the cyber strategy of states regarding “attacks” includes the following activities and/or goals in the international arena: disruption, espionage, and degradation.

These goals are pursued with varying degrees of success and intensity by different states, but in all cases, the cyber attacks do not come within the range of provocation of what would traditionally constitute an act of war. These dampened weapons “…are now used by nations every day, not to destroy an adversary but rather to frustrate it, slow it, undermine its institutions, and leave its citizens angry or confused. And the weapons are almost always employed just below the threshold that would lead to retaliation.” (Sanger, 2018, p. xvii)

In addition to these goals, Valeriano et al also note that cyber technologies aid states in achieving goals related to covert power-signalling and sometimes even coercion. Although the use of cyber operations to attain goals related to compelling other actors does occur, the authors state that they are more often used to “…signal and steal as a means of shaping long-term competition”. The breadth of scope that cyber operations provide also makes them useful as part of “crisis bargaining strategies” amongst states. (2018, pp. 9–10) Similarly, Joseph Nye identifies four strategies in cyberspace that states follow as forms of deterrence: punishment, denial, entanglement, and norms: “…entanglement and norms are restraining factors, while punishment and denial are traditional coercive options where costs are imposed.” (2017, p. 30)

Although generally cyberattacks are carried out below the conflict level of war, this does not mean that they are not used directly for martial purposes. Indeed, they have already been used in war (see the example of Russia below) and have proven to be a valuable addition to conventional military tools. Some authors aver that, for cyber offensives to have lasting effects in a military setting, the virtual attack must be combined with physical intervention. In other words, rather than referring to an independent domain of “cyberwar” this operations function as part of a broader coordinated military action. (Gartzke, 2013, p. 63)

In order to perform a complementary analysis of the bibliographic references used in this research, a text analysis was implemented using the text mining approach (Silge and Robinson, 2017), with the statistical software R. Taking into consideration this approach, a series of text analyses were implemented at a statistical level, resulting in a series of visualisations projected through the website designed within the framework of this project, in order to identify a series of patterns, relationships between concepts, actors involved, among other elements.

In this way, a network graph was developed, taking into consideration all the bibliographical references used in this project. In addition, this analysis allowed the identification of those concepts that are frequent in each chapter of the document of this research, which were visualised through the word cloud graph. In general terms, the approach used was carried out considering the following information processing and analysis stages (Welbers et. al., 2017):

In this context, for the implementation and vizualization of the network graph, were considered the following steps.

1. All the bibliographic resources used in the research were classified according to the type (paper, article, book, news, journal, among others).
2. All the bibliographic resources were consolidated in one file in order to proceed to its upload in the software.
3. Once the file is uploaded in the software a first step is to consolidate the data in a dataframe, in order to create a table where each word is allocated in each row of the table.
4. Then was applied a clean process of the data, in order to its standardization and remotion of all the elements that nor contribute to the qualitative analysis making it easier to compare or combine the data with other datasets. In order to implement this process, the following steps were taken:
   • Remotion of the punctuation of the data.
   • Becoming all the characters to lowercase.
   • Delete double or more spaces between words.
   • Remotion of the  numbers of the data.
   • Remove stopwords, which are all those words that are frequent in the english grammar, but provide little information about the essence of the text. In this context, these types of words are articles, prepositions, conjunctions, among others that the only function is to provide context and connection among the words that conform the text.
   • Remove all the blank rows as a result of the implementation of the previous steps.
5. Once the text is cleaned, the data is analysed according to the frequency of each word in relation to the text, storing the data in a new table with the frequency number.
6. Then the data is organized into consecutive sequences of words, called n-grams. In the case of this analysis, bigrams were created in order to establish the correlation between a tuple of words.
7. The next step is to extract a sample of the correlated tuple of words of the data, in order to visualise it.
8. Finally, the data is visualized in a network graph, in order to identify not only the correlations among words, but also those keywords related to data analyzed.

In order to visually identify the level of correlation among words, the variables “stronger” and “less stronger” are defined. Based on this, each word was tokenized into consecutive sequences of words, in this case in bigrams as was previously mentioned. According to this definition, it is possible to identify how often the word A is followed by word B, allowing to build a model of the relationships between them (Silge and Robinson, 2017).

Therefore, a network graph is created considering several nodes of relationship, classified by the nature of the word inside this network. In this context, the “stronger” variable is defined for those words which represent the highest rate of correlation among the following words in the graph. On the other hand, the “less stronger” group considers all those words, whose correlation rate is fewer than the stronger ones. However, this does not mean that there is no correlation between a stronger word and a less stronger word, but the correlation rate is fewer.

In addition, based on this approach and according to the information of each chapter a word cloud graph was developed for the purpose of identifying and communicating the key concepts of each chapter of this document (Silge and Robinson, 2017). Thus, once the data processing in step 5 (above) had been completed, a manual cleaning of the collected data was conducted, in order to eliminate all words that were not related to the purpose of this project, and then graphed with the assistance of the statistical software R.

In the last decade, most news around outsourcing cyber activities revolves around Russia. This could be due to the reason that Russian president Vladimir Putin himself served for 16 years in the KGB, Russia’s primary security agency. He is very experienced in the area of international intelligence and espionage. Even though Russian high-executives obviously deny such outsourcing activities, Putin’s tone regarding the issue is quite different:  “If they are patriotically minded, they start making their contributions – which are right, from their point of view – to the fight against those who say bad things about Russia,” he said on the fact that patriotic Russian hackers may have been involved in the DNC hacks in 2016. This shows that some countries do not even consider using a negative tone towards cyber criminals and define them as “patriotic” personages.

Also, in Rossiiskaya Gazeta (government newspaper) a deputy minister of defense, Gen. Oleg Ostapenko, said the science squadrons might include hackers with criminal histories. He claimed that it is a matter of discussion to use scientific potential. There are many more incidents in which we see Russia outsourcing their cyberactivity, but one last noteworthy example is an article from online newspaper Meduza, in which it is stated that “the Russian intelligence community is still actively recruiting hackers in exchange for closing the criminal cases against them”. In July 2018, for instance, a court in Belgorod dropped the charges against a local man accused of committing 545 cyber-attacks against the Federal Security Service (FSB), but the case was dismissed at the service’s request.

The case of China with regards to cyberspace is noteworthy for the scale of its activity and the nature of its goals. The East Asian giant has been a key player in cyberspace in recent years, at once conducting extensive covert cyber operations and also, more recently, seeking to shape an international order around cyberspace. China is considered the “most active cyber state in the international system to date” and has had two main areas of focus: first, using cyber-espionage as a tool for catching up technologically with more advanced countries, and second, employing cyber-surveillance and control as a means for Beijing to maintain political dominance within the country as well as across the broader Asia-Pacific region. (Valeriano et al., 2018, pp. 142–143) 

The main goals that China pursues in cyberspace can actually be recognised within the December 2016 Chinese National Cyberspace Security Strategy. This document is organized around three grave threats: political stability, economic progress, and culture solidarity. (Creemers, 2016) Technological development is essential for economic growth, and this, along with the country’s extensive cyber-surveillance systems are instrumental in maintaining the current political order. When it comes to China’s use of cyber tools in the international arena, whether this be for theft or for defence purposes, in general, Beijing’s “cyber doctrine specifically focuses on three tasks: (1) identify vulnerabilities and exfiltrate data, (2) target communications networks to constrain the adversary, and (3) serve as a force multiplier”. (Pollpeter, 2015, p. 157) 

One of the most infamous cases of Chinese theft of intellectual property carried out through cyberspace was that of the American F-25 fighter jet. Throughout the 2000s Chinese attacks against American targets were increasing. In particular, an important goal was to gain access to military hardware secrets that could be used by China to replicate the technology without first having to go through the arduous process of developing it themselves. By 2008 Chinese hackers had got into Lockheed Martin’s supposedly confidential networks and stolen plans related to the F-35 fighter jet. This impressive victory for the Chinese predictably caused outrage and even lead the head of the National Security Agency to aver that that operation constituted “the greatest transfer of wealth in history”. (Sanger, 2018, pp. 18, 203) 

Throughout its history with cyberspace, China has been renowned for its espionage and theft. However, nowadays the country seems to be adding a new trait to the mix, presenting itself as a responsible actor, focusing more on stability than on quick gains. Valeriano et al observe that currently “China is not an aggressive actor” and is instead acting in a more restrained manner since the 2015 diplomatic agreement between Obama and Xi, a moment these academics believe to be a likely watershed moment in international cybersecurity relations. (Valeriano et al., 2018, p. 147) 

As mentioned in the interview with Prof. Dr. Choucri, China practically has no non-state  actors in the cyber domain. Interestingly, though, China has made use of the plausible  deniability characteristic of cyber-attacks in an attempt to mask its direct responsibility for  some attacks, albeit without much success. Thus, to carry out its operations, China has  consistently relied on state-connected actors with a semi-independent appearance over the  past years. This has allowed Beijing to obtain the information it seeks, whilst having a way of denying official involvement, although it has not been very plausible. An important case of  this are the groups of hackers who work for Unit 61398, the cyber force of the People’s  Liberation Army (PLA). Although these hackers have “clear ties to the PLA”, they are known  to operate from private addresses rather than official buildings. Furthermore, these  “prodigious thieves” have multiple employers in Chinese companies, blurring the origin of their orders, but nonetheless making it easy to conclude that there is state involvement.  (Sanger, 2019, p. 102-103) 

Reports from both Iran and Israeli state officials have claimed that their governments have been under cyberattacks. Even though the two parties do not accuse each other directly, private actors within the borders of the two countries are taking the responsibility. In July 2020, an anonymous Iranian group, Cyber Avengers, claimed to have launched a series of cyberattacks on Israel’s rail infrastructure in retaliation, and warned that “the worst is yet to come”. Iranian Cyberwarfare analyst Hussein Estahdadi claims that Iran themselves face cyberattacks every 15 seconds, but that most of them don’t affect infrastructure, and that “Iran has now revolutionized its cyberspace capabilities which don’t allow adversaries to cross the red line”. In May 2020, an Iranian port suffered a major cyberattack that was linked to Israel and was viewed as a response to Iran’s cyberattack on Israel’s water distribution system earlier.

Due to the complexity in tracing an attack, there is no simple solution to the challenges. However, there are some steps that could be taken. Some Canadian companies like Vineyard Networks and Sandvine have been accused of selling surveillance technologies to foreign governments, in which these private companies also sell private information regarding Canadian citizens, government officials, or military forces. Here, we require a greater transparency in Canadian law with regard to cyber-security breaches, such as stronger data breach disclosure laws.

Besides that, governments must adapt the cyber domain directly in their foreign policy as well. Cyber related issues should be given priority when negotiating bilateral or multilateral arrangements, especially with authoritarian regimes. Here, countries should be pressured to take more responsibility in the cyber domain which originate from their borders. Also, there will be left a void left by the international agencies and rules, which should be filled by NGO’s with tracking, monitoring, and exposure activities. Most likely, they will do a much more transparent reporting compared to the governments themselves.

Even though these suggestions are not entirely demolishing the power of plausible deniability, they could be initial steps. One thing we know is that threats around the cyber domain are growing and getting more complex lately, which shows that we cannot ignore them. States and organizations across the world need to be ready for the possibility of a highly targeted and effective attacks.

It is widespread known that many governments are turning a blind eye to cybercrime as long as foreign governments are targeted. Through outsourcing, states can make use of the deniability regarding being related to the crimes. Today, the practice is seen all over the world – particularly in authoritarian countries, such as China, Russia, Iran, and North Korea. However, this does not mean that other states do not outsource their cybercrime activities; the difference lies in the fact that these countries are more successful in lifting the link between the state and cybercriminals. An example of outsourcing activities, or in other words, government-backed cybercrime, is simple hacking. The private actor works to promote a nation’s interest at home or abroad, which could be ranging from a critical website for a state to financial systems of an entire country. Most of the time, confidential information is being leaked through these activities, and generate revenue, status, and reliability loss for the state at stake.

The impact on the national stage of such outsourcing is immense, with the attacks surrounding the US 2016 presidential elections as an example. In this instance, attackers had gained access to large amounts of sensitive data, showing their ability to influence a national election. Plausible deniability plays the biggest role in outsourcing: We all know the truth, but it cannot be proven. The effect of this ‘unproven’ relationship between the state and cybercriminals has developed a sophisticated and semi-protected criminal industry.

Outsourcing cyber activities to private actors has become so widespread today, that there is a global chess game going on between states. A big motivation behind outsourcing – and not just leaving the activities to the criminal’s nationalist beliefs – is that huge government funding makes attacks noteworthy and effective. With more resources, foreign companies and states can be targeted directly. According to Verizon’s 2019 Data Breach Investigations Report, nation-state attacks have risen from 12% to 23% (rate of state-sponsored cybercrime). This has made it necessary for states to invest in the cyber domain and acquire the necessary expertise to either resist or oppose cyberattacks.  

This is a hover test. Among other elements, the overwhelming role of non-state actors makes the cyber domain distinctive from all the other domains of operations: land, sea, air, and space (on the discussion of cyberspace as a separate domain, see, for example: Allen & Gilbert, 2009; Bunker & Heal, 2014; McGuffin & Mitchell, 2014; Leventopoulos & Benias, 2017). Historically, however, the nexus between the state and non-state actors has been an ever-present concept; their cooperation and the conversation on legitimacy, are not new. In fact, on land and the high seas – as the primary domains of historical warfare and politics – violent non-state actors have played a significant role (Thomson, 1994), extending the power of the state until several geopolitical agreements made their role officially unwanted. 

The subsequent illegitimacy of certain non-state actors made it harder to trace the connection between the state and non-state. These covert actors serve as proxies to a state’s goals without implicating the state in their activities. If well hidden, any proof of the connection is plausibly deniable, and states have used that uncertainty to sponsor activities and achieve policy goals before. This issue of tracing relationships is even larger in cyberspace, where it is already difficult to find out who is behind an attack at all (Clayton, 2005).

Yet as in the physical world, many non-state actors undertake activities of their own accord, aligning themselves – inadvertently or on purpose – with the goals of a state. Taking the existence of militia, vigilantism and crowdsourced naming-and-shaming as examples, individuals sometimes organize in groups to fulfill what they see as a space to further the dominant patriotic or ideological agenda (Hare, 2017), or a metaphorical and virtual vacuum of state capacity and in some cases, blatant state failure (Moncada, 2017; Cheong & Gong, 2010; Seraccino-Inglott, 2017). Because of the daily cases in the cyberspace involving many such actors, it is never easy to ascertain whom the state may sponsor, and whom it does not.

Excerpt from our Interview:
The overwhelming role of non-state actors in cyberspace, Sico van der Meer

Still, many legitimate actors have provided an overall supportive role. Either by helping bolster the security of various states and their citizens, or by engaging in activities that promote the common values, these individuals, groups and organizations have contributed to making the Internet free and open to all. Although more recent trends predict an increasingly fragmented Internet, their contribution needs to be recognized.

Source: p. 8, Thomson, 1994.

Purely looking at the cyberspace, who are the hackers and what are they motivated by? One typology proposed in 2001 provides a general overview (Barber, 2001). According to groups, they are either script-using amateurs (“script kiddies”), capable hackers, and profit-motivated crackers. According to motives, their interests range from curiosity, vandalism and hacktivism, to industrial espionage, extortion and fraud, and information warfare – but also security-building ‘white hats’ (further defined below; p. 3, Barber, 2001). Nonetheless, the typology does not represent the full spectrum of activities that has emerged in the 20 years since the concepts were coined.

Excerpt from our Interview:
Geologic perspective on the behaviors of virtual non-state actors, Larisa Breton

To look at the evolution of non-state actors from the conventional domains of land and sea to the information/cyber domain, we use the common motives as examples to compare upon. Juxtaposing the historical and modern concepts of violence and the virtual of today, we hope to illustrate the variables at play with non-state actors whose alignment with a state actor’s goals is motivated by: profit and personal gain; patriotism and ideology; exploitation, revenge, rebellion and resistance; moral outrage and perceived insecurity; and other sets of parameters.

Excerpt from our Interview:
Various motives of non-state actors, Sico van der Meer

Profit and personal gain were some of the ubiquitous motives throughout history. Across civilizations from Aztecs (Townsend, 2019) to the Celts (p. 56, Chadwick, 1970), violent non-state actors gained resources and reputation by engaging in both own and foreign warfare. However, what differentiated state actors such as soldiers with salaries from non-state mercenaries and profiteers?

Political scientist Sarah Percy (2007) proposes to look at the level of legitimate control and the attachment to a cause, rather than the foreignness or the monetary reward. By putting the focus on the concept of legitimacy in (jus in bello) and behind (jus ad bellum) combat, it is possible to compare different groups and understand the boundary between state and non-state.

Source: Spectrum of private violence, p. 59, Percy (2007)

Inherent to many societies are those who remain on the margins by finding themselves in a foreign, hostile or otherwise unaccepting territory, or operate on the margins and reject the dominant system. In ways defined by the sociologist Robert K. Merton (1938), these so-called “deviants” have five possibilities of adjustment to societal goals and methods:

1. Conform to the goals defined by the dominant culture and the institutionalized means to achieve them.
2. Accept the goals, but reject the traditional or legitimate means to achieve them, and innovate with the methods (including criminal activities).
3. Reject the goals, but engage in ritualistic routines to achieve them.
4. Reject the goals and retreat from ever achieving them.
5. Rebel against both goals and institutionalized means by replacing both with alternatives.
   
   

From the Wild West of North America (Little & Sheffield, 1983) to the contemporary Africa (Pratten, 2008), vigilantism has carried the connotation of disproportional folk justice and citizen defense. With examples of racist (Mortensen, 2018) or jihadist vigilantism (Lo, 2019), it is important to distinguish between the two main drivers of vigilante movements: moral outrage and perceived insecurity.

Coined by the criminologist Stanley Cohen (2011), a moral panic is an irrational public phenomenon that occurs when societal values and interests are threatened, in which a scapegoat (i.e. a folk devil) is identified; a moral outrage is the underlying emotion that emerges when moral norm violations are seen (Crockett, 2017). Molded by the mass media, moral panics create a demand for swift justice and punishment (Cohen, 2011). State judiciaries or executive institutions are scarcely prompt, transparent and aligned enough to satisfy the demand, and in more egregious cases, citizens organize in groups to fulfill this vacuum. In that mobilization, vigilante violence carries “forward panic” (Gross, 2016): process wherein fear and tension is released suddenly, leading to disproportional extreme violence.

Although a concept that may often go in parallel with a moral outrage, perceived insecurity communicates more about the absolute capacity of the state to provide security, than about the ability of its institutions to satisfy the demand for folk catharsis in an outrageous case. Political scientists Wilson & Kelling (1982) posited that state power is communicated by policing: if a proverbial broken window is left unattended for long enough and vandals unpunished, small crimes may evolve into larger crimes in the vacuum of policing. In the context of Max Weber’s (1919) monopoly on legitimate violence, the broken windows theory places the perpetual onus on the state to maintain the monopoly by showing its presence frequently enough. According to a study on state capacity using the spread of the US Postal system as a proxy variable, as state capacity increased, so did decrease the number of duels (Jensen & Ramey, 2019).

Although the theory is controversial today (Harcourt & Ludwig, 2006), it illustrates the way collective beliefs in norms dissipate and change. Philosopher Cristina Bicchieri (2016) proposes a concept of pluralistic ignorance, where actors collectively and ritualistically pretend to believe in a norm for the sake of social acceptance; if this pretense in believing in the legitimacy of state monopoly is eroded, actors may feel collectively insecure. In such situations, actors may decide to retreat to defeatism or – using the aforementioned matrix of social deviance (Merton, 1938) – rebel and replace the vacuum with their own securitization.

Vigilantes fit in the state – non-state nexus when they enforce state policies and laws. While technically outside the monopoly on violence, non-state actors at times provide a complementary role to the cumbersome state bureaucracy, effectively solving some of the emerging issues without the need to engage law enforcement (or otherwise, helping the policing units). Even without condoning such behavior, state actors benefit from occasional self- or citizen-policing initiatives, where crowdsourced civil activity results in more efficient enforcement of state laws. Naturally, in areas where state actors represent less legitimate, the non-state proxy counterparts fulfill the role of inner policing regardless of whether they were officiated by the state (e.g. Oude Breuil & Rozema, 2009).

Across the spectrum of non-state actors, it is important to acknowledge the importance of private and non-state actors whose roles have defined the principles of openness, transparency, internationalism, and security underlying the Internet, despite various attempts to undermine them. Proto-hacker communities (Kirkpatrick, 2002), the hacker ethic (Jesiek, 2003) and the Hacker Manifesto (Furnell, Downland & Sanders, 1999) provided the initial spark that translated into several movements today: the integration of ‘white hats’ into the cybersecurity industry (including the recruitment of capable hackers for either outcome), and the crowdsourcing for help on societal problems.

From a state security perspective, cyberattacks are a completely new way of warfare. Neither proximity nor military budget is a reliable indicator for the capabilities of a state. Attackers can either work on their own, are part of a state operation, or something in between. An attack can be carried out without the victim knowing and the single imminent defence is normally to shut down the whole network which can have further implications. The source of an attack is hard to trace and deliberately obscured, even espionage gets harder because operation centers can be an office building or don’t exist at all because of decentral command structures. In short: cyberattacks are hard to predict, hard to defend against, and hard to trace in the aftermath.

While for a long time, the military spending pretty much decided the position in international relations, those new kinds of attacks are more based on very few very knowledgeable people with access to high-speed internet and some technical resources which are still way less costly than for example a fighter jet. Additionally, once a security vulnerability in, for example, a software which is used in multiple governmental institutions is found, an attacker can target multiple systems at the same time without physical presence. Attacks that are based on overpowering a system are easily scalable through taking over external unsecured devices and, based on the attack, have exponential growth.