A photo taken on June 24, 2024, shows the aftermath of a fire at a manufacturing facility in Berlin, Germany, that was allegedly linked to Russia.
(Sean Gallup/Getty Images)

The past few weeks have seen a flurry of official Western government statements, media investigations and other reports alleging that multiple foreign countries are increasingly working through proxies to sponsor a wide range of illegal operations, including lethal violence, harassment and intimidation, and cyber threat activity across the West. These operations are setting off alarm bells across North America and Europe as authorities express concern that proxies are becoming bolder and more dangerous.

Among other things, Ken McCallum, the head of U.K. domestic intelligence service MI5, warned in a high-profile public speech on Oct. 8 that the United Kingdom faces a "staggering rise" in efforts by Iran and Russia to recruit criminals to "do their dirty work," including assassination attempts and physical sabotage. On Oct. 15, the head of Germany's BfV intelligence agency, Thomas Haldenwang, warned that Russian-sponsored attacks "have reached a new level in recent months," which he said now puts "human lives at risk." Meanwhile, multiple major media outlets have published investigations into Iran's use of criminals across North America and Europe to attack dissidents. For their part, on Oct. 14 Canadian authorities accused Indian diplomats of scheming with an organized crime syndicate to carry out a wave of violence and other attacks against dissidents in Canada. The same day, The Wall Street Journal published a front-page investigation about the "unprecedented scale" of Chinese espionage against the West, including marshaling the access of university students, researchers and other sympathetic private citizens. Finally, in an Oct. 15 report, U.S. tech company Microsoft said it was seeing "increasing evidence of the collusion of cybercrime gangs with nation-state groups sharing tools and techniques," specifically citing Iran, North Korea and Russia.

Of course, this is not a new phenomenon: governments have worked through proxies to hide their hand when intervening in foreign countries for hundreds of years. But whereas such allegations in the past were often hard to prove (and even if they were, the evidence usually stayed classified), the dynamics have changed. Western intelligence and law enforcement agencies are now increasingly revealing some of their knowledge to the public, while media outlets are becoming ever more capable of reporting (and willing to publish) sensitive stories. Intrepid researchers, investigative groups and private intelligence firms are also increasingly displaying advanced skills to find and reveal information that otherwise would stay in classified channels. The result is an increasing focus on what could be called "the saboteur's dilemma."

The Saboteur's Dilemma

By definition, security services like to work in the shadows: their operations in other countries are designed to go unnoticed and, when they are noticed, not to be traced back to them. But to accomplish their various objectives — whether that is to steal information, carry out physical sabotage, assassinate people or something else — they have a fundamental choice: do their own operatives conduct these attacks or do they rely on others?

On one hand, it makes complete sense to rely on in-house talent. For one, restricting the number of third parties limits the risk that operational details are leaked; after all, if you've gone through the trouble of granting security clearances to people, it may not be worth taking the risk of working with an outsider you do not necessarily trust. Moreover, in many (though admittedly not all) cases, intelligence agencies have greater capabilities in terms of funding, technical expertise, access to weapons and other operational necessities compared with an outside group like an organized crime network, let alone a single individual. Plus, while people assume that security services carry out questionable (if not outright nefarious) activities, operations working with drug traffickers, mafias and other criminals are seen as beyond the pale in many countries, if not illegal. Indeed, while intelligence agencies usually have special legal authorities to do certain things on their own, that authority may not extend to activities involving private citizens.

But there are equally compelling reasons to outsource jobs to third parties. Most importantly, going through an intermediary creates an element of plausible deniability; even if tenuous, removing even one link in the chain of attribution can help limit blowback. Moreover, working via proxies is often much cheaper and more efficient; why spend the time and money on preparing an intelligence officer to travel to a location to assassinate someone when a local hitman can do it for a much lower price than what it costs to stage such an elaborate operation? Finally, working with outsiders can help overcome operational constraints; if your security services have trouble operating in a location, locals on the ground, with whom you can easily coordinate online, are a great workaround.

To be sure, this dilemma is not all-or-nothing, nor is it immutable. None of the countries cited in the recent government investigations and media reports is solely using proxies to the complete exclusion of their own intelligence officers; rather, both methods are being used simultaneously, with security services at times elevating the importance of one over the other to fit current needs. This creates a dynamic environment in which intelligence agencies are constantly shifting their strategies to adjust as needed. In some cases, different security services within one country may pursue divergent strategies: one with better access may prioritize its own personnel while another facing various constraints may rely more on proxies. But regardless, the dilemma for intelligence agencies remains: keep in or farm out?

Outsourcing Risks

Judging from recent public statements and media investigations, the pendulum appears to have swung more toward the outsourcing side of the dilemma for some of the West's rivals and adversaries. As mentioned, there are good reasons for this and the countries involved undoubtedly perceive a benefit. But there will eventually be consequences if the current pace of anti-Western proxy attacks continues.

As in business, outsourcing assassinations, acts of sabotage and other operations to civilians — be they criminals eager for a payday, sympathizers motivated by ideological affinity, or individuals who have been coerced — carries risks for both the saboteur and the target. Chief among these is the loss of control. Just as a large business can't keep track of its dispersed and diversified supply chain, neither can an intelligence agency maintain complete awareness of what its proxies are doing. As emphasized by some Western security chiefs, inviting criminals to become part of the spy game often means introducing far less operationally sophisticated individuals who are much more careless with their activities.

For the perpetrating country, this can significantly erode the veneer of plausible deniability. But of greater concern, these individuals are also generally far less experienced. Whereas a trained intelligence officer should be clear on the specific way to build an explosive device and the particular time and location to use it, criminals, let alone average citizens, are far more prone to mistakes, like adding too much explosive material to a device (after all, if you're under pressure and not an expert, you want to be sure your device will work), or not being as targeted in deciding when and where to detonate that device. Something along these lines appears to have happened on June 3, when French authorities arrested a pro-Russian saboteur after he accidentally caused a minor explosion in his hotel room. While no one aside from the perpetrator was injured, in another scenario, the consequences could have been far more serious. In the words of MI5 head Ken McCallum, these are "dangerous actions conducted with increasing recklessness."

Or consider the fire that engulfed a major indoor shopping center in Warsaw on May 12, in an incident that has now been linked to pro-Russian saboteurs. Though no one was injured in the fire, which broke out in the early morning hours, it leveled the vast majority of the massive complex and illustrated that what may have been conceived as a targeted act of arson could quickly escalate to torch a much larger area. The same could be said for the drone sightings that temporarily shut down Stockholm's international airport on Sept. 9, which were believed to have been the work of pro-Russian saboteurs. Again, no one was harmed, but putting potential amateurs in control of drones flying near commercial aircraft is a recipe for disaster.

After all, the street gangs and other criminal syndicates that governments use to do their dirty work are generally not known for their discretion — even more so because contractors often use sub-contractors (and so on). Iran, for example, has been accused of working through at least five main criminal groups, including the Hells Angels biker gang. This means that the ultimate perpetrator of an attack may be multiple links removed from the sponsoring intelligence agency and far less professional than the agency originally envisioned. And in what could be a tragic version of the children's game of "Telephone," what starts as a direction from an intelligence agency for a very precise act of intimidation could, three subcontractors later, have turned into a direction for a lethal attack that sends a message far beyond the intended target.

Outsourcing cyberattacks can prove similarly risky. Even if intelligence agencies keep their most sensitive operations for their own hackers, delegating even some of them to cybercriminal groups, who are generally motivated by financial gain and care far less about how their attacks may affect geopolitics, introduces new risks. On Oct. 1, British authorities leveled new charges against Russia for outsourcing a variety of cyberattacks against NATO countries to the Evil Corp cybercrime gang, which the United Kingdom characterized as effectively an appendage of Russian intelligence services. As is often the case with cybercrime gangs, Evil Corp has seen multiple internal splits that have led different members to go their own way, suggesting how advanced technical capabilities, sensitive intelligence or other support that Russian security services provided may have found their way into the wild.

Further, cybercrime gangs can be far less precise in their operations, as evidenced by the 2021 ransomware attack against the U.S. company Colonial Pipeline, which led to days of fuel shortages across the southeastern United States. In that operation, carried out by a suspected Russian group called DarkSide, the perpetrators appear to have believed they were simply targeting the company's information technology system; however, the system's links to the operational technology that ran the pipelines meant that the attack went far beyond what the hackers seemingly intended — so much so that the group actually apologized for its actions. While this incident is an outlier, it is not hard to conceive how it could be repeated, especially because cybercrime often involves groups subcontracting their work, introducing more risks. It is thus easy to imagine how nation-states delegating some operations to cybercrime groups could easily spin out of control in the absence of extremely precise guidance and constant monitoring, which would ultimately defeat the purpose of bringing in third parties in the first place.

When Outsourcing Becomes Policy

Despite the deluge of recent coverage about foreign states' use of third parties to do their dirty work, it remains to be seen whether this is merely a temporary swing of the pendulum in one direction or the beginning of a more sustained strategic shift. But while intelligence agencies will never fully give up control to third parties, there is good reason to think that the more routine use of proxies is here to stay. As Western countries increasingly make it more difficult for Russia, China and other countries to engage in more traditional espionage in which spies pose as diplomats, and as tensions between the West and these states show no sign of de-escalating anytime soon, there will be significant incentives, and in some cases necessities, for the West's rivals and adversaries to find new means of conducting espionage. Already, digital (and often encrypted) communications are eroding the tyranny of distance and making it easier to give directions securely from across the world. And although intelligence agencies will always desire to spy on foreign governments, the information they seek and operations they want to carry out are increasingly directed more at non-government entities like companies in strategic industries — a shift that will also result in a greater emphasis on third-party espionage using businesspeople and other private citizens.

The more this happens, however, the more established spying norms will erode, and the more risky and potentially violent these operations will become. After all, for all the tensions between countries like the United States and Iran or Russia, their intelligence agencies remain one of the few conduits for bilateral communication. Call it old-fashioned, but professional spies generally still have begrudging respect for each other and, for all the aggressiveness of certain operations, there are still broad understandings about the way things are supposed to be done. This is why there are still communications backchannels, spy swaps and clandestine meetings between spy chiefs of countries whose governments otherwise do not speak.

But when these links are broken because spying is not being done by the professionals, it increases the likelihood of misunderstandings, miscalculations and accidents — and with it, the risk that sabotage escalates out of control, bringing adversaries, rivals and perhaps even some ostensible friends closer to confrontation than they had intended.
