53 research outputs found

    Hackers, Hoodies, and Helmets: Technology and the changing face of Russian private military contractors

    The first time Russia invaded Ukraine in the twenty-first century, the Wagner Group was born. The now widely profiled private military company (PMC) played an important role in exercising Russian national power over the Crimea and portions of the Donbas—while giving Moscow a semblance of plausible deniability. In the near decade since, the Russian PMC sector has grown considerably, and is active in more than a dozen countries around the world. PMCs are paramilitary organizations established and run as private companies—though they often operate in contract with one or more states. They are profit-motivated, expeditionary groups that make a business of the conduct of war. PMCs are in no way a uniquely Russian phenomenon, yet the expanding footprint of Russian PMCs and their links to state interests call for a particularly Russian-focused analysis of the industry. The growth of these firms and their direct links to the Kremlin's oligarch network as well as Moscow's foreign media, industrial, and cyber activities present a challenge to the United States and its allies as they seek to counter Russian malicious activities abroad. The accelerating frequency of PMCs found operating around the world and the proliferation of private hacking, surveillance, and social media manipulation tools suggest that Russian PMCs will pose diverse policy challenges to the United States and allies going forward. This issue brief seeks to offer an initial exploration of these questions in the context of how these PMCs came about and how they are employed today. The section below addresses the origin and operations of PMCs in Russian international security strategy, and also profiles the changing role of technology in conflict and the activities of these PMCs. The last section closes with a set of open research questions

    Front Matter

    An inspection regime for cyber weapons : a challenge too far?

    Making Democracy Harder to Hack

    With the Russian government hack of the Democratic National Convention email servers and related leaks, the drama of the 2016 U.S. presidential race highlights an important point: nefarious hackers do not just pose a risk to vulnerable companies; cyber attacks can potentially impact the trajectory of democracies. Yet a consensus has been slow to emerge as to the desirability and feasibility of reclassifying elections—in particular, voting machines—as critical infrastructure, due in part to the long history of local and state control of voting procedures. This Article takes on the debate—focusing on policy options beyond former Department of Homeland Security Secretary Jeh Johnson’s decision to classify elections as critical infrastructure in January 2017—in the U.S., using the 2016 elections as a case study, but putting the issue in a global context, with in-depth case studies from South Africa, Estonia, Brazil, Germany, and India. Governance best practices are analyzed by reviewing these differing approaches to securing elections, including the extent to which trend lines are converging or diverging. This investigation will, in turn, help inform ongoing minilateral efforts at cybersecurity norm building in the critical infrastructure context, which are considered here for the first time in the literature through the lens of polycentric governance

    Promoting International Cybersecurity Cooperation: Lessons from the Proliferation Security Initiative (PSI)

    Global efforts by states to cooperate through international rules in combating cyber threats have generated mixed results, at best. In this paper, we examine the architecture of the Proliferation Security Initiative (PSI) as a possible model for future cybersecurity cooperation among interested states. We identify several features of PSI's architecture (rather than its substantive focus on non-proliferation) for further analysis, including PSI's low entry costs, tiered structure, and flexibility, as well as its leveraging of both territorial jurisdiction and state consent. We conclude that, despite several hurdles visible in the scope of its membership and its legal framework, the PSI still offers worthwhile parallels to draw upon, suggesting a new framework that could allow interested states to further cooperate in addressing current cyberthreats.

    Ransomware, Cyber Sanctions, and the Problem of Timing

    This essay argues that the lack of a federal blanket prohibition against ransomware payments undermines the purpose and effectiveness of the U.S. sanctions regime. The U.S. cyber-related sanctions program suffers from an essential problem of timing: often payments to malicious cyber actors are not prohibited until those actors have been named to the Specially Designated Nationals and Blocked Persons List (SDN) maintained by the Office of Foreign Assets Control in the U.S. Department of the Treasury. Yet those actors generally are not so designated until they have been identified as malicious through a completed or attempted attack. Further, the time between a cyberattack and the designation of a party as an SDN is generally not short enough to prohibit the making of a ransomware payment in response to an attack itself. A blanket prohibition against the making of ransomware payments would supplement the OFAC regulations and remedy a structural shortcoming of that regulatory scheme

    Arms Control 2.0: Updating the Cyberweapon Arms Control Framework

    This Note analyzes multiple problems with the existing arms control framework for cyberweapons as well as surveillance technology and calls for four specific areas of reform. First, the existing framework does not specifically enumerate the software controlled under existing arms control treaties, which can lead to gaps in international export control compliance. Cyberweapons should be enumerated with greater specificity to prevent confusing and disjointed implementation by states. Second, the divide between Wassenaar and Shanghai Cooperation Organization conceptions of what constitutes a cyberweapon reduces the effectiveness of international control because nations do not share an agreed upon cyberweapon definition. States should form a multilateral treaty utilizing a shared definition to ensure cyberweapon exports are regulated by a treaty and include a greater diversity of countries covering a larger share of this market. Third, the Wassenaar Arrangement, the current treaty regulating many cyberweapon exports, fails to impose strict controls on cyberweapons and surveillance technology. Under the Wassenaar Arrangement, cyberweapons and surveillance technology should be listed as “very sensitive items” and subject to additional control because exports can lead to derivative viruses, which multiply the harm of the original export. Finally, the existing framework is unclear in its differentiation between cyberweapons subject to strict control as weapons and those subject to less control as dual-use items. International control lists should include an addendum to the general rule assigning particular types of software to consistently implement each category across jurisdictions

    The U.S. Vulnerabilities Equities Process: An Economic Perspective

    The U.S. Vulnerabilities Equities Process (VEP) is used by the government to decide whether to retain or disclose zero day vulnerabilities that the government possesses. There are costs and benefits to both actions: disclosing the vulnerability allows the vulnerability to be patched and systems to be made more secure, while retaining the vulnerability allows the government to conduct intelligence, offensive national security, and law enforcement activities. While redacted documents give some information about the organization of the VEP, very little is publicly known about the decision-making process itself, with most of the detail about the criteria used coming from a blog post by Michael Daniel, the former White House Cybersecurity Coordinator. Although the decision to disclose or retain a vulnerability is often considered a binary choice—to either disclose or retain—it should actually be seen as a decision about timing: to determine when to disclose. In this paper, we present a model that shows how the criteria could be combined to determine the optimal time for the government to disclose a vulnerability, with the aim of providing insight into how a more formal, repeatable decision-making process might be achieved. We look at how the recent case of the WannaCry malware, which made use of a leaked NSA zero day exploit, EternalBlue, can be interpreted using the model