Sunday, February 23, 2020

Can corporations make the digital sphere secure?

By Myriam Dunn Cavelty and Jacqueline Eggenschwiler

Not so long ago, when it came to cyberspace, states were believed to be powerless entities with no meaningful policy tools at their disposal. The supposed novelty of the cyber domain was thought to render traditional forms of state intervention and strategies useless. Now researchers and policymakers have come to realize that this is not the case, and that the erroneous assumptions of sovereign powerlessness were the result of flawed arguments inspired by technological determinism. Cyberspace is not a natural environment that has developed beyond the point of human control. On the contrary, it is man-made and almost entirely malleable.

As states have come to reveal themselves as capable and determined actors, willing to use and shape the digital realm as part of their strategic and military toolsets, unease over the escalatory potential of offensive cyber operations has risen. States have invested heavily in digital infrastructures and have built up cyber-command units, often at the intersection between military and intelligence branches. Concurrently, terms such as cyberwar, cyberweapons, or cyber arms race have entered the vocabulary of policy analysts and commentators, and the latter seem to agree that in classic security-dilemma fashion, levels of insecurity have increased rather than decreased.

Through their actions, great powers reveal themselves as able and willing to use and shape the cyber domain as part of their strategic and military toolbox. Therefore, the sense of unease about the escalatory potential of cyber operations is certainly not waning. The overall feeling is that the problem has gotten worse in both quantity and quality. Many experts refer to the malware used in some operations as cyberweapons and regard the build-up of cyber capabilities by state actors as part of a cyber arms race. The uncertainty over the intentions of other states leads to heightened feelings of insecurity and, again in classic security-dilemma fashion, to high incentives to build up (offensive) capabilities and cyber-command units, often at the intersection between the military and intelligence.

The uncertainty about the intentions of other actors and general unease about offensive cyber capabilities cause states to control the risk of escalation and fallout. As a result, the number of ministerial meetings and conferences attempting to agree on norms of responsible behavior in the virtual realm has increased. However, with global political tensions on the rise and cyberspace being treated as a strategic domain, the chances of agreeing on anything meaningful are close to zero. The failure to arrive at a consensus document by the 2017 United Nations Group of Government Experts (UN GGE), which was tasked with examining extant and nascent threats derived from the digital realm, is one case in point. The ideologically inspired bifurcation of the UN-driven norms process is another.

However, because cyberspace is of strategic importance for a great variety of different actors, state behavior, including the failure to come to an agreement concerning rules of the road for the virtual realm, does not go unchallenged by other stakeholders. Subsequent to the UN GGE’s inability to come up with a consensus report, and following major cybersecurity incidents of transnational magnitude, including WannaCry and Petya/NotPetya, there has been a surge in the number of private-sector initiatives directed at fostering responsible conduct in the digital domain. Examples include Microsoft’s proposal for a Digital Geneva Convention as well as its adoption of a Cybersecurity Tech Accord, Google’s New Legal Framework for the Cloud Era, Siemens’ conclusion of a Charter of Trust as well as Telefónica’s Manifesto for a New Digital Deal.

From an empirical perspective, it is fair to say that in cyberspace, the definition of norms is no longer just the domaine réservé of nation states, but increasingly also the purview of business enterprises. Private actors extend their traditional zones of operation and engage in diplomatic dealings at an international level. While the key drivers for corporate engagement on issues relating to international security and stability in cyberspace may be commercial in nature, i.e. the reduction of costs and risks or the acquisition of competitive advantage, the private-sector proposals also display considerable degrees of normativity which go beyond pure business interests and are likely to have an impact on international politics.

Not only have private companies come to assume roles as proposers of norms and diplomatic change agents, they have also put on the table important topics that were previously unaddressed. Most of the normative efforts conducted by states are geared towards the high-end form of cyber aggression, the fabled cyberwar, which could be devastating but presently has a very low probability of occurrence. Indeed, more common are destabilizing cyber acts below the threshold of war. The biggest actual cyber issue, next to cybercrime, is cyber exploitation or cyber espionage, with the goal of gathering classified information from an adversary and using it in strategically opportune ways. This is the world of intelligence agencies, whose actions are regulated by domestic law in their home states but remain more or less unconstrained by international law.

The private-sector initiatives aim to tackle the destabilizing actions of intelligence agencies. Bad actors who plant and exploit vulnerabilities in current operating systems and hardware are making cyberspace more insecure; their aim is to have more access to data while preparing for future conflict. Backdoors and unpatched vulnerabilities reduce the security of the entire system – for everyone. In short, the strategic exploitation of vulnerabilities in computer systems and the weakening of encryption standards have the potential to destroy trust and confidence in cyberspace overall, which would produce considerable economic and social costs.

While the emergence of a coherent global cybersecurity regime in the near future is unlikely, a push for more state restraint and responsible behavior by private-sector protagonists seems probable. In the best case, corporate pushback, especially if coupled with technical innovation and better cybersecurity solutions, will lead to a more or less deliberate change in the conduct of state actors. While the norm-building activities of private-sector entities raise a number of important follow-up questions pertaining to legitimacy and order, in the worst case they will create pressure for states to continue diplomatic efforts to make cyberspace more – not less – secure.

Myriam Dunn Cavelty is a senior lecturer for security studies and deputy for research and teaching at the Center for Security Studies (CSS).

Jacqueline Eggenschwiler is a PhD student at the University of Oxford’s Centre for Doctoral Training in Cybersecurity and the Faculty of Law.
