In June 2017, Russian president Vladimir Putin told reporters that “patriotic” civilian hackers from his country may have meddled in U.S national elections. Putin clarified that these were not Russian government-affiliated hackers but rather patriotic citizens of Russia who were defending the dignity of the nation in cyberspace. “If they are patriotic, they contribute in a way they think is right, to fight against those who say bad things about Russia,” Putin said about Russia’s patriotic hackers. This situation illustrates the strategic ways in which authoritarian governments increasingly utilize “patriotic” civilian hackers as a means of denying their own complicity in cyberattacks on foreign entities. The governments of Russia, China, and Iran view these “patriotic hackers” as a useful tool in their cyber arsenal against Western targets and as a means to place blame for attacks on non-state parties.

According to the laws of war, patriotic hackers operate in a legal gray zone, as they are neither explicitly civilians nor combatants. This ambiguity is useful for authoritarian governments since they can shift responsibility for cyberattacks on Western targets to patriotic hackers. In reality, the centralized cyber institutions of authoritarian governments have control over civilian hackers, but they choose to not assert that control if the civilian hackers’ actions align with the state’s objectives. Despite being reckless and unwieldy at times, patriotic hackers are ultimately a net benefit for authoritarian governments that worry about reprisals from Western governments after major cyberattacks.

Chinese state security services and military entities have increasingly contracted civilian hackers to carry out cybercriminal activity abroad. In a July 2021 press conference, a senior Biden administration official told reporters that China’s Ministry of State Security “is using, knowledgeably, criminal contract hackers to conduct unsanctioned cyber operations globally.” Civilian-state cooperation has long been a core facet of Chinese cyber doctrine. In a 2010 paper on China’s hacking culture, China analyst Ethan Gutmann wrote, “To imply that Chinese officials cannot control patriotic hackers is laughable.” The Chinese government contracts domestic universities and private cybersecurity companies to carry out state-sanctioned cyberattacks abroad.

While the links between the Chinese government and cybercriminals are fairly clear-cut, Russian patriotic hackers operate more freely and often do operate on their own accord. The U.S government has long pressured Putin to crack down on ransomware gangs and cybercriminals operating inside Russia. As Justin Sherman writes, “Putin does not control literally everything in Russia, and many cybercriminals do as they please so long as they attack foreign targets and don’t undermine the Kremlin’s objective.” Prior to the Russo-Ukrainian War, the U.S government had actually made some gradual progress on establishing a common understanding of responsible cyber activity with Russia. In October 2021, Washington and Moscow jointly signed a cyber norms agreement, which laid out general cyber principles that both nations would adhere to. However, since the beginning of Russia’s invasion of Ukraine, it seems that all progress on the cyber front has ceased and that patriotic hackers inside Russia have been given the green light by the Kremlin to attack Western targets. For instance, in March 2022, a Russia-based hacker group known as COLDRIVER attacked NATO’s Centres of Excellence with phishing campaigns.

While actors from China and Russia present the primary threat to U.S cyber defenses, Iran has increasingly encouraged civilian hackers to defend its national dignity in cyberspace. After the devastating Stuxnet cyberattack on Iran’s nuclear program, Tehran invested heavily in developing its state-sanctioned cyber capabilities and recruited thousands of volunteer patriotic hackers to defend Iran’s national image online. For example, in January 2020, Iranian nationalists hacked into the website of the U.S Federal Depository Library Program and defaced the website with a tribute to Maj. Gen. Qassim Suleimani, an Iranian military commander who was killed by a U.S drone strike. The defacement also featured an image of President Donald Trump with blood dripping from his mouth after being punched by a fist representing Iran. While this was a low-level cyberattack, it demonstrates the active presence of patriotic hackers operating inside Iran.

It is now an established fact that cyber warfare will be a permanent part of international conflict in the twenty-first century. In order to decrease the risks of major fallout and potential civilian casualties, nations need to establish clear international norms and rules concerning the activities of patriotic hackers. Authoritarian governments cannot hide behind the anonymity of pseudo-civilian hackers—they must take responsibility for their actions as well. If cyber conflict spills over into the physical world, it is unclear under international law whether patriotic hackers can be seen as representatives of their respective governments. Clarification on this issue should take precedent in international cybersecurity forums and multilateral talks concerning cyber activities. Bilateral agreements between nations should also take into account the presence of patriotic hackers and the unique threats they pose to financial and political institutions.

Benjamin R. Young is an assistant professor of homeland security and emergency preparedness in the Wilder School of Government and Public Affairs at Virginia Commonwealth University. He is the author of the book Guns, Guerillas, and the Great Leader: North Korea and the Third World, and his writing has appeared in a range of media outlets and peer-reviewed scholarly journals. Follow him on Twitter @DubstepInDPRK.

Image: Reuters.