Corporate Self-Defence in the Wild West of Cyberspace

Human societies continue integrating with artificial intelligence and advanced technology at an unprecedented rate and scale. Accompanying this trend is an irreversible dependence on private sector services. Some private sector organizations fulfill essential state functions and even constitute part of its critical infrastructure. Russia’s 2015 cyber offensive on Ukraine’s electrical grid is just one example of how adversaries can exploit private sector cyber vulnerabilities to potentially tear the societal fabric of a state asunder.  

Society, cyberspace and the private sector are entangled in a web of connectivity and dependence. At a time when some companies operate entirely online, what consequences will governments who are unable to defend their private sector in the cyber domain suffer from? Conversely, how can governments grant the private sector a carte blanche in their pursuit of self-defence when the escalatory risks entailed include largescale war? As a prequel to a forthcoming brief on Active Cyber Defense (ACDs), this policy brief analyzes how legal frameworks regulating private sector cyber operations, alongside cyber vulnerabilities, often incentivize organizations to defend themselves—sometimes with substantial risk.  

L’etat des Affaires

Accommodating the advent of cyberspace (a domain still struggling with definitional issues) is already challenging extant tenets of international law. Numerous legal grey zones in cyberspace are ripe for exploitation. International law is even less helpful when seeking to regulate private sector conduct in cyberspace. International law is focussed on nation states and largely disregards private actors’ conduct—this is not surprising. Not addressing these grey zones by domestic regulation—independently or in coordination with allies—is.

Israel stands out as an exemplary case study of how a consensus based private-public cooperation strategy enhances a nation’s cyber security. A road path for coordination between public and private entities in the U.K. can potentially be paved by the recent National Cyber Security Centre, the U.K.’s independent authority on cyber security. Positive outcomes produced by consensus based actions, no matter how small, become building blocks of trust that precipitate further cooperation.

Canada’s approach to cyber security further fosters the belief that regulation can be achieved through cooperation. Canada’s National Cyber Security Strategy describes the successes of the Canadian Cyber Incident Response Centre and how “private sector leaders will have a central role to play, as a collaborative effort is needed to …. prevent and respond to cyber threats”.

Many countries, including the U.S., have yet to implement similar and equally necessary macro-level strategies. Independent policies implemented by Canada, Israel, and the U.K. result from an absence of any coordinated international agreement that develops the regulation of private sector conduct in cyber space. 

Private and Risky Vulnerabilities

In countries like the U.S., a paucity of any coordinated federal government driven initiative to defend private sector cyber vulnerabilities creates conditions incentivizing the pursuit of self-defence. Legal gray zones in regulations mean certain measures taken in self-defence may be escalatory, but not necessarily illegal under the domestic laws of the country from which they originate.  

Decisions taken by private sector organizations are heavily influenced by their expected impact on a company’s bottom line. Establishing a fulltime in-house cyber security defense team can seem extremely costly to some companies when minimum security standards can be attained without one. For related reasons to be explored later, many companies also abjure adhering to adequate cyber security measures until victimized by an attack themselves. A survey of information technology executives revealed that “the limited cyber-security measures that businesses have introduced have been largely motivated by cost savings, with minimal concern for the protection of information”.

The focus now lies on the paradox of many private organizations contently resigning themselves to lax cyber security standards when their survival in the 21st century requires a resilient cyber defence.    

Active Cyber Defence

Without mutually agreed boundaries between a government and the private sector, it is not surprising to see private organizations outsourcing their cyber security needs to a burgeoning cyber security market profitably providing such services.

A market with a value projected to exceed USD 180 billion USD by 2021, was worth less than USD 100 billion five years ago. North America dominates the majority of this market and its exponential growth is largely attributable to a concomitant rise in the frequency and severity of cyber threats. Perpetually plagued by pernicious cyber attacks, private sector financial losses from cybercrimes exceeded USD 1.3 billion in 2016. This number is indubitably an underestimation of the actual losses, some of which are not even reported.

A feature of this rapidly rising mercenary market has been the willingness by private cyber security firms to offer Active Cyber Defence (ACD) services to those with pecuniary means to procure them. What precisely these ACD measures are, the associated risks and more will be explored in depth later. The following observation suffices for now: History informs us that when a government is unable or unwilling to defend its sovereignty and no longer upholds its end of the social contract, it can no longer uphold its monopoly on the use of force either.

Conclusion

With no multilateral efforts directed towards the development of a global cybersecurity regulatory regime, many private sector organizations are incentivized to outsource their cybersecurity to mercenary firms offering ACD services. Advantages derived from this general trend must be balanced against potential risks. The next part will focus on the benefits of ACDs and why many governments can’t—or won’t—do anything about the dangers. A possibility of certain practical solutions will also be explored.

Disclaimer: Any views or opinions expressed in articles are solely those of the authors and do not necessarily represent the views of the NATO Association of Canada.

Photo by Elnur via Dreamstime

About Touraj Riazi

A Canadian immigrant born in Kuwait, Touraj made Montréal his permanent home in 2012, where he obtained a B.A. in Political Science (2017) at Concordia. He is continuing his education by pursuing a M.A. at Sciences Po Paris and will graduate July 2020. Touraj presently serves the NAOC as a returning Policy Analyst and is responsible for the Cyber Security and Information Warfare program. He is the former Editor of the NATO’s International Arc of Crisis section and simultaneously served as a Project Manager and Event Coordinator. Touraj was also a Director at the Canadian Center for Strategic Studies (CCSS) where he concurrently served as one of the Editors in Chief. Previously, he was also a Project Manager for the Canadian Turkish Business Council. He can be contacted at touraj.riazi@natoassociation.ca