Home / Latest Articles / The Rise of Cyber-mercenaries

The Rise of Cyber-mercenaries

15 May, 2021

By Ataa Dabour – Research Assistant

Mercenarism is a practice that dates to the classical world. But this practice declined in the nineteenth century with the development of conscription or compulsory military service. The use of mercenaries only re-emerged with the wars of decolonization and ensuing civil wars. This phenomenon came back once again after the end of the Cold War.

Following the surge in mercenary activity, the phenomenon had subsided but then again re-emerged in a somewhat different form through the growth of private military companies (PMCs). A 2016 analysis of the market of the PMCs in armed conflict shows that more than 1,500 PMCs operate nowadays in conflict areas, from Africa to the Balkans to the Middle East.

Although mercenaries are often originally experienced military soldiers, their main objective is to meet the mission given by the client who has contracted them. In other words, they are less likely than members of national armies to be asked to consider the implications of their behavior – be it on local communities, human rights, or on their state of origin – and instead, are led by the need to satisfy a client in exchange for financial reward.

Generally, mercenaries provide support for military operations – most often in the form of defensive security, training for national forces, and technical support. The UN Working Group on the use of mercenaries has identified cyber mercenaries as one category of actors that can generate mercenary-related activities. This entails a wide range of military and security services provided in cyberspace, including data collection and espionage.

A warning over cyber mercenaries can be found in an annual report published in 2013 by Britain’s Intelligence and Security Committee, a watchdog body of senior lawmakers that oversees Britain’s spy agencies. The report described the mercenaries as skilled cyber professionals undertaking attacks on diverse targets such as financial institutions and energy companies. When state actors employ cyberweapons, there is at least the prospect of regulation and accountability, but when private companies are involved, things get more complicated.

State’s Cyberoperations

The cyber domain is increasingly becoming a battleground among nation-states. We can mention the cyberattack committed by Russia against the Estonian banks, newspapers, and servers, the one faced by Georgia one year later, or the US-Israeli Stuxnet virus that has been sent to spy on and reprogram Iranian industrial, hydroelectric, and nuclear systems.

Cyberwarfare has indeed been recognized as a method of warfare that can infiltrate, disrupt, damage, or even destroy military or civilian objects, and cause serious human harm. Thus, it must comply with international humanitarian law. Even though a large part of the operations described as cyberattacks take place outside the framework of armed conflict, explains Cordula Ddroege, legal adviser to the ICRC, information warfare only concerns computer operations carried out in times of armed conflict and excludes all those carried out in peacetime, noted Michael Schmitt, Chair of the Department of International Law at the US Naval War College.

In 2009, an expert group was mandated by NATO to examine the international legal framework for cyberoperations. The question then was how does the international law of armed conflict apply to confrontations in cyberspace? Published in 2013, the Tallinn Manual was the answer to this question and contains some standards and rules that govern interstate cyber actions in times of war.

However, nothing about those operations that take place in times of peace was mentioned in it. This means that the international humanitarian law (IHL) cannot be invoked when a cyberattack occurs in peacetime, since it only considers the ones in armed conflicts whether between states, between states and organized armed groups, or between organized armed groups, as mentioned by Cordula Ddroege.

But, while States are focused on combating cyberattacks from nation-states, the real threat is elsewhere. According to Michael Rogers, head of U.S. Cyber Command, a more dangerous threat (…) comes not from direct cyberattacks by nation-states, but from the growing international marketplace for state-sponsored cyber mercenaries that carry out the surreptitious cyber operations of a government.

Dangers behind Cyber Mercenaries

With 300 private companies covering areas ranging from banking security to critical infrastructure defense, Israel is a world leader in the field of private cyber technology. Some of these companies exploit and profit from the fine line between defensive and offensive cyber capabilities to provide their clients with services that do not fall within the legal framework.

As an example, the privately-held Israeli company – NSO Group, which makes hacking software it sells to foreign governments and law enforcement authorities to track down terrorists and criminals, has since 2019 faced a number of allegations that its customers used its software to target 1,400 WhatsApp users – journalists, government officials, and human rights advocates.

The report on the evolving forms, trends, and manifestations of mercenaries and mercenary-related activities published in 2020 by the UN Working Group on the Use of Mercenaries confirms that states tend more and more to conduct cyber operations through third-party groups, known as cyber-mercenaries/PMCs, to perform various functions such as:

  • Protecting networks and infrastructure;
  • Conducting cyber operations aimed at weakening the military capabilities and assets of enemy armed forces;
  • Undermining the integrity of another state’s territory.

In cybersecurity, identifying the individual, group of individuals, or state behind a cyber-attack is generally the most difficult part. This technical or skill-based inability to identify an adversary makes it impossible to apprehend and prosecute a cyber-attacker. Indeed, that lack of attribution then makes it harder for governments to respond, and the lack of a threat of reprisal makes deterrence difficult, if not impossible.

Additionally, while the private sector may be able to pay its people more, drawing talent, and technological prowess, away from public service, the government still holds one trump card: the law. Indeed, governments may follow treaties, protocols, and norms to maintain positive international relations, but the private sector executes its missions with little regard for legal standards. After all, privateers are driven by ideologies or financial gain. They do not care about the effect of their actions on international relations and do not consider laws.

From a legal perspective, the fact that cyber-related activities can escape regulatory control, accountability mechanisms, and move across borders is a serious concern. Not only is it rarely possible to attribute responsibility to a cyber attacker and their agent/client, but the potential for human rights violations is even greater. Moreover, the development of offensive cyber capabilities requires appropriate policy and regulatory responses by states to ensure that they are consistent with international human rights standards and principles of international humanitarian law.

In 2018, the UN General Assembly adopted a resolution called Advancing responsible State behavior in cyberspace and established two groups to discuss issues of security in the information and communications technology field and could potentially guide in this respect: the Open-ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security, and the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security.

In conclusion, these facts point to several elements related to cyber mercenaries’ activities that need to be considered. First, the development of cyber mercenary activities and their subcontracting by states is worrying at various levels as mentioned above. Therefore, the examination and evaluation of the impact of the UN resolution on states, and consequently, on cyber mercenaries is fundamental. However, it seems too early to do so today.

Finally, it seems that the status of PMCs must be clarified: are they considered armed groups or not? If they are armed groups, then the norms of international humanitarian law must be applicable and applied, beyond the question of state responsibility. If they are not, then the question of state responsibility should be reinforced.

About Ataa Dabour

Ataa Dabour is the founding President of Security and Human Rights Association based in Geneva. She obtained a first Master’s degree in Humanities and in Transnational History from the University of Geneva. She then obtained a Master of Advanced Studies in Global Security and Conflict Resolution at the Global Studies Institute. She is also certified in Human Rights from the University of Leiden. Her professional career allowed her to specialize in contemporary issues relating to armed conflict, defense, security, new technologies, and international humanitarian law. In 2018, she became editor for the Swiss Military Review (SMR).