The author is International Policy Director at Stanford University’s Cyber Policy Center
Like it or not, tech companies can’t help but make consistent decisions about geopolitics, conflict, and war. Not only do they operate close to the front lines, they sometimes mark them effectively. Amazingly, however, there is no official mechanism for sharing information about threats and attacks on corporate infrastructure between EU or NATO member governments and technology companies.
Take Russia’s ongoing war in Ukraine, for example. Not long after the invasion, Ukraine’s digital transformation minister, Mykhailo Fedorov, reached out directly to Elon Musk on Twitter, requesting support from Starlink to replace the destroyed internet infrastructure. Musk tweeted back the same day that the service was up and more terminals were on the way. Such exchanges between technology and government leaders are rare, especially in public. Sure, we’ve seen Microsoft share threat assessments and cyberattack reports. And Facebook and Twitter have taken action to thwart disinformation campaigns ranging from wiping out news outlet impersonators to identifying botnets.
But how interested are these companies in sharing less favorable information about how their products are being used for geopolitical purposes? What attacks could they not repel? When did they ask for government help to avert a disaster?
In recent times, there has been little policy effort to ensure that companies running critical infrastructure communicate the full picture to the relevant authorities. Still, there are likely many tech companies that hide or don’t report information about attempted hacking or misinformation operations. Some companies have close ties to intelligence and law enforcement agencies, while others only share information upon direct request or where there is a risk of sanctions for non-compliance. There is no level playing field.
Restricting the release of critical information can be legitimate, but EU countries and NATO members should demand dialogue. It is high time we had a mechanism for sharing information with technology companies whose products and services sit at critical nodes in an ecosystem that could prove crucial to the outcome of conflicts. Organizing this through existing groups like the EU or NATO would be a good starting point.
A dialogue about conflict technology would help to share important information about risks, threats and attacks. It would benefit both sides by helping governments stay abreast of evolving hybrid conflicts and giving companies access to greater government support in crisis situations such as conflict, war or cyberattacks. Shared information should be kept confidential, so companies don’t have to worry about the information they share being leaked to regulators. Such a dialogue would ensure that all companies are brought together to share important insights. This does not have to be a group exercise, and sessions can be requested by a technology company or government.
If a software company sees increasing attempts to hack civilian infrastructure, they should report it. Likewise, if social media platforms have critical insights into coordinated information manipulation attempts by state actors, they should make it known. The participation of companies would be mandatory.
Both formal and informal dialogues with technology companies have been initiated by legislators over the past decade. For example, the EU has relied on the codes of conduct that the European Commission has agreed with technology platforms to address disinformation, hate speech and terrorist content.
In the UK, the Online Safety Act has given the Communications Regulator greater powers to deal with child sexual abuse material. However, there are no comparable agreements between democratic governments and technology companies around war and conflict.
Governments should be able to defend their sovereignty and act in accordance with the UN Charter. The reality is they are now relying on technology companies to make this happen. Subversion, manipulation, and disruption by state hackers or state-sponsored groups below the formal threshold of conflict all involve relatively new technologies.
If you ask yourself the question, “When did Russia’s war of aggression against Ukraine begin?” it is tech companies, rather than governments, that increasingly have the insight to provide the answers. They need to start sharing their knowledge.