Insider: Short of War

Welcome to the Irregular Warfare Initiative’s Insider: Short of War, where IWI transforms its thought-provoking articles into compelling audio pieces. Our podcast bridges the gap between scholars, practitioners, and policymakers, offering in-depth analysis and expert commentary on the dynamic world of irregular warfare. Stay informed and engaged with the latest insights from leading voices in the field, right at your fingertips.


Episodes

5 days ago


Resilience and Resistance Post-Raisi: A Data-Centric Approach to Iran
June 27, 2024
 
By Dr. Robert S. Burrell and Dr. David R. DiOrio
 
The sudden death of Iranian President Ebrahim Raisi in a helicopter crash on May 19, 2024, may provide an opportunity to usher in a new destiny for the Iranian people. Many considered the hard-liner to be the Supreme Leader Khamenei’s enforcer in consolidating the clerics’ power through the executions of dissidents and the jailing of political prisoners. He mobilized America’s rivals by pursuing a military alliance with Russia and economic ties with China to weaken the grip of Western political and commercial dominance in the region. The former president was the mastermind of a proxy-based militarization campaign to make a Western presence in the Middle East so costly that the United States and its allies would withdraw. Despite the recent escalation of hostilities against Israel and the West, the United States remains committed to maintaining a forward presence to strengthen regional partnerships and protect vital trade routes.
 
The Islamic Republic of Iran will choose a new President on June 28, 2024. Iran’s Guardian Council, a conservative 12-member oversight board, chose six candidates: 5 far-right hardliners and one moderate, Masoud Pezeshkian, who is open to renewed diplomacy with the United States. The high popularity of Pezeshkian is a sign of the Iranian people’s desire to seek less stringent Islamic codes and friendlier relations with the West. The election outcome is uncertain. The Supreme Council’s biased support toward and election of a far-right candidate may widen the prevalent trust gap and ignite widespread protest. Still, the successful election of the moderate may present a renewed opportunity to reduce historical tensions and establish a pro-Western partnership. This election presents an excellent opportunity to review our foreign policy stance and strategize our approach no matter the election’s direction.
 
Considering the considerable sea change in Iranian politics, we advise the DoD to take a fresh look at its analysis of one of America’s long-standing adversaries. Since 2021, two events have dramatically shifted the subject of irregular warfare within the Department of Defense. The first was House Resolution 5130, Consortium to Study Irregular Warfare Act of 2021. Congress mandated a more data-centric (not theoretical) analysis of irregular war. The second was the change of the irregular warfare definition released in Joint Publication 1: Volume 1, Joint Warfighting in August 2023, which expanded irregular warfare to encompass activities taken before conflict and during competition. The upcoming election and forming of a new government present an opportune time to design and implement a comprehensive operational plan to advance our national interests. We recommend utilizing a fact-based methodology (leveraging analytical data from top universities, financial institutions, governmental agencies, and nongovernmental organizations) to analyze the resilience of and resistance to current Iranian governance systems. Such an assessment can better inform DoD activities, force posture, and interagency collaboration to achieve U.S. national objectives, not just in the case of war but in competition.
 
The Islamic Republic has been a destabilizing force in the Middle East since its ascension to power after the Iranian Revolution in 1979. The Iranian leadership has provoked violent conflict and destructive activities to assert its hegemonic aspirations. Iran’s government is a complex blending of theocratic and political elements that pursues expanding Islamification in conformity with “Khomeinism,” a radicalized ideology to reassert Shi’ism as the dominant Islamic moral authority. Tehran views the United States and Israel as their main threats and focuses their foreign policy on eliminating their regional influence. With a relatively small regular military, the regime relies on specialized forces to lead a network of proxies that engage in surrogate terrorism, political agitation, and paramilitary violence as the main instruments of power projection. The best strategic approach to stabilize the political situation and curtail Iranian hostilities needs reconsideration.
 
The 2022 National Security Strategy delineates the current U.S.-Iranian policy initiatives. The U.S. is presently pursuing diplomacy backed by limited sanctions to dissuade Iran from threatening U.S. personnel and developing a nuclear weapon but stands prepared to use other means should diplomacy fail. The policy provides a commitment to stand with the Iranian people, striving for human rights and dignity. Strategic decision-makers should assess the resilience of the Islamic Republic by examining its perceived legitimacy by the Iranian people, who have demonstrated a significant measure of resistance against the abuses and corruption of the Tehran regime.
 
Given their ethnic, cultural, and, to a lesser extent, religious diversity, the Iranian people and the Muslim Shi’a community at large have mixed views on the regime’s strategic goals. The clerics profess that the Islamic Republic is the only righteous governance path within the Islamic world. Theocratic truth-seekers advocated a sociopolitical sect based upon traditional Shi’a jurisprudence, believing that global liberation movements against colonialist oppressors were a justified obligation. Many Iranians are skeptical of the regime’s professed commitment to jihad against the West because the policy has degenerated the country’s social conditions and heightened fears of unleashing external aggression. The Muslim World generally views Iran negatively, believing that a Shi'a worldview is not a legitimate moral authority and that Tehran's strategic approach does not contribute to peace and stability in the region.
 
The following chart utilizes governance metrics from the World Bank (accountability, stability, effectiveness, regulation controls, rule of law, and controlling corruption), along with fragility metrics from the Fund For Peace, to illustrate the Islamic Republic’s resiliency in comparison with Egypt, Turkey, and Saudi Arabia. The illustration provides a relative governance scale where a higher level of governance indicators represents a more capable, less corrupt, and more stable government. Lower governance metrics imply the regime is fragile and susceptible to violent or nonviolent social movements.
 
Contributing to the Islamic Republic’s perceived illegitimacy includes significant human rights abuses, lack of religious freedom, corrupt judiciary, and poor social conditions. Governance indicators improve to the right on this comparison with countries that espouse transparency, combat corruption, and enforce the rule of law, which is more apparent in the regimes of Turkey and Saudi Arabia. The Erdogan government remains effective and enforces regulations, but nearly all its metrics remain lower than those of Saudi Arabia. Both Saudi Arabia's and Egypt's regimes remain unaccountable to their people, yet the House of Saud wields considerable strength in regulation control and the establishment of law and order. Compared with its near competitors, the Islamic Republic's governance indicators demonstrate that it is dramatically unsuccessful on all fronts, causing instability and fragility that a unified social movement or violent rebellion may exploit.
 
A lack of public confidence undermines the strength of the Islamic Republic. Iran's resiliency emanates from the people's perceptions and motivations, and poor governance performance erodes public trust. Iran's authoritarian system failed to produce meaningful political reform or social development. Severe restrictions on personal freedoms and a violent suppression of dissenting views diminish popular support for Tehran. These abuses foster resentment within the population and significantly degrade national morale and confidence in Iranian leadership. In a globalized world where information travels at the speed of the internet, social media exposes many Iranians to alternate political views and alluring social policies that make them question the efficacy of the clerics’ hard-line approach to the West.
 
Tehran’s low governance ratings and high fragility assessment pose a significant dilemma for the Islamic Republic and a considerable opportunity for the United States. The Iranian election process and new government formation may yield some valuable insights to steer our Iranian foreign policy. Should the United States promote: (1) a more resilient Iranian theocracy, (2) support external and internal resistance activities to collapse the regime, or (3) actively shape the strategic environment and defer to a future opportunity? A comprehensive assessment of the resilience metrics and exploring resistance strategies may lead U.S. policymakers to a more effective approach.
 
In conclusion, a fact-based methodology for analyzing the resilience and resistance of the Islamic Republic of Iran may inform U.S.-Iranian foreign policy decisions. The U.S. joint operational planning process and conventional war plans have not adequately addressed the competition domain in the Middle East. Current DoD force posture and activities appear merely reactive to current events. Utilizing a data-centric analysis, the DoD can measure the potential resistance within Iran, as well as identify the many nonviolent and violent groups opposing the Islamic Republic. The United States wields many instruments of national power – diplomatic, information, military, and economic – that can influence Iran’s resilience or support resistance to inspire and lead governance reforms. Making such choices requires an interdisciplinary approach and a thorough understanding of the operational environment.
 
Dr. Robert S. Burrell is a resilience and resistance interdisciplinary scholar using data-driven and human-centric methodologies to analyze intrastate conflict ranging from nonviolent protest through belligerency. He is a Senior Research Fellow at the Global and National Security Institute of the University of South Florida. From 2020-2024, he taught irregular warfare at Joint Special Operations University and was the former editor-in-chief of special operations doctrine from 2011-2014.
 
Dr. David R. DiOrio (CAPT Ret.) is a National Security Professional with a Doctor of Philosophy degree in Public Policy and Administration from Walden University. He served as the Deputy Director at the Joint Forces Staff College of the National Defense University and is currently Adjunct Faculty at the Joint Special Operations University.
 
The views expressed are those of the author(s) and do not reflect the official position of the Irregular Warfare Initiative, Princeton University's Empirical Studies of Conflict Project, the Modern War Institute at West Point, or the United States Government.
 

7 days ago

Cyber Attacks in Perspective: Cutting Through the Hyperbole
June 25, 2024 by Tom Johansmeyer
 
This article is part of the Irregular Warfare Initiative's Project Cyber, which explores and characterizes the myriad threats facing the United States and its allies in cyberspace, the information environment, and conventional and irregular spaces.
What would the most destructive and costly cyberattack in history look like? 
The Department of the Treasury is exploring a federal mechanism for providing relief capital to the insurance industry in the event of a major cyber catastrophe. While the prospect of a cyber incident sinking the insurance industry and leaving society exposed is intensely remote, it highlights an underlying problem with our understanding of the destructive capacity of cyberattacks—hyperbole. If the terror attacks of September 11, 2001, represented a failure of imagination, then the fear we have of a significant cyberattack represents a failure to keep our imaginations under control.
History shows that it is easier to imagine a catastrophe than to produce it, but it fails to explain why. The last twenty-five years of economic loss data suggest cyberattacks aren’t nearly as costly as the annual hurricanes and hailstorms we experience. 
So why are we so afraid?
In many ways, our fear can be attributed to the relative newness of cyber risks in human history, meaning they need to be better understood by the public and with many precedents. Additionally, our misunderstanding is related to the thin historical data we have on them and, more critically, that our historical data relies heavily on a few specific, recent cases—the most prominent being the 2017 NotPetya attack. With a $10 billion price tag and impacts across 65 countries, NotPetya was called “the most destructive and costly cyberattack in history.” But the numbers tell a different story, and relying on NotPetya as our catastrophic example may mean researchers and analysts are staring down a paper tiger.
By exaggerating the effects of past attacks and framing them as but a taste of what’s to come, the cyber domain inspires fear in policy-makers, commanders, and the general public that is normally reserved for the most severe forms of kinetic warfare, such as nuclear strikes. As a result, cyber capabilities have become difficult tools to use, simply due to a fear that has not materialized which is based on hyperbolic claims. A misguided belief in their destructive power has effectively stifled innovation at all echelons—despite plenty of research suggesting the contrary. If there were ever a time for a hard reset on how cyber operations and their implications are perceived, this is it. If anything, cyber operations have proved to be de-escalatory, and by perpetuating a myth to the contrary, we lose access to an important alternative to traditional war. By setting the record on cyber straight, we take a step toward making the world a safer place.
How it started
NotPetya was born of war. Released three years after the start of hostilities in eastern Ukraine in 2014, NotPetya was one of several efforts by Russia to attack Ukraine in cyberspace. From 2014-2016, other Russian cyberattacks were operationally successful but often fell short of their desired impact. For example, the 2015 attack on the Ukrainian power grid is among the most effective attacks against an energy infrastructure. Still, only 230,000 people lost power for six hours—far short of what even a minor hurricane routinely achieves. 
What happened in 2017 was different. A tool developed by the Russian defense intelligence agency (GRU), NotPetya, was deployed after GRU hackers gained access to the servers of a small Ukrainian software company. The exploit relied on a Windows vulnerability and was embedded into the company’s software products, like the Ukrainian accounting software MeDoc, and intended to cause damage to large swaths of the Ukrainian economy. Made to look like its ransomware predecessor, Petya, NotPetya locked the systems it encountered and demanded a $300 payment. However, the ransomware “face” of NotPetya was another case of maskirovka—the attackers had little interest in collecting ransom payments but instead used the feature to confuse forensic analysts, making it harder for them to divine who was behind the attack. 
Although NotPetya has been attributed to Russia’s GRU, the code was derived from a leaked National Security Agency (NSA) tool called EternalBlue. A proverbial skeleton key of an exploit, EternalBlue, was used as part of the 2010 Stuxnet attack on the Natanz nuclear facility. After the tool was leaked, it was used in both the WannaCry and NotPetya attacks during the first half of 2017 and later in BadRabbit. Throughout 2017, therefore, waves of attack came with “roots [that] can be traced to the US.” The impact of those attacks underscores why the NSA sustained heavy criticism over hoarding zero-day vulnerabilities and developing powerful cyber tools that can be difficult to control. And it’s easy to see why.
NotPetya quickly spread beyond Ukraine to cause an estimated $10 billion in economic damage worldwide. The United States, France, Denmark, and Germany were among the 65 countries affected. The attack’s costs mounted quickly. According to its two insurance policies, pharmaceutical company Merck sustained nearly $2 billion in damage. Maersk lost $300 million, and the newly merged FedEx/TNT lost roughly $1 billion. The insurance industry experienced nearly $3 billion in losses, indicative of the attack’s scale.
Meanwhile, the effects on NotPetya’s intended targets were far more modest. NotPetya is estimated to have impaired 0.5% of Ukraine’s gross domestic product (GDP). That amounts to $560 million, a significant but manageable cost. 
Further, in a twist of poetic justice, Russia also fell victim to NotPetya. After losing control of the malware, two of Russia’s largest companies, the energy company Rosneft and the financial institution Sberbank, joined several Russian companies, including banks, travel agencies, and telecommunications providers, on NotPetya’s list of victims. Although the source of the list of Russian victims is suspect (as a blog post comment that looks like it came from a troll farm), the effects on several of the named Russian companies are reported elsewhere—including The Independent, cyber security firm Group-IB, and of course TASS. 
Context is crucial
The global impact of NotPetya led the U.S. government to call it “the most destructive and costly cyberattack in history.” The declaration has since been amplified across the popular and academic press, cementing NotPetya’s place at the top of “most destructive cyberattack” lists and ingraining it into the still-early study of “cyber catastrophes.” The result is that NotPetya’s prominence in the literature has skewed our understanding of the threats associated with cyberattacks.
Based on my calculations and categorization, there have been 21 cyber catastrophes since 1998 and up to $310.4 billion in losses, adjusted for inflation. And among them, NotPetya is not the worst. Sure, the attack was significant, but adjusted for inflation, its $11.9 billion price tag is roughly 30% below the 25-year average for cyber catastrophe economic impacts.
When the U.S. government announced NotPetya as “the most destructive and costly cyber-attack in history,” it kicked off a narrative disconnected from the reality of NotPetya and our understanding of catastrophic cyber events. Everyone—researchers, scholars, security professionals, journalists … etc. —heard “the most destructive” and ran with it. There are several reasons why.
Cyber warfare—and cyber operations conducted by nation-state actors—are already shrouded in hyperbole. Whether you look at the 2015 attack mentioned above on the Ukrainian power grid or turn to the more recent cyber activity that preceded the 2022 invasion of Ukraine (and persisted after), the answer is the same. Cyber weapons, in practice, are more bark than bite. And it’s not just Russia. Operation Glowing Symphony offers a rare case of the US military confirming its offensive cyber operations against ISIS targets online. The operation was an interesting, clever, and successful case of offensive cyber activity until the offense stopped. In the end, cyber operations are most impactful when prosecuted, but their effects taper over time, and recovery and reconstitution often come quickly after an operation is finished.
None of this makes for great storytelling, but great stories about cyberattacks do exist—take Cliff Stoll’s Cuckoo’s Egg, for example—but they also rely heavily on exaggeration and hyperbole to describe cyber threats and impacts. Part of this is simply reader engagement—cyber or otherwise. Everyone loves a bit of excitement, and the real-world implications of cyberattacks, real or imagined, get your heart pumping. 
The NotPetya story—rather than the NotPetya attack—is revealing. In late 2018, Wired Magazine published “The Untold Story of NotPetya, the Most Devastating Cyberattack in History,” which bakes hyperbole into the headline and never lets up. Throughout the piece, the author amplifies complex issues with nuance and considerable finesse to give a true-crime story feel. In many ways, reporting on cyberattacks reflects how reporting on bullets and bombs is more accessible than reporting on bits and bytes the human eye can’t see. Incorporating exaggeration and hyperbole makes a story interesting. 
The Wired article has gone on to feed academic journal articles and news stories worldwide. In many ways, the article did not contribute to the NotPetya narrative but became it. The article also amplified the original 2018 White House announcement about NotPetya, further entrenching the hyperbolic interpretation of the attack into the public psyche. 
A more context-appropriate reading of the 2018 White House announcement would convey that NotPetya was an attack of global importance worthy of the “international consequences” that followed, including sanctions and indictments. NotPetya was undoubtedly the costliest single cyberattack in more than a decade, and to date, it was the last cyber catastrophe event to exceed even $1 billion. The fact that NotPetya fails to live up to the exaggerated claim of being the costliest cyberattack in history does not diminish its importance, and a context-appropriate reading of the 2018 announcement would still drive that message home. 
The lesson
The NotPetya attack is an excellent example of why words matter. At face value, calling NotPetya “the most destructive” cyberattack set a benchmark for how we think about future cyberattacks on US systems and how policy-makers think about future cyber operations against adversary systems. It categorized the nexus of economic security and cyber catastrophe risk into a false and misleading model, which could lead to years of missed opportunities to refine how the US researches, develops, and employs offensive and defensive cyber capabilities. 
Understanding the accurate scale of NotPetya (and the broader history of economic losses from cyberattacks) will help to reset expectations and breathe new life into cyber operations at all echelons simply by giving a relatable sense of the destruction caused. This only works for the set of targets, though, where the economic impact is the consequence. Not all attacks are about money. 
Nation-states are also highly vulnerable to cyber espionage, theft of intellectual property, and other efforts to gain and use private information. Events like the SolarWinds cyberattack have shown the significant societal implications of espionage. SolarWinds exploited a vulnerability in the Orion network management system, which is used by nearly 30,000 public and private organizations—including local, state, and federal agencies to manage their IT resources. Despite having devastating national security implications for SolarWinds, the total economic impact fell short of $200 million, making it more than 90% smaller than the Equifax breach alone. Nonetheless, the attack caused a loss of trust in government-run cybersecurity efforts—an essential national and societal security impact. 
Because of measures like “loss of trust,” it’s difficult to estimate the total cost of cyber espionage campaigns. While it’s prudent to make “economic impact” one measure among a collection of measures used to gauge the severity of a cyberattack, non-financial implications must be contemplated, too. 
Why this matters for US military cyber operations
The enduring lesson of NotPetya and the US government’s public statements about the attack is straightforward: hyperbole constrains military cyber operations. Overstating NotPetya’s impact adds to the “cyber Pearl Harbor” myth and fosters a misguided understanding of offensive cyber capabilities as decisive weapons of mass destruction. Helping the public (and government stakeholders) understand how cyber operations can be—and have been—used for de-escalation will not only reduce the temperature of cyber fears but could provide new flexibility in a domain of limited action. Despite the expanded authorities granted to US Cyber Command in the 2018 NDAA, offensive cyber operations continue to be constrained by the mistaken belief that cyberattacks will precipitate an escalation ladder similar to nuclear strikes. However, research continues to demonstrate otherwise.
Unfortunately, operational use of the cyber domain is also impeded by relatability. We understand concepts like “lethality.” When I walked through Sarajevo a few years ago, its 30-year-old battle scars possessed intuitive meaning—I could see the impact of war. A similar, tangible representation of cost or loss doesn’t exist for cyberspace operations. Therefore, without something concrete to touch, see, or feel, an aura of novelty remains around cyberattacks and cyberspace operations that leaves the door open to storytelling and hyperbole—with it, the exaggerated claims that make for a click-able headline. The first step, therefore, is presenting a clear and accurate representation of the damage caused by past cyberattacks.
In addition to improving our reporting on cyber operations’ impacts and data collection efforts, we must find ways to make cyberspace more relatable. While a good story can solve the relatability problem when it is accurate, inflated accounts and hyperbole only give commanders and policymakers pause. Whether by comparing the damage caused by cyberattacks to natural disasters (which are much worse) or to the effects of kinetic warfare (also much worse), providing reference points for understanding the consequences of cyberattacks is long overdue for what was identified as a domain of warfare back in 1993. Analogous impacts on other domains may be imperfect. Still, they offer a first step toward eventually making the impacts of cyberattacks as intuitively relatable as bomb craters and war ruins.
Moving forward, researchers, journalists, government officials, and the public need to recognize how hyperbole is shaping the discussion about cyberattacks. Even seemingly gold-standard sources benefit from healthy skepticism and a grain of salt. Doing so could lead to a shift in US cyber strategy by enabling a more accurate assessment of risk and allowing for more aggressive pursuit of malicious cyber actors around the globe without the risk of escalation more common in traditional warfare. 
Tom Johansmeyer is a Ph.D. candidate at the School of Politics and International Relations at the University of Kent, Canterbury, researching the role of insurance at the nexus of cyber and economic security. 
The views expressed are those of the author(s) and do not reflect the official position of the Irregular Warfare Initiative, Princeton University’s Empirical Studies of Conflict Project, the Modern War Institute at West Point, or the United States Government.

Wednesday Jun 19, 2024


Chinese Unconventional Threats in the Era of Great Power Competition
https://irregularwarfare.org/articles/chinese-unconventional-threats-in-the-era-of-great-power-competition/
June 18, 2024 by Leo Matthews, Kevin Hoerold
Would China ever take a page from Iran’s playbook and cultivate relationships with violent extremist organizations (VEOs)?
 
Despite its seeming improbability, the increasingly assertive actions of the People’s Republic of China (PRC) in Southeast Asia raise this compelling question. This article explores when, where, and how the PRC might use VEOs to further its political, military, and economic goals. An analysis of Southeast Asia identifies an intersection of the PRC’s goals with those of violent non-state groups in Myanmar, the Philippines, and the Indian border regions. In each case, the PRC could plausibly advance its national interests via a partnered or proxy relationship with select VEOs. The same method of analysis identifies when and where the PRC’s collaboration with VEOs would be unlikely due to competing financial and political interests.
 
Understanding China’s potential tactics and likely flashpoints for irregular warfare is vital for preparing effective countermeasures. Most importantly, the discussion of China’s unconventional levers of power serves as a warning against the complete separation of counterterrorism efforts from strategic competition with China.
 
Where Does the PRC Already Cooperate with Proxy Groups?
In perhaps the defining example of PRC engagement with armed non-state groups, Myanmar has been a testing ground for China’s emerging strategy. In the absence of a stable, effective central government in neighboring Myanmar, the PRC maintains mutually beneficial relationships with both the military government and a complex web of ethnic armed groups. PRC collaboration with the military government of Myanmar and numerous ethnic opposition groups demonstrates President Xi’s willingness to arm and fund non-state actors in the pursuit of economic and military interests.
 
The PRC’s interests in Myanmar are largely focused on the development of the 1,700-kilometer China-Myanmar Economic Corridor. First proposed as a standalone project by Beijing in 2017, the project includes oil and gas pipelines, road and rail links, and a deep-sea port located in the coastal city of Kyaukpyu. Upon completion of the corridor and Kyaukpyu Port, the PRC will obtain direct access to the Bay of Bengal and the wider Indian Ocean. This will secure an alternative energy and trade route through Myanmar, open up an easier passage to global markets for the PRC’s landlocked Yunnan-based industries, and help reduce Beijing’s vulnerable reliance on maritime energy imports through the Straits of Malacca. In addition to the economic dimensions of the Belt and Road Initiative (BRI) in Myanmar, there is a budding element of great power competition at play in Kyaukpyu. The port will grant the PRC another outpost in its “string of pearls” strategy to encircle India, intimidate neighbors, and challenge US naval hegemony in the Indian Ocean.
 
The PRC’s expansive BRI projects in Myanmar traverse a country embroiled in ethnic conflict and tenuously led by a military junta. Beijing’s strategic priority is the completion of the economic corridor and unimpeded flow of commerce, irrespective of the internal politics of Myanmar. Consequently, the PRC funds and arms multiple sides of the conflict to protect its investments, simultaneously engaging with violent non-state actors and the military government.
 
In lieu of an effective government partner in Myanmar to maintain order, particularly along the Chinese border states, Beijing works through various ethnic armed organizations (EAO), the local power brokers. The largest EAO, the twenty-thousand-strong United Wa State Army (UWSA), has enjoyed a close relationship with the PRC’s security services since its founding in 1989. The UWSA emerged in 1989 from the splintering of the Communist Party of Burma (CPB), which the PRC had supported with weapons and military equipment since 1968 to combat the nationalist Kuomintang forces that fled into northeastern Myanmar after the Chinese civil war.
 
In recent years, PRC weapons shipments to the UWSA have included heavy machine guns, HN-5A Man-Portable Air Defense Systems (MANPADS), artillery, armored fighting vehicles, and other sophisticated communications equipment. The UWSA further benefits from access to cross-border markets for Chinese currency, rubber and mining industries, construction technology, and communication networks. Although the PRC does not publicly endorse the political goals of the UWSA, Beijing employs the group as a proxy force to protect ongoing BRI projects, stem the flow of drugs into China, and crack down on cyber scam centers operating in remote areas near the Chinese border.
 
When necessary, the PRC leverages its relationship with the UWSA and other armed groups to exert pressure on the military government of Myanmar to concede contested territory near PRC investments. Meanwhile, the military government of Myanmar maintains diplomatic ties with Beijing and has purchased over $1 billion in arms and military equipment since 2021 for its war against the UWSA and other EAOs. In recent months, Beijing has pressured both sides of the conflict into (short-lived) ceasefire agreements to reduce the violent interruptions of trade and construction.
 
The PRC is not picking sides in Myanmar but rather protecting its strategic interests and investments. Beijing’s demonstrated willingness to arm and fund ethnic armed organizations in Myanmar leads us to question what other regions present similar conditions for PRC collaboration with violent, non-state actors.
 
Where is China Most Likely to Leverage VEOs?
The Philippines and the India/Kashmir border present two such possibilities. The PRC’s interest in the Republic of the Philippines is two-fold. First, the PRC seeks to undermine the re-emergence of security ties between the Philippine government and the United States. Manila has recently undertaken strategic steps to deepen its relationship with the United States, marking a significant evolution in its foreign policy. This is underscored by the recent expansion of the US-Philippine Enhanced Defense Cooperation Agreement. Second, the PRC has actively pursued territorial claims in the South China Sea (SCS), employing a strategy that combines economic leverage and the enhancement of its soft power within the Philippines. This multifaceted approach aims to sway Manila into acknowledging the PRC’s territorial assertions, highlighting a sophisticated blend of diplomacy and economic influence to advance its geopolitical interests in the region. In a recent escalation of tensions, the PRC has intensified its assertive actions in disputed maritime territories by deploying both coast guard vessels and civilian fishing fleets. The PRC’s use of VEOs as a proxy force would allow for plausible deniability on the international stage while weakening the Philippine government’s maritime operations in the SCS and straining US-Philippine relations.
 
The two most likely VEOs for the PRC to leverage are the New People’s Army (NPA) and the Islamic State East Asia (ISEA). The New People’s Army (NPA), the armed wing of the Communist Party of the Philippines (CPP), has a documented history of engaging in actions against US personnel and interests within the Philippines. Their violent history includes deadly attacks on US servicemembers, underscoring the significant threat the NPA poses to both national and international security interests in the region. The NPA’s stated aims are to overthrow the Philippine government and eliminate US influence in the Philippines, highlighting its ambitious objectives against both the central government and foreign presence. Formed in the image of Maoist revolutionaries, the NPA received direct funding and military supplies from the Chinese Communist Party from 1969 until the 1976 normalization of Chinese-Philippine relations. This demonstrates the NPA’s predisposition to collaboration with the PRC as the Chinese Communist Party’s genesis serves as the inspiration behind the NPA’s movement.
 
ISEA also holds both the capability and intent to attack American and Philippine government interests. The ongoing conflict instigated by ISEA in the southern islands of the Philippines demands extensive efforts from the Philippine government in terms of time, manpower, and resources. This continuous engagement diverts Manila’s focus and resources from other national security priorities, potentially benefiting the PRC’s strategic position. However, the PRC’s longstanding campaign against Uyghur Muslims in Xinjiang, under the pretext of combating Islamic extremism, might make the PRC cautious about associating with a violent Islamist group like ISEA. The PRC would go to great lengths to keep a proxy partnership with ISEA highly confidential.
 
When evaluating the potential for future PRC engagement with VEOs in the Philippines, several indicators could signal an escalation of involvement. A noticeable enhancement in the weaponry and capabilities of these groups could serve as an early warning of increased support. Additionally, a rise in both the frequency and intensity of their attacks, particularly if these occur in tandem or close succession with PRC assertive actions in the West Philippine Sea, could suggest a level of coordination between these organizations and the PRC.
 
PRC support for certain VEOs in Kashmir, meanwhile, could provide strategic, economic, and security advantages to Beijing. The PRC’s primary regional interests are the protection of nearby BRI investments and the disruption of the Indian military presence along the Line of Actual Control (LAC). Pursuant to these interests, the PRC supports Pakistan’s territorial ambitions and stands to benefit indirectly from the actions Pakistan takes to exert its power in Kashmir via conventional and unconventional means.
 
Periodic PRC military incursions into Indian Kashmir, including a 2020 clash in the Galwan Valley that resulted in 120 Indian casualties, underscore the PRC’s willingness to violently escalate tensions in the region. In addition to conventional military engagements along the LAC, Beijing provides financial support to Pakistan, whose military occupies a second front with India along the Line of Control (LOC). Should the PRC wish to employ unconventional methods in its simmering conflict with India, Beijing may consider working with or through Kashmir-based VEOs.
 
Within Indian Kashmir, Pakistan exercises varying levels of control over a network of Islamist VEOs opposed to Indian rule in the region. The jihadi organizations offer an alternative to conventional military force, operating within urban environments and conducting guerrilla warfare against the Indian government. Pakistan provides jihadists, via its Inter-Services Intelligence (ISI), with funding, weapons, equipment, and a safe haven to train for their perennial struggle against Indian rule in Kashmir.
 
The primary organizations directly associated with Pakistan are Jaish-e-Muhammad (JeM) and Lashkar-e-Taiba (LeT, renamed Jamaat-ud-Dawa in 2022), as well as Harakat-ul Jihad Islami (HUJI), and Hizbul Mujahideen (HM). ISI does not enjoy the same relationship with ISIS or al-Qa‘ida-affiliated groups whose global vision for Kashmir as part of a worldwide Islamic caliphate is at odds with the secular Pakistani state.
 
Beijing is unlikely to engage directly with Islamist VEOs but could work through existing ISI channels to indirectly fund or arm groups such as JeM or LeT. Using Pakistan as an interlocutor builds upon decades-old relationships between the ISI and select VEOs while providing a level of deniability to the PRC, publicly committed to opposing radical Islamist movements. In fact, from September to December 2023, multiple Indian media outlets reported on alleged evidence of PRC support to Pakistan-backed militants in Kashmir. Although uncorroborated in Western reporting, the stories claim Chinese military technology, including drones, encrypted communications devices, and advanced weaponry, have been supplied to LeT and JeM via the ISI. While far from definitive proof of PRC engagement, the news stories reveal an existing Indian narrative of Chinese involvement with Pakistan’s network of jihadist groups in Kashmir.
 
Where China is Unlikely to Leverage VEOs
The conditions identified in South Asia, which may accommodate a relationship between the PRC and VEOs, are not replicated in South America or Africa. From the Revolutionary Armed Forces of Colombia–People’s Army (FARC) in Colombia to the plethora of VEOs across Africa, both regions offer vectors for VEO engagement, but the PRC’s extensive economic and diplomatic investments suggest such a partnership would be highly unlikely.
 
The PRC will work with and through partner governments or institutions to pursue its economic and strategic interests whenever possible. The emphasis on infrastructure development, economic growth, and fostering long-term partnerships under the BRI framework (as opposed to geographic ambitions) suggests a strategic preference for stability and cooperative engagement over the contentious and unpredictable nature of VEOs. To this end, the PRC has fostered relationships with governments across Africa and South America and voiced support for local counterterrorism efforts.
 
Engagement with a VEO is an inherently high-risk endeavor, only likely to happen when the PRC lacks a cooperative, effective government partner and when such engagement does not jeopardize its regional investments.
 
Conclusion
In examining these key geopolitical hotspots, it is clear that China acts based on its own self-interest. This analysis suggests that the PRC might go beyond traditional forms of international engagement, employing unconventional methods to further its strategic national objectives. Specifically, the PRC may work with VEOs as a novel approach to increase its regional influence. VEOs are appealing because they can disrupt, subvert, or distract. Therefore, China’s potential use of VEOs to project power indirectly requires a coordinated counterterrorism response. Understanding Beijing’s possible future tactics is crucial for developing effective countermeasures against these unconventional threats.
 
Kevin Hoerold is a General Wayne A. Downing Scholar of the Combating Terrorism Center at West Point. He holds an MA in Security Studies from Georgetown University and a BS in Management and Financial Economics from Norwich University.
 
Leo Matthews is an instructor at the United States Military Academy’s Social Sciences Department. He holds an MA in Security Studies from Georgetown University and a BS in Civil Engineering from the United States Military Academy.
 
Views expressed in this article solely reflect those of the author and do not reflect the official position of the Irregular Warfare Initiative, Princeton University’s Empirical Studies of Conflict Project, the Modern War Institute at West Point, or the United States Government.
 

Thursday Jun 13, 2024

https://irregularwarfare.org/articles/combatting-russian-lawfare-with-a-cognitive-shield/
June 13, 2024 by Armenak Ohanesian
On February 24, 2022, Putin formally announced Russia’s invasion of Ukraine. In his remarks, Putin attempted to justify his actions in part by citing the UN Charter and the right to self-defense. Putin’s argument was unpersuasive in a legal sense and widely condemned by the international legal community. Nonetheless, his attempt demonstrated Russia’s intent to present distorted interpretations of the law to create an illusion of legitimacy for the invasion. Since his speech, the Russian government has repeatedly abused and weaponized domestic and international law to support its war against Ukraine.
Russia’s weaponization of the law is part of its strategy to satisfy Russian domestic opinion, sow discord between Ukraine and its allies, and maintain international support for its activities. Perhaps most insidious, however, is that Russia’s disregard for the law is also malevolently anthropocentric, intended to both exploit and affect the most vulnerable target: the human being and its cognition. In this respect, Russia’s blatant abuse of the law is meant to degrade Ukraine’s will to fight by undermining justice and flouting accountability.
The essence of Russian lawfare is not the correctness of its legal arguments but how law and facts are used to shape the perception of its invasion of Ukraine among domestic, regional, and international audiences. When it comes to waging lawfare, Russia brazenly crafts and deploys malign narratives by manipulating facts, distorting the meaning of international obligations, passing nonsensical domestic legislation, and rendering ridiculous legal judgments. In this way, lawfare is just one part of Russia’s broader disinformation and propaganda efforts. The typology of Russian lawfare has been well-explored: some researchers distinguish up to 36 types of Russian lawfare, depending on the warfare domain and legal environment. These activities undermine the idea of justice and the rule of law and, in many cases, are presented as justifications for specific Russian military activities and objectives in Ukraine. 
Today, new technologies enhance the threat of Russian lawfare. Russia already abuses social media to spread disinformation about its invasion globally. New tools, such as large language models, make such campaigns easier, cheaper, and more effective. Disinformation campaigns can corrupt legal environments by undermining facts, biasing juries, or otherwise creating evidence-resistant beliefs and amplifying basic instincts like hatred. 
Consequently, effectively countering Russian lawfare requires recognizing human cognition as a battlefield and combatting Russian disinformation more broadly. Governments and the sources of international law—namely customary law, treaties, and statutes of international courts—should be designed to reflect a benevolently anthropocentric approach that prioritizes human cognitive resilience against lawfare and disinformation. Governments, militaries, and civil societies must erect a ‘cognitive shield’ to resist the Russian disinformation efforts that underpin its abuse of the law. This shield should focus on five pillars and be integrated into the grand strategy of multi-domain operations.
The cognitive shield includes the following:
Narrative Analysis: Governments should continuously monitor, gather, and organize sources of malevolent foreign narratives to track their activity and targets. For example, big data processing and sentiment analysis tools could do such monitoring. Indeed, such tools are already being developed, including several by Ukrainian experts directly responding to Russian disinformation campaigns. These tools have been successfully used in Ukraine to uncover and mitigate Russian attempts to promote pro-Moscow insurgencies in Ukraine. Debunking false narratives is central to combatting Russian lawfare, which frequently attempts to distort historical facts. Enhancing these capabilities would strengthen the international legal community’s ability to tell fact from fiction and blame Russia for employing such information campaigns. 
Proactive Information Campaigns, Educational Initiatives, and Civil-Military Cooperation: Governments should start or build upon existing efforts to promote ‘cognitive self-resilience skills’ like critical thinking and fact-checking techniques among all levels of society, cultivating media literacy and the ability to recognize disinformation on one’s own. This strategy paves the way for a pre-bunking approach, preemptively exposing weaponized narratives before they are deployed, including in legal environments. Several national governments and regional bodies are already working on these initiatives and should be considered models for other governments interested in doing the same.
Legislative Efforts to Protect Human Cognition: National and international legislative bodies should pass measures to protect mental health and the integrity of cognitive processes, including perception, memory, and decision-making. These functions should be considered fundamental human rights and principles protected by international humanitarian law. At the same time, legislative bodies must criminalize cyberattacks and AI-enabled disinformation campaigns. Indeed, implementing such protections in international law would require significant efforts within the United Nations, particularly the UN International Law Commission. This would include amendments to the Geneva Conventions and the Statute of the International Court of Justice or Responsibility of States for Internationally Wrongful Acts (2001). Similar provisions must also be reflected in international criminal law, such as the Rome Statute of the International Criminal Court. The goal of these efforts is significant: to introduce a new principle in the law of war that protects human cognition and to hold accountable the states that violate it.
Interdisciplinary Integration: New insights from neurosciences such as neurobiology, psychoneuroimmunology, and psychology will continue to help explain the specific neural mechanisms that must be protected from disinformation. Just as there are mechanisms capable of artificially inducing negative reactions like hatred, there are also mechanisms that can neutralize these reactions. For example, a recent meta-analysis of 42 studies found that psychological “inoculation” (e.g., teaching people about common misinformation strategies) can improve a person’s ability to assess the credibility of new information independently. Government and international legal bodies must maintain awareness of these scientific advances to create new means of protecting citizens against disinformation.
Military Cognitive Strategies: Besides building resilience among civilians, governments need to adopt strategies to combat disinformation in their militaries. A striking example of the importance of such strategies is the Russian attempt to exploit allegations of corruption at the highest levels of power in Ukraine to undermine Ukraine’s will to fight. Indeed, corruption in Ukraine is a long-standing and systemic issue. Many Ukrainians of military age who left the country after Russia’s invasion state that they do not want to fight for a corrupt government. 
From my personal experience—as both a lawyer and a combatant in Ukraine—I am disappointed about the absence of a robust justice system in Ukraine. However, it’s important not to overlook the paradox of ‘perverse transparency,’ when anti-corruption efforts expose previously unnoticed corruption, thereby creating a misleading impression of increasing corruption. Russian intelligence services have leveraged Ukrainian anti-corruption efforts to generate high-profile news stories, which Russian media channels further exploit to discredit Ukrainian authorities to Western and Ukrainian audiences, including Ukrainian soldiers. Military doctrines must account for information campaigns exploiting narratives designed specifically to undermine a population’s will to fight by emphasizing the importance of cognitive resilience among its troops and populations that may be called upon to serve in the future.
Notably, the pillars of the cognitive shield are mutually reinforcing. For example, narrative analysis tools developed by governments or private industry can be improved by incorporating new findings from neuroscience studies. These tools can then be better applied in resilience-building educational initiatives and inform the drafting of legislative and military doctrine.
Whether local or global, conflict remains fundamentally a clash of wills, making it inherently a cognitive battle. Russian attempts to legally justify its invasion of Ukraine are a stark reminder of the vital role of cognitive resilience. Indeed, proactive and creative strategies necessitate relentless political commitment, but they are essential to safeguard the cognitive integrity of individuals committed to the ideals of freedom.
Armenak Ohanesian is a Ukrainian lawyer, practiced in litigation, international arbitration, and criminal law. Post-Russian invasion, he served in the Ukrainian Armed Forces, including roles as an infantry soldier, combat medic, and artillery commander, notably in the Izium Counteroffensive and the Battle of Bakhmut. Decorated for his service, he now leads legal studies at IKAR, focusing on international law and cognitive warfare.
The views expressed are those of the author(s) and do not reflect the official position of the Irregular Warfare Initiative, Princeton University’s Empirical Studies of Conflict Project, the Modern War Institute at West Point, or the United States Government.

Tuesday Jun 11, 2024

June 4, 2024 by William Akoto
Original article published on the Irregular Warfare Initiative's website.
Editor’s note: This article is part of Project Proxies and Partners, which explores the promises and pitfalls of security cooperation in war, at peace, and in between. We invite you to contribute to the discussion, explore the difficult questions, and help influence the future of proxies and partners. Please contact us if you would like to propose an article, podcast, or event.
In September 2001, operatives for Procter & Gamble were caught diving in dumpsters outside a Unilever facility in Chicago in search of documents and other discarded items containing confidential information about Unilever’s hair care products business. To avoid litigation and the negative publicity that often accompanies such disputes, the companies quietly reached a negotiated settlement where Procter & Gamble agreed to not use any of the information obtained. This early example illustrates the ongoing vulnerability companies face regarding data security. In today’s corporate environment where digital data storage is the norm, companies now have to be wary of not only paper documents but also discarded storage devices like hard drives, USBs, and even old office equipment that might store digital data. 
Companies also have to worry about the increasing trend of nation-state-backed hackers trying to infiltrate corporate networks. This is part of a worrying shift in state-sponsored espionage from traditional intelligence gathering primarily targeted toward military and political secrets to the targeting of information held by private firms and other commercial enterprises that perform research and produce innovation critical to national economic growth and prosperity. Perpetrators often aim to use this information to leapfrog rivals’ technological advancements and to gain a competitive edge in the global marketplace. This is emblematic of modern interstate conflict, where the lines between economic, military, and political rivalry are blurred. 
In this article, I aim to highlight the rising tendency of states to engage in cyber economic espionage and how cyber proxies—hackers for hire—are playing an increasingly central role in these efforts. Two brief examples illustrate this trend. 
In 2017, APT10—a Chinese state-sponsored cyber proxy group believed to be linked to China’s Ministry of State Security—conducted a massive espionage operation dubbed Operation Cloud Hopper. This group is an example of what are known as Advanced Persistent Threat (APT) groups—hackers that engage in prolonged and targeted cyber campaigns against specific entities such as government agencies, companies, or other strategically important targets to steal information, disrupt operations, or spy on activities. In the Cloud Hopper operation, the group targeted managed service providers (MSPs)—companies that manage IT services for multiple businesses. The techniques used included spear-phishing to gain initial access, followed by the deployment of various malware tools to establish persistence and facilitate the exploration and extraction of valuable data.
The operation, distinctive in its scale and focus on commercial secrets rather than traditional military or political intelligence, was global, affecting countries across Asia, Europe, and North America. It spanned a wide range of industries including technology, telecommunications, and pharmaceutical companies. Targeting such a diverse array of industries highlights the strategic nature of the campaign and its aim to gain economic advantages through the theft of trade secrets and other sensitive corporate information.
The SolarWinds hack, identified in late 2020, is another significant incident that, although primarily seen as an intelligence-gathering operation, had substantial implications for economic espionage. This sophisticated attack involved the insertion of malicious code into the software updates of SolarWinds’ Orion platform, a widely used network management tool. Believed to be conducted by Russian intelligence services, this campaign compromised the systems of numerous US government agencies, top enterprises, and technology firms, allowing the attackers to spy on business activities and potentially steal valuable corporate and technology secrets. The breach not only exposed vast amounts of sensitive information but also revealed vulnerabilities in the software supply chain.
The Strategic Use of Cyber Proxies
These high-profile incidents raise important questions about why states choose to use proxy hackers for such operations. Academic researchers who have wrestled with this question suggest that states often use cyber proxies because it allows them to leverage specialized skills, expertise, tools, and capabilities that the proxies have but which might be missing from state intelligence agencies or are prohibitively expensive to develop in-house. The activities of cyber proxies tend to fall in the gray areas of international law and politics, which makes them very appealing to states that want to reap the benefits of the proxy’s activities while avoiding responsibility if the activities are discovered. 
For instance, despite suspicions and probable cause, the lack of concrete, publicly-disclosed evidence explicitly linking China and Russia to the Cloud Hopper and SolarWinds operations respectively allowed them to deny involvement, thereby avoiding international sanctions, retaliatory cyberattacks, and other diplomatic consequences. Even when criminal indictments are issued for cyber espionage operations, they typically target individual hackers or the organizations directly involved, rather than the states that sponsor them. This separation enables the state sponsors to maintain a façade of non-involvement and continue their cyber operations under the veil of secrecy.
Proxies also serve another very important function: they can help states hide their true cyber capabilities from their adversaries. Even if state intelligence agencies have the necessary tools, capabilities, and personnel to successfully execute a cyber operation, it might still be beneficial to use cyber proxies so that adversaries do not become aware of these capabilities. 
This is an important benefit for states that wish to maintain strategic ambiguity in cyberspace as norms in the cyber realm continue to develop. For example, Fancy Bear—a cyber proxy affiliated with Russian military intelligence (GRU) that uses sophisticated tactics and techniques—has been concretely linked to the hacking of the Democratic National Committee (DNC) during the 2016 US presidential election. However, direct attribution to the GRU remains circumstantial rather than definitive. This potentially allows the GRU to mask its true cyber capabilities.
How States Manage Their Cyber Proxies
States employ a variety of models in their relations with their cyber proxies. For example, the United States uses nontraditional cyber proxies such as defense contractors and security companies like Lockheed Martin and BAE Systems, whose software products, personnel, and services are often employed in the infiltration, degradation, or destruction of adversary computer systems. It maintains a close relationship with these proxies, allowing for strict oversight and control over their targeting choices and operational techniques. Conversely, countries like Iran and Syria tend to maintain more operational distance from their proxies, offering material and ideological backing in exchange for the proxies’ commitment to targeting designated firms, political foes, and other entities. 
Russia maintains an even larger separation from its proxies, often refraining from direct guidance and allowing them free rein regarding targets and methods. In many cases, the only link between the proxy and Russian authorities is that they willingly turn a blind eye to the activities of the proxy despite having the capacity to crack down. This raises the intriguing possibility that some of these hacker groups may be acting as proxies of the Russian state without even being aware of it.
Putin and senior Kremlin officials frequently express admiration for these “patriotic” hackers while denying any knowledge of their activities. Putin has asserted that “Hackers are free people, like artists …” so if they are patriotically minded, they will “… do what they see as their part to fight Russia’s enemies.” In this way, the Russian government can deny knowledge of these proxies while reaping the benefits of their activities without admitting the involvement of government agencies.
Traditional Intelligence vs Economic Espionage
Regardless of whether states use government agents or proxy hackers for cyber operations, the logic that once guided traditional espionage—where information flowed from those who had it to those who needed it—does not appear to apply when it comes to economic espionage. In a recently published research paper, I show that contrary to earlier beliefs, countries with similar economic structures and technological capabilities are more likely to engage in economic espionage against each other (as opposed to those with dissimilar structures and capabilities). The reason? The stolen information is more applicable and immediately beneficial to the perpetrator. For example, it is of little use to steal technology to manufacture solar panels if you do not have factories and a technically capable workforce that can profitably leverage that information.
By focusing on rivals with similar economic structures and technological capabilities, perpetrators can refine their competitive strategies and enhance their own industrial and technological bases. Importantly, this strategy is less about filling gaps in knowledge and more about advancing in an already closely contested field. This dynamic has a profound policy implication for the likely future of interstate conflict: as states continue to develop and closely guard their technological innovations, the arena of interstate rivalry is likely to shift increasingly towards more covert forms of conflict. 
This evolution suggests that except in a few instances, traditional forms of diplomacy and military confrontation may give way to an irregular warfare landscape where subterfuge and indirect aggression increasingly become the norm. In particular, states with similar economic and technological capabilities will increasingly find themselves not only competitors in the global marketplace but also clandestine rivals in a continuous struggle for technological supremacy. This scenario necessitates a reevaluation of national security strategies to prioritize cybersecurity and intelligence in anticipation of these less overt, but equally impactful forms of conflict.
In addition, diplomatic relations will likely become more complicated, as states may publicly adhere to norms of peaceful coexistence and cooperation while privately engaging in aggressive cyber operations. This combination of open cooperation with covert aggressive cyber tactics can strain international trust and cooperation, potentially leading to a more fragmented international system where states are increasingly wary of their counterparts’ intentions.
Confronting Economic Espionage and the Use of Cyber Proxies
If the United States is to respond effectively to the emerging risk posed by the use of state-sponsored cyber proxies, it needs a better understanding of how to mitigate their use and activities. In a research paper, I gathered new data on over 100 hacker groups around the world and their state sponsors to examine which accountability mechanisms are effective in mitigating the use of cyber proxies. My research indicates that the use of proxies is rare in states that have robust domestic accountability mechanisms. This is particularly true in countries where citizens can hold their elected leaders accountable for actions carried out by cyber proxies through vertical accountability mechanisms such as elections and other democratic practices. In contrast, trying to curb the use of cyber proxies using horizontal accountability mechanisms such as congressional and regulatory oversight bodies is significantly less effective. 
These insights have important policy implications aimed at addressing the issue of cyber proxies. Firstly, they suggest that pressure from citizens and civil society organizations could be effective in reducing reliance on cyber proxies in countries where vertical accountability structures are effective. One practical way to implement this is to increase the number of attributions of cyber operations to proxies and their state sponsors. The act of attributing cyber attacks to state sponsors, even when the evidence is not concrete, could prompt pressure from citizens and civil society groups for governments to desist from such operations, potentially deterring future attacks. 
Additionally, my findings imply that reliance on policies that predominantly aim to combat the use of cyber proxies through regulatory and other state oversight mechanisms is ineffective. For instance, despite numerous international agreements aimed at curbing state-sponsored cyber activities, like the 2015 agreement between the United States and China to refrain from cyber-enabled theft of intellectual property for commercial advantages, activities attributed to Chinese state-sponsored actors have continued unabated.
With regard to economic espionage, my research holds important lessons for US national cybersecurity policy. For example, the current US National Cyber Strategy emphasizes building a resilient cyber infrastructure, deterring adversaries, and promoting American prosperity by fostering a secure cyberspace that supports US national interests and economic growth. While the strategy recognizes the importance of international cooperation, it primarily focuses on deterring adversarial actions through strength. It does not sufficiently capitalize on the important finding that the primary economic espionage threats are likely to come from nations with similar technological advancements and economic profiles. This includes perennial rivals China and Russia but also allies like France, Germany, and Britain. Given the tendency for similar economies to target each other in economic espionage activities, the US could refine its strategy by fostering deeper, more targeted intelligence-sharing partnerships with countries that are at similar levels of technological and economic development.
As technological advancements reshape the contours of international relations, understanding the strategic calculations that drive states to engage in cyber economic espionage and to use proxies is increasingly crucial. This is important not only to secure states’ economic interests but also to preserve international peace and stability in an increasingly interconnected world.
William Akoto is an Assistant Professor of Global Security in the Department of Foreign Policy & Global Security at American University’s School of International Service. His research is primarily focused on examining how states leverage cyber and other emerging technologies in the pursuit of national security objectives. Details of his past, current, and forthcoming research projects are available on his website at willakoto.com.
The views expressed are those of the author(s) and do not reflect the official position of the Irregular Warfare Initiative, Princeton University’s Empirical Studies of Conflict Project, the Modern War Institute at West Point, or the United States Government.

Sunday Jun 09, 2024

June 6, 2024 by Jacob Ware, Sam Rosenberg
https://irregularwarfare.org/articles/d-days-bodyguard-of-lies-intelligence-and-deception-in-normandy/
The heroes who stormed the beaches of Normandy on June 6, 1944, eighty years ago today, faced a rainstorm of gunfire as they disembarked from their landing crafts. Over 4,000 lost their lives in the initial landings, which nevertheless succeeded in establishing an Allied beachhead in Adolf Hitler’s Atlantic Wall.
The toll could have been even worse had safer passage not been ensured by a secretive army of spies and decoys that, beginning in 1943, wove an elaborate deception to convince their Axis adversaries that the landing would be later and further north. In the words of Winston Churchill, the front-line soldiers were protected by a “Bodyguard of Lies” that carefully protected the true location and intentions of the landings at five beaches in Normandy.
The D-Day deception operation stands as a powerful example of the essential blend of irregular warfare methods with conventional tactics. As we witness brutal combat in Ukraine and anticipate potential future conflict in the Indo-Pacific, the lessons from June 1944 are more pertinent than ever. Integrating tactical and strategic deception to support traditional warfare, involving civilians alongside the military, and the critical importance of avoiding large-scale conventional war due to its immense costs are lessons that continue to resonate today. 
The D-Day Deception
As the Second World War approached its turning point, an inevitable Allied assault on occupied Europe, Allied leaders gathered at Tehran to devise their strategy. The odds appeared against them: despite Germany’s forces being spread thin across 2,600 kilometers of Atlantic coastline, the Axis held a force advantage, outmanning the landing force in France by an estimated 60 divisions to 37. Cunning and misdirection would need to complement the brute force of men and armor that would be hurled against Hitler’s European fortress. In the words of Jon Latimer, “Deception would play a crucial role in producing a ratio of forces necessary for Allied victory in the battle of the build-up and permitting a break-out.”
Operation Bodyguard was established in 1943 as the overall deception strategy to mislead the German High Command about the timing and location of the inevitable Allied invasion of Europe. Under this overarching plan, the main thrust was Operation Fortitude, which was itself divided into two smaller campaigns: Fortitude North, which would feint at Norway, and Fortitude South, which promised an attack at the Pas-de-Calais in northern France. Fortitude combined both physical deception and signals intelligence to construct the ruse. For example, the Allies invented out of thin air the United States First Army Group, commanded by General Patton, and mustered the paper command in southeast England, supporting the idea that the invasion would strike directly across the English Channel at Calais. Dummy inflatable military hardware was spread across the area, hoping to attract spy planes, while the infamous Ghost Army created fake shoulder patches to accompany and announce the arrival of the phantom units.
The deception was furthered by British intelligence’s exemplary Double Cross system, masterfully recounted in Ben MacIntyre’s Double Cross: The True Story of the D-Day Spies. By 1944, British counterintelligence confidently believed it controlled every German spy in the United Kingdom. Fortitude put this network of double agents to work, steadily feeding handlers in Berlin a diet of false reports that contributed to incorrect beliefs about the Allied order of battle. In one case, double agents “Mutt” and “Jeff” transmitted false reports about a fictitious British Army amassing in Scotland to join the Soviets in an invasion of Norway. The trick worked, with Hitler sending one of his divisions to Scandinavia just weeks before D-Day. The intelligence network was so extensive that stories still emerge today—like the women codebreakers stationed at the US Foreign Service Institute, who stole Japanese diplomatic messages describing German defenses on the French coast, further contributing to the deception’s success. 
The deception plans were joint operations involving multiple branches of the Allies’ armed forces. Operations Glimmer, Taxable, and Big Drum formed the naval component of Operation Bodyguard. Like Fortitude South and the Double Cross system, these efforts aimed to deceive the German forces about the invasion beaches in France. Small fleets, equipped with radar-reflecting balloons and devices simulating large convoys, maneuvered off Cap d’Antifer and Pas-de-Calais to create the illusion of impending naval assaults northeast of Normandy. Confused by the feint, the Germans in Calais reported an invasion fleet and even sent airplanes to investigate.
Civilians also played a significant role in Allied deception and intelligence operations. By 1944, the French Resistance numbered an estimated 500,000 members in many different groups, most of whom came under the umbrella of the French Forces of the Interior (FFI). Operating in small groups called Maquis, resistance fighters engaged in sabotage, targeting Nazi supply routes and reinforcements. The FFI’s intelligence-gathering efforts also provided the Allies with invaluable information about German troop movements and fortifications, directly supporting the impending landings. In one case, as recounted in Cornelius Ryan’s classic The Longest Day, an FFI sector chief identified an artillery piece sited for Utah Beach and managed to transmit a message to London about the potential threat. On the morning of D-Day, he was overjoyed when an Allied destroyer arrived off the coast and blasted the artillery piece with a precise bombardment. “They got the message!” he cried. 
The Maquis coordinated closely with Allied strategy. On June 5, the BBC broadcast coded messages to alert the French Resistance about the imminent invasion, setting off plans to sabotage railways (the Green Plan), main roads (the Tortoise Plan), and telecommunication networks (the Purple Plan), along with launching guerrilla attacks against German troops. More than 90 three-man Jedburgh teams, comprising American, British, and Free French operatives, parachuted into France throughout 1944 to facilitate this coordination on the ground. The first team, codenamed “Hugh,” dropped in on the evening of 5/6 June and linked up with the head of the resistance in the Indre area, near Châteauroux. In June and July, the “Jeds” helped disrupt German communications in Normandy. By August, teams worked with the British Special Air Service in Brittany, orchestrating guerrilla attacks and providing intelligence that hastened the Allied advance. These Jedburgh teams, the forerunners of modern special operations forces, provided leadership, training, and communications support, amplifying the impact of the Resistance’s efforts.
Once the invasion began, the Allies relied on tactical deception to further confuse the German defenders. As part of Operation Titanic, another subcomponent of Operation Bodyguard, the British Royal Air Force and Special Air Service dropped hundreds of dummy parachutists far from the actual landing areas in Normandy. Known as “Ruperts” to the British and “Oscars” to the Americans, these decoys were equipped with noise makers and explosives to simulate an actual airborne assault. British commandos even jumped with some of the dummies and played recordings of gunfire and men shouting to sell the ruse further. The plan had the intended effect, with the Germans sending a division reserve away from Omaha and Gold beaches and the 101st drop zones to search for the suspected paratroopers. When members of the German 7th Army discovered the dummies, General Hans Speidel ordered a decreased level of alert for his soldiers, leaving them less prepared for the actual invasion.
Perhaps the most challenging—and, in turn, impressive—aspect was that the deception could not end when the invasion began. It had to continue, convincing the enemy the true invasion was, in fact, a feint and the initial (deceptive) intelligence remained accurate. Three days after the invasion, Spaniard Juan Pujol García (Agent Garbo) transmitted to his handlers that most companies had stayed behind in England, expanding upon the lie that the main thrust of the assault would cross the Strait of Dover and hit Calais. The Ultra intercepts, made possible by the codebreakers at Bletchley Park breaking the Enigma code, offered invaluable proof that the Germans continued to believe the Fortitude ruse instead of the catastrophic and physical evidence that the invasion was already underway. It would take seven weeks for the German High Command to redeploy resources from Calais to Normandy. By then, the Allied beachhead was secure. Germany’s delay was the ultimate success of Operation Bodyguard. If the element of surprise is essential in war, then the ability to maintain and even extend the element of surprise is perhaps the most impressive triumph. 
Although debates endure about the importance of Bodyguard and Fortitude, largely over skepticism that the inflatable hardware was ever actually seen and insistence that German espionage incompetence was the ultimate culprit, there is little doubt that the deception at least contributed to the tremendous success of the D-Day landings. In the immediate aftermath of Fortitude, the German High Command awarded (Double) Agent Garbo the Iron Cross for his efforts. If nothing else, as Lt. Jason Carminati writes, “Although the Nazi regime had unique institutions that contributed to the operation’s success, the Allies’ planning and execution of various deception techniques were more impactful to the success at Normandy because German weaknesses were discovered and exploited.”
Deception Today and Tomorrow
Deception, of course, remains an integral part of warfare, deployed by both friends and foes. During the first months of Russia’s full-scale invasion of Ukraine, echoing the Rupert dolls of World War II, Ukrainian defenders employed mannequins from local stores to confuse Russian forces. Drone footage captured Russians wasting valuable artillery on a trench system manned only by these decoys. As the war progressed, Kyiv expanded its deception efforts, with civilian companies like Inflatech and Metinvest creating realistic decoys of Ukrainian weapons and vehicles, complete with multispectral signatures, causing further Russian munitions to be squandered on fake targets. 
When preparing for the initial counteroffensive in Kharkiv in September 2022, Kyiv aimed to convince its adversaries that the counteroffensive would target Kherson in the south. Using media leaks, encouraging popular resistance as “shaping” operations, and amassing troops in the south, Ukrainian military planners succeeded in drawing Russian forces to defend Kherson, leaving the Kharkiv salient largely unprotected. The eventual offensive shattered Russian lines, liberating some 12,000 square kilometers, including the strategic crossroads at Izium. (Impressively, Ukrainian forces also liberated Kherson two months later.) 
In contrast, the failed Ukrainian offensive in the summer of 2023 highlighted the challenges of deception. The Ukrainian military failed to mislead Moscow about their intention to penetrate Russian lines protecting Melitopol and the Azov coast. Despite shaping operations along the Russian defensive line, particularly in Bakhmut, the Ukrainian government’s insistence in early June that “Plans love silence” and warnings against rumors did not materially weaken the entrenched Russian defenses.
Just as the French Resistance played a central role in the success of D-Day through deception and intelligence operations, Ukrainian citizens have become crucial to their country’s current conflict. Early in the war, the Territorial Defense Forces, made up of citizen volunteers, were instrumental in repelling the initial Russian assault on Kyiv. As the war progressed, Ukrainian civilians took on various wartime responsibilities, from raising funds for the Ministry of Defense to crowdsourcing military gear and weapons to developing targeting and intelligence for the armed forces. Remarkably, the Ukrainian government even launched an app, Diia, allowing citizens to report on Russian troop movements and defenses directly.  
Deception can also be deployed at the strategic level and is often weaponized by non-state actors. Just four months before Hamas’s October 7 Einsatzgruppen-like thunder run across the Gaza border, a former Knesset member had written that Hamas and Israel enjoyed a “strategic détente” and that “Hamas doesn’t seem to be eager to change the existing equation in order to challenge Israel.” Hamas’s strategic deception contributed to the total failure of the Israel Defense Forces to protect the borderlands near the Gaza Strip—they were unable to access many of the kibbutzim until hours after the initial attack. After the fact, deception can reveal not just cunning and secrecy on the part of the deceiver but also complacency and ineptitude among the deceived.
However, the lessons for modern warfare might apply even more strongly to strategic competition. As the US escalates its saber-rattling with China, it fences with an enemy that makes deception a core concept of its strategy, using tactics such as decoy targets and disguising military equipment as civilian vehicles to mislead adversaries and protect assets. Beijing even employs local militia forces to provide camouflage support for important potential targets. And yet, ironically, “American dominance in conventional warfare has contributed to perceptions that deception is unnecessary, or is a technique for weaker powers,” as Fabian Villalobos and Scott Savitz observe. “But successful deception activities enhance force protection, preserve combat power, and add complexity for the adversary—facts that are often underappreciated.”
D-Day stands as a stark reminder of the cost of traditional warfare and the importance of avoiding it whenever possible. As the US inevitably ramps up its industrial capability to prepare for total warfare with China, it should also pay equal attention to the range of irregular capabilities—from espionage and intelligence to information warfare and cyberoperations—that will better prepare it to deceive and avoid being deceived by the enemy. As Seth Jones writes in Three Dangerous Men, “Chinese military strategy generally aims to avoid a conventional war. China’s goal is to weaken and surpass the United States without fighting.” 
US success in the coming years will not be defined by victories in conventional military battles with China, Russia, or any other adversary but by avoiding such confrontations through cunning, creativity, and deception.
 
Correction (June 7, 2024): In the article, it was previously stated that more than 90 three-man Jedburgh teams parachuted into France on the night of June 5/6. The correct information is that these teams parachuted into France throughout 1944. The corrected sentences now read: “More than 90 three-man Jedburgh teams, comprising American, British, and Free French operatives, parachuted into France throughout 1944 to facilitate this coordination on the ground. The first team, codenamed ‘Hugh,’ dropped in on the evening of 5/6 June and linked up with the head of the resistance in the Indre area, near Châteauroux.”
Jacob Ware is a research fellow at the Council on Foreign Relations and an adjunct professor at Georgetown University’s Walsh School of Foreign Service and DeSales University. He is also a visiting fellow at the University of Oslo’s Center for Research on Extremism, and the co-deputy editorial director of the Irregular Warfare Initiative. With Bruce Hoffman, he is the co-author of God, Guns, and Sedition: Far-Right Terrorism in America.
Sam Rosenberg is an Army Strategist preparing for an assignment to US Army Europe and Africa in Wiesbaden, Germany, and the co-deputy editorial director of the Irregular Warfare Initiative. Commissioned as an infantry officer in 2006 from West Point, Sam has served in Iraq, Afghanistan, and Eastern Europe. He holds a master’s degree in Security Studies from Georgetown University and a PhD in Public Policy from the University of Texas at Austin. 
Views expressed in this article solely reflect those of the author and do not reflect the official position of the Irregular Warfare Initiative, Princeton University’s Empirical Studies of Conflict Project, the Modern War Institute at West Point, or the United States Government.
