The technology sector continues to disrupt and remake scores of industries, from brick and mortar retail, to medicine, transportation, operations management, and financial services. Government is behind the curve in recognizing how fundamentally major technology companies are altering the balance of power between the public and private sectors. Recognizing and accommodating for this change is critical for national and international security.
Already, the technology sector has proven to be a vital stakeholder in a host of international crises. From the Iranian attack against the Saudi oil behemoth Aramco and North Korea’s attack against Sony’s American subsidiary to Russian digital strikes against critical infrastructure in Estonia, Georgia and Ukraine – we are seeing the rising role of the private sector in identifying, verifying, and responding to state and non-state actor attacks. Sometimes private sector victims look to partner with governments, but sometimes not.
Governments like to think they are responsible for decision-making during national and international crises, but many in the technology sector see things differently. In the North Korean attack against Sony America, for example, it was the Sony Corporation, the Motion Picture Association of America, and movie theater owners and operators who suffered loss and maintained operational control over how they would respond to threats from Pyongyang. The private sector companies opted for accommodation.
The power of the technology sector vis-à-vis governments is growing daily, and major technology companies have surpassed governments in capacity and capability in many elements of the cyber domain. It is truly paradigm changing that major companies like Google, IBM, Apple, and Amazon have more aggregate power in this domain than do governments. Traditionally, defense companies might be the builders of ships and advanced aircraft, but governments acquiring the plethora of defense articles were far more powerful in aggregate than the individual companies that built them.
This is not so for the tech companies. The technology sector is not only making the vital breakthroughs, pushing our networks to better, faster, and deeper sophistication, but also retaining and growing their own power over government capabilities. Who has the best algorithms, neural networks, predicative analytics, and machine learning tools? It is the private sector. And unlike the balance of power in the physical space, having more software offerings quantitatively does not make government stronger than the private sector’s qualitative advantage.
One natural offshoot of this changing balance of power between governments and industry is the growing role of the technology sector in verifying and validating the claims of governments, particularly for attribution. The U.S. intelligence community may be unanimous in its belief that Russia interfered in the 2016 American election by, among other things, unleashing fake news stories using bots, and breaking into private emails of key figures, but many in the public were unconvinced until private sector technology security companies independently validated the claims. Industry will continue to become the independent validator of government assertions about cyber intrusions. It will also continue to be better than governments in identifying trends, targeting the presumed needs of individual users, and pervading our daily life.
Compounding the implications of the changing balance of power between governments and the technology sector is the profoundly multi-national nature of major companies. There are some companies largely beholden to single governments – such as Huawei to the People’s Republic of China – but most are not. Apple may be perceived as an American company, but its consumers, shareholders, board members, financial assets, supply chain, research and development teams, and production and operations centers are physically located around the world.
Despite being so global, major technology companies spend more time comporting to national legal requirements than they do international laws. Privacy, proprietary, data storage and cooperation with host government rules are a tangled yarn rendering many technology sector companies perpetually balancing competing national and international rule sets, and in effect, unregulated. Our international rules must adapt to the global operating environment if they are to better create rules of the road for the technology sector. Europe’s General Data Protection Regulation, slated to begin in 2018, is a good example of an international agreement that will require consistent industry compliance across national borders.
So how do governmental institutions accommodate the growing, independent power of major, transnational technology companies? Governments must treat them as partners in threat identification, crisis management, and response, not just as actors to be informed and managed as appropriate. Governments need to treat the technology behemoths much like how status quo powers make space for emerging nations. As in international relations, nation-states will want to jealously guard their privileged standing, and will be reluctant to make space at the table for the new influencers. But making that space is inevitable.
There is a difficult transition ahead. Homeland security communities already have ingested the central role of the private sector and local communities in response and resiliency, but traditional players in overseas national security institutions simply are not used to making any space for non-governmental actors in the decision-making chain of command. This will be a must.
There certainly could be circumstances where the major technology companies work in parallel fashion on identifying patterns in terrorism or digital forensics if one of their workers or assets is in need of defense. This would go beyond information sharing to a true division of labor and cooperation between persons affiliated on both sides of the public-private sector divide.
The technology sector needs a formal place in national and international digital domain crisis management and decision-making bodies. Indeed, Google has more global reach than some members of today’s UN Security Council. Perhaps there could be one seat for the sector that rotates between the technology powers? Even this idea is fraught with challenges; should companies closely linked to individual states be part of the group, or must there be a level of independence and multinational standing to be part of the circle? It also is difficult to see how any one company could speak for individual profit-making entities on real-time operational matters. Regardless., we have to start codifying the international order to make space for the powerful new actors.