The week-long multi-conference event affectionately referred to as ‘Hacker Summer Camp’ recently concluded. It began with BlackHat, was dotted mid-week with multiple smaller conferences, and was punctuated by DefCon, the world’s largest hacking convention. It brings together cybersecurity practitioners, independent hackers, and most of the major global firms in the cybersecurity marketplace. They represent the majority of the private entities that own and manage cyber intelligence.
Hacker summer camp highlights the fact that while states rely heavily upon global data connectivity and communication, they do not hold a monopoly on intelligence and data in this space. For their part, mature cybersecurity firms (CSFs) have their own threat intelligence units, data collection systems, and often full access to hundreds of thousands of machines through which to collect information about attempted and successful attacks.
The question of who “owns” cyber intelligence has profound implications for the geopolitical landscape. Grappling with this reality and its consequences is crucial.
The Cybersecurity Firm and the State
CSFs challenge any semblance of a state-based monopoly on cyber data collection and analysis. CSFs have special access to the information and communications systems they are contracted to protect. They curate massive amounts of data. Large globally-footprinted CSFs like Mandiant, Crowdstrike, and ZeroFox have access to their clients’ hundreds of thousands of computers and networks that they then use to generate analyses of attack trends and threat actors.
To be sure, states are not flying blind. In the United States, there is a patchwork of institutions responsible for addressing vulnerabilities and breaches at home and abroad. The National Security Agency, which has global surveillance and cyber capabilities, is first among equals. While it is impossible to know precisely how much information CSFs hold relative to these institutions, the constant plea for more and better information sharing with CSFs suggests they are formidable contributors.
The existence of highly-capable private sector actors focused on cyber intelligence can benefit states, especially since the private and public sectors often use the same technologies. Operations like SolarWinds and Microsoft Exchange draw no strong distinctions between government systems and private companies. Because of this, there may be cases when CSFs learn about an intrusion affecting firms and government systems. CSFs can discreetly inform federal entities while also alerting the wider public of the breach.
More broadly, many CSFs are direct providers of cybersecurity services to governments. States may have implicit access to, though not control over, CSF intelligence streams. In neither of these instances, however, does the nation state own the intelligence. It is a consumer or beneficiary of information owned by the CSF. This is particularly likely for democracies with robust private sectors, and perhaps less so in authoritarian countries that exert greater control.
In other cases, states and CSFs might have parallel but unshared knowledge of breaches and intrusions. Since CSFs have differing economic incentives and legal obligations than nations for sharing data and intelligence, it is easy to imagine episodes where these entities are working on understanding different parts of the same attack but not collaborating.
Slightly more worrisome from the government’s standpoint are cases where states may be blind to cyber threat intelligence that CSFs hold and which affects the national interest. CSFs, for example, provide the day-to-day services and monitoring that protect the sixteen critical infrastructure sectors identified by the Cybersecurity and Infrastructure Security Agency (CISA). While CISA and its parent agency, the Department of Homeland Security (DHS), are the lead federal agencies tasked with helping these sectors protect against and respond to attacks, they do not have direct visibility into the systems and event logs through which CSFs develop their situational awareness of attacks and threat actors. Indeed, cooperation with these agencies is voluntary.
Cyber Intelligence and the Politics of Disclosure
One of the more important strategic implications of the CSFs may be on what Erik Lin-Greenberg and Theo Milonopoulos call the “disclosure decision,” or “the government’s choice to publicly release or acknowledge information that was initially secret and concealed from one or more audiences.”
States disclose secret information for many reasons. Revealing hostile state activity may embarrass rivals and shore up domestic and international support for counter-measures. It can also demonstrate a state’s bona fides when it comes to detection and response, as well as establish when particular kinds of attacks are out of bounds and send public signals about appropriate norms of behavior in cyberspace.
There are also cases when states want to conceal information, such as when authorities hope to protect sources and methods behind the initial discovery. Relatedly, revelation may lead to calls for escalation from hawkish publics or undermine rules and norms, thereby pushing leaders to keep information secret. Disclosure may also make states look weak or induce widespread panic.
As Lin-Greenberg and Milonopoulos illustrate with commercial satellites, new technologies and actors are eroding states’ privileged position regarding disclosure decisions. A similar dynamic is playing out with CSFs. The real tension emerges from the fact that these actors have different incentive structures than states.
Timely public disclosure is often beneficial to CSFs. Firms gain new clients when they demonstrate savvy in technical defense and detection. Firms also retain clients by demonstrating technical expertise while protecting data about client vulnerability and exposure. Thus, firms calculate disclosure based upon reputation effects, tempered largely by the legal agreements to which they are bound.
CSFs share intelligence differently as well. They often preliminarily disclose data and intelligence to other CSFs to better understand the scope and severity of attacks. Ad-hoc working groups tend to form when detected shenanigans are not yet fully understood. CSFs often then coordinate release of attack data to ensure the protection of affected parties. Nevertheless, being the first to announce detailed public releases of technical analysis vaults a firm into the limelight.
This mismatch of incentives between states and CSFs creates the possibility that the latter may publicly disclose hostile cyber activity that the former would have kept quiet indefinitely or at least for a time. This poses a particular challenge when the victim is a critical infrastructure node governments are supposed to protect. By divulging these details, CSFs can force the government to respond more rapidly and forcefully than they would prefer.
The SolarWinds breach is illustrative. Mandiant FireEye made the breach known. The Biden Administration took a number of steps in response. The interesting counterfactual is whether they would have behaved differently had Mandiant not gone public with their information, and just how long officials would have waited to make the announcement.
An Enduring Challenge
The loss of the monopoly on disclosure is only one of numerous strategic challenges. CSFs are now increasingly the targets of nation states seeking to steal sensitive vulnerability data, tools, and techniques. They have a target on their back regardless of whether they want to play geopolitics. Moreover, given the CSF bias toward public notification, states may be forced to adjust their strategies about when and how to name and shame rivals.
Finally, we anticipate increased pressure on CSFs to give up their autonomy or intelligence control to host countries. How it will play out in practice remains to be seen. For governments like the United States, whose CSFs have thrived in the open marketplace, regulations to force them to directly integrate with intelligence agencies are likely a non-starter. Conversely, the Chinese regime has already introduced some domestic laws that move in this direction. In short, the interplay between countries and CSFs will increasingly be at the forefront of our capacity to secure nations from cyberattacks.
Dr. Nina Kollars and Dr. Michael Poznansky are Associate Professors in the Cyber & Innovation Policy Institute (CIPI) within the US Naval War College. The views expressed are those of the authors and do not necessarily reflect the official position of the US Naval War College, the Department of the Navy, or the Department of Defense.