The writer is international policy director at Stanford University’s Cyber Policy Center
Whether they like it or not, technology companies can’t avoid making consequential decisions about geopolitics, conflict and war. Not only do they operate close to the frontline — at times they effectively mark it. Yet, astonishingly, there is no official mechanism for sharing information on threats and attacks involving corporate infrastructure between the governments of EU members or Nato countries and technology companies.
Take, for example, Russia’s ongoing war in Ukraine. Not long after the invasion, Ukraine’s minister of digital transformation, Mykhailo Fedorov, reached out directly to Elon Musk on Twitter, requesting support from Starlink to replace destroyed internet infrastructure. On the same day, Musk tweeted back that the service was active, and more terminals were on the way. Such exchanges between tech and government leaders are rare, especially in public. Sure, we have seen Microsoft share threat assessments and reports of cyber attacks. And Facebook and Twitter have taken action to thwart disinformation campaigns ranging from taking down news outlet impersonators to the identification of botnets.
But how keen are these companies to share information less favourable to them about how their products are being used for geopolitical gain? Which attacks have they failed to mitigate? When did they request government help to avert disaster?
There are few recent policy efforts to ensure companies operating critical infrastructure are sharing the complete picture with the proper authorities. Yet there are likely plenty of tech companies that conceal or fail to report information about attempted hacking or misinformation operations. Some companies have close ties to intelligence services and law enforcement, while others will only share information when asked directly, or when sanctions are looming in case of non-compliance. There is no level playing field.
Restricting the publishing of critical information can be legitimate, but EU countries and Nato members should demand a dialogue. It is high time we had a mechanism for exchanging information with technology companies, whose products and services sit at vital nodes of an ecosystem that could prove decisive in conflict outcomes. Organising this via existing groupings such as the EU or Nato would be a good starting point.
A conflict technology dialogue would help share critical information about risks, threats and attacks. It would benefit both sides, by helping governments keep up to date with how hybrid conflict is evolving and allowing companies to access greater state support during crises such as conflict, war, or cyber attacks. Shared information should be considered confidential, so that companies need not fear that the information they share will be passed on to regulators. Such a dialogue would ensure all companies are brought around the table to share critical insights. This does not have to be a group exercise, and sessions might be requested by a tech company or by a government.
If a software company were to see an increase in attempts to hack civilian infrastructure, it should come forward. Similarly, when social media platforms have crucial insights into co-ordinated information manipulation attempts by state actors, they should make it known. Participation by companies would be mandatory.
Over the past decade, both formal and informal dialogues with technology companies have been initiated by lawmakers. The EU, for example, has leaned on the codes of conduct the European Commission agreed with technology platforms to engage on the topics of disinformation, hate speech and terrorist content.
In the UK, the communications regulator has been given greater authority under the Online Safety Bill to deal with child sexual abuse material. However, no comparable agreements exist between democratic governments and technology companies around war and conflict.
Governments should be able to defend their sovereignty, and act in line with the UN Charter. The reality is that for that to succeed, they now rely on technology companies. Subversion, manipulation and disruption by state hackers or government-backed groups beneath the formal threshold of conflict all involve relatively new technologies.
When you consider the question: “when did the Russian war of aggression against Ukraine start?”, it is technology companies, rather than governments, who increasingly have the necessary insights to answer. They need to start sharing what they know.