Writing during the tumultuous years of the English Civil War, Thomas Hobbes sought to identify the means through which humanity proceeds through an anarchical, violent natural state (the “nasty, brutish, and short” state of Man) to attain ordered, governed society. In formulating an idea of how such a society (or in Hobbes’ terms, a “commonwealth”) emerges, he emphasizes two primary means of development: commonwealth by institution, where individuals contract to the sovereign maximal authority for ordering affairs; and commonwealth by acquisition, where subdued individuals grant the conquering sovereign maximal authority in exchange for their lives. Hobbes’ writings stand as one of the first (and still among the most influential) writings concerning a social contract, and formulate a conception of sovereign authority (especially with respect to the maintenance of public order and exercise of violence) that has in turn at least influenced more modern thinkers from Max Weber to Michel Foucault to Carl Schmitt.

This Hobbesian conception of state power – reflected perhaps most succinctly in Weber’s idea of a state being that entity possessing a “monopoly on the legitimate use of violence within a given territory” – underpinned much expansion of the modern state (as born in early modern Europe) from legal codes to replacing mercenary armies with standing militaries. Thus we are left with a tacit acceptance of a Hobbesian covenant at least in terms of recognizing that legal, legitimate exercise of force or compulsion rests within the powers of sovereign states, from criminal justice through warfare.

Yet while the “modern period” featured a domination of martial, commercial, and related spaces by sovereign-directed or -controlled efforts, the late 20th century saw the emergence of a new, murky, and (somewhat) transnational medium: the Internet. The explosion of networked computer technology, resources, and communication created a space that not only broke free of sovereign control in areas of norms and tastes (from the Internet’s use for organizing fringe or terrorists elements directly opposed to sovereign authority to widespread use of networks for activity looked down upon in “normal” society, such as pornography), but increasing removed itself from the conception of control over force as well.

Essentially, “cyber” became a truly odd realm where private entities – from high value individuals through private enterprises – were expected (if not implicitly forced) to shoulder the burden of self-defense from other state and non-state actors desiring to either steal from or disrupt them. By the dawn of the new millennium, the “default” for nearly all organizations across the “developed” world was that The State was responsible for and would take action on physical security from threats ranging from criminals and terrorists to opposing states – while “cyber” threats represented an uncertain, ungoverned space absent (meaningful) state participation except in (often hollow) legal sanction and concerning focus on offensive activity. Aside from the rare criminal case brought up under either outdated or poorly-devised laws, “cyber violence” manifested as a largely ungoverned space.

Thus, something that would be unthinkable in the “physical” security space apart from, say, oil exploration companies contracting South African mercenaries to protect well sites in uncertain places (at least since the 15th century), started to occur in the cyber realm: the private sector started to take care of itself. While much initial cyber activity focused on government and government-linked academic networks (as we all know for having read Cliff Stoll’s wonderful The Cuckoo’s Egg), activity rapidly branched out in the ‘90s through ‘00s so that an entire ecosystem of private security company emerged: the antivirus industry. 

The rise of AV is interesting on several levels. For one, on a pure product level, the very existence of AV is interesting as it indicated a fundamental flaw in the very nature of the operating systems powering the modern, networked world – a flaw which is increasingly being addressed by native Microsoft efforts to secure its Windows ecosystem (and which Apple will probably get to… eventually). Essentially, the OS was an incomplete good absent buying a third-party security product to pair it with – something consumers and users would find unconscionable in most products yet resigned themselves to in computers for over two decades.

But from a private sector organizational perspective, the rise of AV is more interesting still. While we recognize the need for businesses and individuals to have locks on doors and similar basic physical security measures, modern societies do not even pretend that private entities are responsible for tracking, identifying, mitigating, and then prosecuting criminal or state-nexus violence in the physical realm. Private organizations may be expected to assist or cooperate with legal authorities, but justice (especially of the retributive type) would be meted out by state authorities. Yet for over 20 years, a chaotic state of nature existed in cyber: individuals and corporations were expected (out of their own self-interest usually, via regulation occasionally) to purchase, provision, and maintain cyber defense mechanisms at their own cost to prevent or respond to cyber-nexus incidents – including those instigated by state-nexus actors in support of state-derived interests.

Based on this cyber “state of nature”, an entire ecosystem of defense and security developed within the private space: from the legacy AV shops through the first incident response contractors to managed security service providers. Essentially, private (defensive) “armies” grew up and proliferated in the cyber security space over the course of many years, reacting to clear market needs – and continued governmental inability or indifference.

But then, more recently, this state of (cyber) nature began to change. Essentially, governments (the US government especially) began to identify the continued risk and threat posed by persistent penetration of non-government networks. While, to go back to Hobbesian terminology, the private sector had forged a “commonwealth of institution” where different organizations held varying levels of expertise and responsibility (from vendors to information sharing groups to insurance) within the cyber realm, beginning in the 2010s government began to reassert itself forcefully into the conversation – bringing in at least an expectation of “commonwealth by acquisition” based on existing norms and standards applying to the physical realm.

While government dominance of the information security space has probably been the norm in authoritarian or “unfree” societies since the birth of cyber, the West developed a commercially-minded, self-sustaining (if not always effective) ecosystem of players to deal with information security problems. Some governments (notably in Western Europe) sought a collaborative approach with private industry, looking to shape, guide, or coordinate existing resources and efforts – one example being the UK’s NCSC. In other areas – most significantly the United States – a different, more forceful approach was adopted. Rather than act as intermediaries in an existing ecosystem of private sector interests and capabilities, US authorities began to assert themselves with greater emphasis and force as having responsibility for not just government networks, but “important” areas of private industry as well.

Some of this activity may be an artifact of peculiar institutional arrangements. Following the September 11 2001 attacks, the US government created a new overarching entity for domestic security purposes: the Department of Homeland Security (DHS). From its inception, DHS inherited significant (notional) responsibility for domestic security concerns (including cyber) with either little capacity to support or sporadic (at best) cooperation from long-standing government entities. One may even consider the organization as developing an inferiority complex relative to both other public bodies and the private sector entities performing its (assumed) mission of domestic defense.

Irrespective of underlying organizational psychology, the US government increasingly pushed for state involvement in operations that were previously the near-exclusive environment for private security companies: incident response, traffic monitoring and threat detection, and threat intelligence. As such, the field of cyber defense stands out as an incredible anomaly in US government activity: since the emergence of the de-regulation era under Nixon (accelerating beyond the point of return under Reagan), private sector security is one of the only fields where the US government has worked to displace the private sector in existing commercial ventures. While the US (and similar) governments moved to extract state control from multiple fields – including the very critical infrastructure sectors (such as electric utilities) now the subject of external attack – the same decentralizing authorities sought to re-enter the domestic cyber security market.

In many respects, such an effort is not only understandable, but long overdue. The expectation that private organizations are responsible for defending against hostile state-directed cyber intrusions clearly represents an anomaly compared to any other field. Applying a “market failure correction” approach, where public entities work to correct for or mitigate against market failures that produce socially undesirable outcomes, would be reasonable. In such a role, government would be a defender of last resort or final adjudication, working to coordinate or help prioritize existing resources to best cover entities, and stepping in directly only in those situations where the “market” cannot produce necessary action on its own.

While some efforts reflect this more nuanced and arguably most relevant view given the development of the cyber security industry, others do not. Particularly, there exists a rising trend within government circles that either expects or is willing to force (via legal sanction) cooperation and sharing of information. A very brief conception of this argument is that private security companies (especially US-based entities protecting US-based interests or organizations) should at minimum freely provide the fruit of their labor out of a sense of duty or patriotism – and if such voluntary sharing is not forthcoming, to expect such cooperation to be compelled by the state. The argument drips with irony, given that so much of the private security space has been built off of individuals leaving government service – sometimes for a larger pay package, other times for less structured environments, but in many instances because of a very profound feeling of only being able to actually solve security problems outside of government. Further humor can be found in the fact that the very existence of an increasingly capable, increasingly effective private security market is due to Leviathan’s neglect or ineffectiveness in the first place. Essentially, while Leviathan has in many cases withered or drawn back from many aspects of life, ceding control or governance to commercial entities, in the US (and some other areas) Leviathan has decided to aggressively reclaim territory abandoned decades previously.

In addition to this question of Leviathan’s relevance and attempts to reassert control within this space, another problem calls into question the very ability for Leviathan to do so – or the desirability of private cyber security companies to cooperate with it. A near-simultaneous development of social contract conceptions of government was the development of the Westphalian model of sovereignty – where states become sole arbiters of actions within their borders, including the monopoly on violence previously mentioned. While cracks in this model have appeared regularly over time through the development of alternative, non-state centers of power (from large corporations to the United Nations), the combination of growing economic liberalization and internationalization with the rise of the Internet made for an especially strange space with respect to traditional government control. Basically, an entire ecosystem developed of supra-national entities leveraging privately-controlled media for coordination and communication where the bounds of state power become murky and at times overlapping. In addition to manifesting itself in such areas as corporate tax policy and business regulations, this also appears in the realm of security – where the interests of private entities spanning multiple states will not always (or even frequently) align with the interests of some of the states in which they operate.

Essentially, Leviathan (and especially the US government) acts in such a manner that fails to even acknowledge that the private security space it enabled in the first place through inaction now responds to different masters and responsibilities. The goals of a domestic utility may align typically with the state in which it is based, but the international shipping company or software company that does business around the globe may not always do so. The very expectation of cooperation or compulsion flies in the face of the values created through the organic commonwealth by institution that the private sector constructed for itself. Government efforts to move into the information and security space that is already thoroughly colonized by private entities mean attempting to reimpose a model of control and authority (the Westphalian conception) that has been irrelevant to and unsuited for that space for decades.

Ultimately, those of us within industry are finding ourselves at a crossroads. While many of us are happy to coordinate with state authorities when appropriate and where vital to ensuring the overall security of the ecosystems in which we operate, we also know that such cooperation has limits as the interests of private security and government authority do not always align. In addition to covetting the information, expertise, and access private companies have built within the relatively new and significant warfare realm of “cyber”, Leviathan also finds itself confused and dismayed that its standard conceptions of authority are either inappropriate or irrelevant to social and economic realities. As governments increasingly recognize this gap and rail against this disconnect, the near future of operations in this space seem both exciting (from an academic observational perspective) and extremely concerning (from a security industry standpoint). How Leviathan responds to realities will be interesting to watch and potentially calamitous for the overall security ecosystem. In attempting to reassert control over a domain that may have never belonged to it to begin with, Leviathan may end up fostering a less free, more constrained information landscape while potentially destroying the private security market through forcing private entities to “choose sides” based on Leviathan’s interests.


1 Comment

christopherKrug · 10/10/2019 at 00:13

Thanks for sharing

Comments are closed.