The most interesting thing about the cyber world isn’t computers, it’s in the confluence with power.
Cyber technology is changing the way humans live. Both private and public corporations have online problems that look remarkably similar to their offline problems. So when their digital remedies look identical to their offline remedies because there’s really no good alternatives, the consequences can be forecast. What this all means for society is, well, intriguing.
The best way to think about cyber is from the perspective of a soldier. For the military, the world is split into “domains”: land, sea, air and space. Cyber is the fifth domain. The first four were built by nature, while the fifth was built by humans. And unlike the others, cyber has no natural obstacles such as rivers, mountains or deserts. It is an entirely flat landscape, ideal for communication and offence. It is cyber’s inherent defensive flaws that keeps CEOs up at night.
Cyber foments its own versions of commerce, entertainment and traditional statecraft. People rely on it for almost every facet of their lives, and private corporations are increasingly dependent on the internet for the simplest of tasks. We’ve seen this before in history. The most apt parallel to what’s happening in cyber is the creation of global sea lanes during the European colonisation of the Western Hemisphere.
As then, the question for governments is: how much should we allow private entities to defend themselves outside their own perimeter? And what may a company appropriately do inside its own network when under attack from non-state actors, rival companies or a nation state?
Plenty of companies have been set up to help other corporations defend against cyber threats. The word “corporations” is used specifically because a government is also a corporation, in the sense that it is simply a group of people working together for a common purpose. Those cyber defence companies say they will “agnostically” assist both public and private corporations, for a fee.
After 9/11, the Western governments asked these private cyber corporations to complement intelligence and defence forces as contractors. One of those contractors, Edward Snowden, is now infamous. Yet the actions of the Five Eyes intelligence club (New Zealand, United Kingdom, United States, Australia and Canada) over the last decade reveal a remarkable transition of power.
The Five Eyes countries have the greatest collection of cyber firepower on the planet. No other country comes close, not least because the club created, owns and controls the underlying platform of the internet. Even so, when asked the above question by private corporations, the Five Eyes governments respond in much the same way as 18th century governments: “defend yourself.”
Think about this for a second. Powerful as governments are in the cyber world, they are certain of their limitations. Just as the East India Tea Company reached too far across the globe for the British government to effectively defend, todays private corporations travel too far in a significantly more vulnerable domain for their governments to also defend. And both sides know this.
Five Eyes officials, especially in the US, are of course discussing the appropriate response to this reality. They keep coming back to the 17th and 18 centuries as the only relevant parallel. Many of those global, sea-faring companies acted with the attributes of state sovereignty. They could defend their assets with full state-backing using “letters of marque and reprisal.” Now a reissuance of such powers is under serious consideration.
What are these letters? In the days of fighting sail, a letter of marque and reprisal was a government licence authorising a person (known as a privateer) to attack and capture enemy vessels and bring them before admiralty courts for condemnation and sale. It was a mutual understanding between private and public corporations that sometimes the Leviathan can’t offer complete protection, but still deserves the citizen’s full subjugation.
Private cyber defence companies occupy an interesting position in modern society. They offer intelligence and cyber weapons to corporations with the full blessing of governments. What those corporations do with cyber threat intelligence is entirely up to them. After all, the defence companies say they do not encourage counter-attacks against cyber threat actors.
But if the understanding is that public corporations cannot defend private corporations at almost any time (remember the response: “defend yourself”) then those letters of marque and reprisal might already exist implicitly, but not explicitly. This is a grey area but is also a transition of power, although governments won’t see it as such because letters of marque and reprisal sounds Orwellian.
The root of the problem is that the modern English language has no word which means “power,” but carries only positive associations. Yet there are synonyms for power, the most common being “responsibility.” People in power are almost always sincere and cannot think of themselves as having power, but they are responsible and that means powerful.
The legitimacy of a nation state is its promise to defend life and property in exchange for a monopoly on violence. In other words, a state is responsible for its citizens’ safety. But how much does this legitimacy erode when the state voluntarily cedes responsibility of protecting private corporations to those very corporations?
This is the confluence of cyber with power. Since much of the global economy is digital and since governments have indicated they cannot control the realm, what exactly is stopping a corporation from using its cyber weapons to “defend itself” outside its own network? And what if the attacker is a nation state?
Responsibility, like nature, abhors a vacuum. If an entity no longer controls something, yet the requirement still exists, then another will fill its place. Once this happens, it is often impossible to reclaim. Governments were lucky to reclaim power in the 19th century because the global trading companies were too weak. Will they be so lucky this time?