7 min read

How the balance of power is changing on cybersecurity

The Twitter hack, compromising the accounts of some of the most prominent people on the website, was a reminder of the growing salience of cybersecurity.

Everyday, the news carries word of such data security breaches, debates over use of facial recognition technology, and the growth in cyber conflict. 

These incidents are evidence of the growing pervasiveness of cybersecurity concerns in corporate settings and their broader social implications. Security and privacy concerns loom large. 

The standard reading is that incidents like these require ever ‘more’ technology, in volume, capacity, sophistication, and ubiquity.

Our recent work points to a different reading.

We contend that these incidents chronicle a foundational shift in the relationships between firms, individuals, data and regulatory capacity, often across borders – and hence require a rethink of how state actors and firms engage emerging technologies. 

As the prominence and centrality of large technology firms in economic activities and in civic and political life grow, their relevance to core areas of state affairs of sovereignty and security also increases. Governments, in short, are no longer the only – or in some respects even the principal – players in the provision of national security.

This situation calls for a change in thinking about how states regulate emerging technologies and the relative weight given to ‘technology’ per se rather than the complementary assets that organize the impacts of technology. The now familiar label ‘cybersecurity’ has tended to give too much attention to technical problems and solutions, and not enough to new challenges of governance. These challenges require close collaboration between government actors and private industry in ways that extend beyond existing policy models. The global, systemic nature of the threats posed by cybersecurity incidents typically occur in ways that violate national boundaries more than respect them or are contained by them. 

Logging in to twitter

The expansion of cyberspace challenges the state’s traditional dominance in the governance and ordering of political and economic life. This “sovereignty gap” is evident in two main ways.

First, state actors are no longer the main concern of other states in delivering on national security. The real or latent offensive capabilities of other actors, prominently large tech companies and some global consultancies, means that national security planning must now consider threats emanating not just from other nations but also from the private sector.  States regularly have to engage with firms that literally have greater capacity and resources to manage cyber challenges than all but the most advanced state actors. Because of these developments, ‘national security’ itself is a term in motion, spawning a new agenda of policy and practice – and in the corporate sector, prompting the rise of ‘corporate diplomacy’ as a critical new competence for large corporations. 

Second, governments can no longer take for granted their ability to protect national and economic security against all relevant threats. From infrastructure protection to encryption to data collection and analysis, the work of private companies provides the primary and sometimes superior line of defence against cyber threats. This in turn raises still further challenges in how and in what ways tech firms collaborate with government actors. Never before in modern history has national security provision relied so much on the private sector capacity and deep tech expertise as in the current era. 

States have responded to the sovereignty gap by pushing back against the private sector’s growing relevance. The case of information threats travelling via social media, for example, is instructive here. Social media companies such as Facebook and Twitter are the first line and primary players in attempts to fend off foreign disinformation campaigns that seek to sow division and discord within democracies or that seek to undermine public confidence in the legitimacy of electoral outcomes. Their public records on this work do not inspire. And over time these ‘platform’ companies remain under-regulated by virtue of debates in the division of regulatory labor:  Is Facebook a media company or a private information platform?  The answers to that question are plural, and they implicate different regulatory agencies and policy models.  There are differences of degree between the US responses and those of the European Union; both are still preliminary.  

These efforts to address the situation have not gone far or fast. In a US presidential election year, this problem is an ongoing concern of policymakers and business executives alike. The same issues arise in the context of the recent UK Parliamentary elections and in a dozen other country cases.   This vignette reminds us that the primary issue here is not more effective regulation, but rather fresh insights and new policy models of how states can and should manage this ‘sovereignty gap’.

Another concern involves the controversial use of facial analysis technology in policing. Amazon recently announced that it will suspend the technology’s use in the United States owing to concerns of racial and other bias in the algorithms. There is no clear regulatory framework to govern this technology application, and de facto this is being accomplished through internal worker boycotts and challenges to government contracts, to popular media mobilization and other such ‘informal’ (and uneven) sources of response. Ironically, the design of regulations requires the involvement of the very companies whose technology will be regulated (representatives of the U.S. Congress are currently consulting Amazon; EU policymakers are in dialogue with the companies.

These cases illustrate governance challenges not only at the domestic level but also in the international milieu. Conventional governance mechanisms such as the UN Group of Governmental Experts (UNGGE), which prioritize the state, have struggled to craft norms of acceptable behaviour because of diplomatic disagreement among large powers and because relevant private players are largely absent form the discussion.  The legacy policy venues focus on nation-states.  A new generation of policy forums grapple with new forms of representation and membership.

These examples highlight both the timeliness and analytic value of tools from international relations and regime theories to understand and solve these challenges.  This approach points to how regimes structure both attention to these challenges and the available policy solutions.  Standard IR regime theory on build an analysis by focus on relevant actors, principles and rules, and decision criteria. We find that much of the regulatory capacity, tools, and rules in the cyberspace are drawn by analogy from other incumbent technologies and industries.  This is consistent with findings of the histories of technology and innovation.  

The core point is that emerging cyber technologies have altered the balance of capacity and influence between state actors and corporations in core areas of national and international life. Although information about government capacity and practices in this space is often classified, much data exists in the public domain with which to evaluate international norms construction, social media information campaigns, and technology assisted policing.

The growth of the sovereignty gap occasioned by developments in cyber capacity demonstrate ‘why’ we need to enrich standard technology strategy and cyber studies with an explicit focus on international relations and governance regimes.  These studies suggest the beginning points for the ‘how’.  Our challenge is to understand more fully these issues that at first manifest as a ‘technology’ issue.  And bolstered with this more fully-specified understanding, we can guide the development of policy regarding the force, impact and fate of these emerging, society-shaping technologies. And based on that, we can provide more robust counsel to business leaders.  

The benefits of this research wisdom are relevant for policy and practice: Fully appreciating the challenges of cybersecurity and technology governance beyond one ‘case’ or incident requires coordinated, disciplined inquiry. The virtue of any single discipline is specialized focus– whether computer science or management studies or political science. Further, the idea that any single perspective can conclusively resolve problems of technology is to presume the jurisdictional primacy of engineers and computer scientists, or private firms, or governments. The necessary intellectual project here is to fuse these perspectives. Accordingly, we work to build a research program that starts from a ‘Congress of Disciplines’ – an initiative that connects international relations theory and global affairs with technical understandings and research on management. 

The issue for practice is to experiment with the idea of corporate diplomacy and to explore new ways for tech firms and governments to work together – and also to specify correctly the differences and conflicts.  We need urgently an era of experimentation to develop new kinds of capacity and new kinds of collaboration – and a generation of leaders in both venues with experience in this work. 

Cyber threats as a category of emerging technology-related challenges make visible the need for a new generation of integrated, multidisciplinary research, policy, and practice.  These solutions cannot suffer the limits of a cloistered world; nor should the academic inquiry that gives rise to them.