A recent article in Lawfare highlighted the increasing role of the private sector in a nation’s cyber defense posture during periods of armed conflict. Specifically, the article emphasized Microsoft’s role in defending not only Ukraine, but the larger global community, from the cyber attacks that have occurred since Russia invaded its neighbor. The message is clear: Microsoft’s unique position as an international tech company with global visibility into the activities transpiring in cyberspace has made it an integral partner for governments, and especially the U.S. government, in trying to get ahead of attacks. In the words of another Lawfare author, Microsoft’s role “represents an important change in the cooperation between the U.S. government and the tech industry.”
Private-public partnership has long been the mantra for U.S. cyber security strategies for several years and is often the clarion call after any significant cyber attack that has abused a critical infrastructure industry. The assumption behind such remarks is that the U.S. government with its vast intelligence apparatus has inside information that is stifled behind layers of classification, stove-piping, and whose agencies are generally reluctant to share with one another, no less the private sector. There has been a long-held perception from the private sector that the government wants their information but is slow to respond in quid-pro-quo kind. In effect, the flow of information has been overwhelmingly one-sided, and not in the favor of the private sector. A recent August 2022 Office of the Inspector General of the Department of Homeland Security report generally found that there needed to be substantial improvements to improve cybersecurity-related information sharing. One of the acknowledgements made in that report was that the quality of information shared with private sector Automated Indicator Sharing participants was not always adequate to identify and mitigate cyber threats. That’s a pretty big shortcoming when attacks occur in seconds.
Microsoft’s increased role in these matters seems logical given the extensive resources at its disposal. According to a report the company wrote in June 2022, it received “24 trillion” signals on a daily basis from “ “devices and cloud services across a global ecosystem.” Given that the public sector is the owner of much of the infrastructure that is deemed critical, it would make sense for tech companies like Microsoft to get involved. After all, per the same report, Microsoft’s ability to detect Foxblade wiper malware just at the onset of Russia’s invasion and was able to provide warning enabled defenders to act upon it immediately. Certainly, the intimation is that global big tech companies have as key a role as the government, especially during periods of conflict, to help reduce the severity of potential threats fermenting before their deployment. When reviewing the ongoing cyber part of the Ukraine conflict, one argument for why Russia has been unable to mount the “kill shot” attack many expected is that simply, Ukraine has benefitted from international supportincluding but not limited to NATO and U.S. assistance, a private hacker army, and the assistance of numerous prominent private sector companies and vendors. This has not been a Russia versus Ukraine cyber war – it’s been a Russia versus everyone else on Ukraine’s cyber battlefield, tech companies included.
A recent study by the Carnegie Endowment for International Peace evaluated the international cooperation for Ukraine’s cyber defense as a resounding success, largely in part to private sector involvement. Per the report, “Early decisions by the leadership of some of the world’s major technology and cybersecurity companies to take proactive roles in defending Ukraine were pivotal.” This is certainly a positive development and one that shows that information-sharing must extend beyond the expeditious sharing of threat data to have any type of meaningful impact. Simply, companies must get as involved as any government, and in a way that leverages the special capabilities they have to fortify efforts to neutralize hostile cyber acts. If the Ukraine is a test bed for this unique partnership, it needs to extend beyond conflict into times of peace as well, and not just against state actors or state sympathizers.
This raises a very important question – if tech and cybersecurity companies can extensively collaborate to greatly mitigate the consequences of hostile cyber attacks during periods of armed conflict, what’s stopping them from doing this year-round? While it may be unrealistic to think that even the most robust collaboration could alleviate the majority of cybercrime proliferating around the globe, it is certainly within the wheelhouse to target and stymie the efforts of the more pernicious cybercrime and ransomware gangs with the same aplomb as being demonstrated in the Ukraine crisis. Why does this type of effort have to be solely reserved for military-on-military engagement? Does not the rampant theft of money impacting the global community warrant a dedicated effort?
But a more ominous question remains. How does big tech involvement in conflicts translate into the larger picture? Specifically, how would these companies “choose” sides, especially if they ostensibly provide services to the very countries and governments that might be engaged in the conflict?
It’s too easy to slip into personal bias as a way for these decisions to be made. We are the good guys, they are the bad guys, therefore these companies should help us out. And if companies go down that path, they risk being perceived as impartial and more aligned with a set government or ideology. The same beliefs that many in the West hold against companies like Huawei, ZTE, and even Kaspersky could be held by other countries when looking at a company like Microsoft or any of the other U.S. cybersecurity vendors. At a period where there is concern over the continued balkanization of the Internet and countries being drawn together due to shared visions of how states should behave in cyberspace, these levels of involvement in conflict may only widen the digital fractures that have already formed.
Companies seem to have a bigger role to play in cybersecurity than they have demonstrated thus far. However, finding that sweet spot without risking their images may prove more difficult if they are perceived as colluding with government agencies rather than being reliable partners.