More often than not, the delegation of national security responsibilities to private actors has generated controversy. Notable cases include the United States’ reliance on private military contractors in the recent conflicts in Afghanistan and Iraq. Hence, it may come as a surprise that the current debate around private sector contribution to national strategies of cyber deterrence has been largely exempt from such controversies.
On the contrary, a steady consensus has grown around the idea that national strategies of cyber deterrence would benefit significantly from the direct participation of actors in the private sector. In particular, there have been repeated calls for tech companies, cyber-security firms, and owners and operators of critical infrastructure to bring their vast resources to the table in order to boost governments’ ability to fend off malicious cyber activity.
Without dismissing the opportunities originating from the contributions of the private sector, a new article written by Eugenio Lilli highlights how such private contributions could also pose significant security, legal, and moral challenges.
The first step in assessing the desirability or otherwise of private sector contribution to national strategies of cyber deterrence is to define the concept of deterrence in cyber space. As is the case with many neologisms containing the prefix “cyber”, cyber deterrence also lacks a universally agreed upon definition. In the article, cyber deterrence is defined as the deterrence of malicious activity occurring within or through cyber space. It is also argued that deterrence in cyber space should be:
- Restrictive. It should seek to shape and limit the overall frequency and severity of malicious activity rather than aiming at dissuading all attacks from occurring at all times.
- Comprehensive. It should encompass deterrence by denial, punishment, entanglement, and norms; it should rely on deterrent measures taken in the other operational domains of land, sea, air, and space; it should include the whole range of instruments of national power including diplomatic, information, military, economic, financial, intelligence, and law enforcement (aka DIMEFIL) instruments.
- Dynamic. In response to rapid technological innovation, it should constantly monitor systems and networks, update defenses, improve intelligence sharing, patch vulnerabilities, and renew contingency plans; in response to change in cyber norms, it should implement measures aimed at actively shaping the evolution of norms in cyber space.
- Complemental. It should not be expected to work best as a separate tool in an actor’s toolbox, but rather as complemental to other forms of coercive and non-coercive strategic interaction.
By relying on the RCDC (Restrictive, Comprehensive, Dynamic, Complemental) conceptualization of cyber deterrence, the article identifies specific areas where private sector contribution can be especially beneficial to national strategies of cyber deterrence. For example, there is evidence to support the argument that private actors can be instrumental in hardening cyber defenses and enhancing resilience, sharing information, imposing costs on adversaries, attributing cyber incidents, creating strategic interdependencies, and advancing norms of appropriate behavior in cyber space.
Some important benefits of private sector contribution appear to be common to all areas. To begin with, the private sector can offer unique state-of-the-art technologies, highly skilled human capital, and critical funding to compensate for a national government’s limited resources. Moreover, while government authority is often geographically limited, private actors’ visibility and reach can extend beyond national borders. In addition, compared to the somewhat cumbersome processes of policymaking characteristic of state bureaucracies, private sector processes of policymaking give these actors more flexibility and speed, key abilities given the fast-changing nature of threats in cyber space.
Given the above, it is not surprising that the number of people calling for more private participation in national cyber deterrence is steadily increasing. However, as is often the case, the devil is in the details. The opportunities originating from private sector contributions are apparent, yet these same contributions also have the potential to raise serious security, legal, and moral challenges that need to be thoroughly understood.
For example, contracting a private company to host classified military information can give fast-track access to the latest technologies, but it could also endanger national security if the private company is successfully breached by a hostile actor. Similarly, private companies, especially big tech companies, usually employ people from the world over. Where would these employees’ loyalty lie in case of heightened international tensions or an open confrontation? With the country which contracted them or with their country of origin?
Moreover, legal considerations could limit the willingness of the private sector to contribute to activities of intelligence sharing and active cyber defense. In the context of the United States, both types of deterrence activities, while beneficial, may in some cases violate domestic law.
There are also instances of contributions which raise moral issues. For example, the private sector’s access to the government’s sensitive information could lead to the abuse of such information for private gain. Private companies are ultimately responsible to shareholders rather than to the citizenry. How can they be held accountable to the nation’s interest? With regard to attribution of cyber incidents, commercial interests could make private actors somewhat biased in their public attributions. In particular, they could refrain from publicly attributing incidents to specific governments because they do not want to jeopardize their access to these countries’ profitable contracts and markets.
To conclude, these few examples show the need for starting a more nuanced debate on the nature and desirability of private sector contribution to national strategies of cyber deterrence, one that is not limited to highlighting the opportunities deriving from it but also considers the related challenges.
Eugenio Lilli is a lecturer at University College Dublin. He is the author of “Redefining deterrence in cyberspace: Private sector contribution to national strategies of cyber deterrence”, Contemporary Security Policy, which is available here.