Cyber Mercenaries: The State, Hackers, and Power

  • Published

Cyber Mercenaries: The State, Hackers, and Power by Tim Maurer. Cambridge University Press, 2018, 246 pp.


Tim Maurer has written an excellent, well-researched book concerning the relationship and effects cyber proxies have on state actors, nonstate actors, and political power. His book, Cyber Mercenaries: The State, Hackers, and Power, misleadingly titled due to the primary focus being cyber proxies, is divided into three distinct sections with an exhaustive notes section. Section one sets the stage by providing the foundation of what cyber proxies are, their types of relationships, and a perspective on how several key nation-state actors view cyber proxy relationships. Section two consists of four case studies that illustrate three different types of relationships the author has proposed exist. Section three covers, among other things, the responsibilities of states within the proxy relationship, how to shape these relationships, and suggested future research areas to expand on the notion of proxies as they relate to the cyber realm.

The major recurrent theme throughout this book is that cyber proxies are utilized in different ways depending on the state employing them while also falling under loosely established normative expectations for how the international community enforces acceptable behavior. The latter is a point of contention for the democratic states as they are held accountable for actions of nonstate actors on a more public scale, whereas more information-controlling societies tend to give leeway to the proxies they employ. Illustrating this is how the United States’ recent response to foreign cyber proxy actions has changed from a relatively closed-book approach to actively calling out host nations as sponsors of the cyberattack. Maurer uses this as an example of an overt attempt to influence more accountability from states that do not enforce established policies to the same standard.

In establishing a thorough foundation for the themes in his book, Maurer uses numerous well-known experts in the field of sociology to establish what societies consider acceptable behavior for both state and nonstate actors. He further covers the current agreed upon, albeit selectively enforced, international accountability guidelines for cyber proxy actions. This coupled with the attribution problem is to say that state-sponsored cyber proxies are handled differently in that they are disciplined as deemed beneficial by the sponsoring state. In comparison, proxies in the context of a traditional mercenary whose effects reside strictly in the physical realm have seen more restrictive and tightly controlled use.

Maurer identifies several notable findings from his two-plus years of research. Of these, projecting cyberpower to influence international agendas is mostly a concert between state and nonstate actors as there is, with a few exceptions, little motivation for a nonstate actor to act independently on this scale. This is partly due to the oftentimes more advanced capabilities of proxies and ability for the state have plausible deniability. Additionally, he identified that proxies are not solely used to influence an international agenda. Some states, usually those that identify as having an information security policy versus cybersecurity policy, utilize cyber proxies to control dissident citizens. Maurer also notes three ways states can control or sponsor cyber proxies to achieve a desired political affect: delegation (state sponsored), orchestration (state supported), and sanctioned (allowing them to operate as long as ideologically aligned and mutually beneficial). He further outlines five types of proxy relationships ranging from state / state to nonstate / nonstate. But Maurer primarily focuses his research on state / nonstate relationships and how states employ this relationship based on their societal expectation for population control and political agendas.

The major case studies Maurer uses illustrate the various degrees and evolutions each state has taken when establishing their proxy relationship. Each case study is thorough and well thought out, and they range from illustrating the delegation relationship the United States has with proxies to outlining how China has evolved its relationships from sanctioning actions to more closely monitoring and using cyber proxies through orchestration.

In summing up his research, Maurer highlights that there are clear problems with the enforcement of cyber proxies and that some recent high-profile arrests and indictments by the United States have been used to force international players to conform to an acceptable norm. He suggests that actions like those the United States used to influence accountability of other nations will become more prevalent moving forward. Thus far the international community has had a difficult time agreeing on the level to which a nation can be held accountable for the actions of nonstate actors. Maurer identifies one particular accountability complication in that one nation may potentially position proxies to launch an attack from a third-party nation that may be unwitting or unable to prevent the action.

With one exception, this is a very well-researched and structured book that builds a solid foundation on which the findings are supported. The expectation going in should be that the reader has previous knowledge of the subject material. If the reader is not familiar with things such as the Westphalia definition of sovereignty, works of Max Weber, or views relating to Machiavellianism, they will need to do additional research to fill gaps left by Maurer’s brief mention of these experts and their views. A recommendation for the next edition would be to expand on the views of his sources in an effort to bolster their value to the position. That being said, anyone interested in the growing influence cyber proxies are having on the global stage will find this an interesting subject. But, if unfamiliar with key concepts of geopolitics, projection of cyber power, or the foundational difference in the way some states view the importance of controlling information, some will likely find this a challenging yet rewarding read.


2nd Lt Brad Worley, USAF


"The views expressed are those of the author(s) and do not reflect the official policy or position of the US government or the Department of Defense."