In the physical world, governments are responsible for keeping citizens and corporations safe from enemies. But when it comes to cybersecurity and cyber attacks, most governments have spent much more time increasing their offensive capabilities than protecting companies and individuals. That’s why, over the last few years, tech-focused companies have begun entering into cybersecurity alliances and pacts with one another. Hundreds of companies — some of them among the largest in the world — have formed groups around goals related to the future of the internet and digital networks. There is evidence that these efforts have indeed begun to advance the global conversation about cybersecurity, which is welcome news. Unless cooperation, between companies as well as between companies and countries, becomes the norm, global cybersecurity is unlikely to improve.
In the physical world, governments are responsible for keeping citizens and corporations safe from enemies. The digital world, so far, has been a little different. When it comes to cybersecurity and cyber attacks, most governments have spent much more time increasing their offensive capabilities than protecting companies and individuals.
The reason for this is, until recently, national security officials viewed digital networks as fairly benign and cyber attackers as unlikely threats to safety — or to a country’s sovereignty. However, the advent of cyber-physical systems and the internet of things, along with the increasing sophistication of bad actors, has made cyber attacks issues of human safety. But companies have largely been left to fend for themselves.
That’s why, over the last few years, tech-focused companies have begun entering into cybersecurity alliances and pacts with one another. These alliances are a symptom of the breakdown of trust between policy makers and those they’re making polices for. Hundreds of companies — some of them, such as Airbus, Cisco, HP, Microsoft, Siemens, and Telefonica, among the largest in the world — have tried to step into this trust gap by forming groups around goals related to the future of the internet and digital networks. Some of these groups (those I call the operational alliances) are mainly practical, sharing intelligence or technical data. Others (the normative alliances) are explicitly aimed at changing the ways companies deal with cybersecurity vulnerabilities and renegotiating the social contract between states and their citizens.
The operational alliances are built around small groups of companies. Their exchanges of information about cyber attacks and threats try to raise the collective level of cybersecurity, shape overall security practices, and speed the adoption of security technologies. Groups such as the Cyber Threat Alliance, the Global Cyber Alliance, and the Trusted Computing Group (to name a few) represent the range of such alliances.
For companies with IT or security departments capable of sorting through and acting on cybersecurity data, it often makes sense to become part of a network that can keep a CISO or IT team apprised of looming threats and best practices for mitigating them. The nature of digital networks is that everyone has to share the risks; these alliances help leaders to share solutions, too.
The normative alliances, on the other hand, make explicit calls for digital peace, government support for companies under attack, and cooperation to limit the use of private systems and networks against citizens (especially by a nation-state). They try to uphold values like trust and accountability in cybersecurity and to spur collective action in favor of peace and nonaggression — much as agreements between countries do.
Even so, these alliances vary in how much they presume to dictate corporate or even state behavior. The Charter of Trust, initiated by Siemens in 2018, favors self-regulation on the part of its corporate signatories that, over time, would establish expectations and norms that might apply to nations as well. The Cybersecurity Tech Accord, pioneered by Microsoft and other leading technology companies, aims to build “a safer online world by fostering collaboration among global technology companies”; its members pledge to oppose efforts by nations to attack citizens and enterprises.
These alliances are ultimately focused on the wider world, rather than on individual companies and industries. The companies involved reason that working together gives them the ability to create the kind of safe, peaceful digital environment they need to innovate and protect their customers.
Yet while virtually every company supports peace, it may not make sense for every company to join one of these alliances. The charters and accords have the potential to put their signatories at odds with at least one national government, if not more. For those companies that operate the infrastructure of the internet, this dynamic already exists. The largest platform companies (like Google, Apple, Microsoft, and Facebook) are increasingly finding themselves in conflict with one or more major powers on policy or regulatory issues and also are targets of sophisticated attacks. It is only by banding together and pushing for peace and security that they will be able to survive the seemingly lawless cyber environment. Companies that similarly will be targets of attacks (or that have customers who are) could see significant positive outcomes by joining these alliances, regardless of whether they confront their attackers.
Of course, not every company is so systemically important that it needs to take a position on the geopolitics of cybersecurity. Ultimately, it comes down to risk tolerance and capacity. It may be better for these companies to protect themselves as best they can through better cyber hygiene or by joining the operational and information-sharing alliances. These companies may prefer to sit on the sidelines for now, let other companies push the global conversation forward, and benefit from the increases in global security and trust that the alliances are starting to foster.
There is evidence that such efforts have indeed begun to move the conversation forward for companies and nations. Last November, for example, President Emmanuel Macron of France launched the “Paris Call for Trust and Security in Cyberspace,” a symbolic declaration to improve cybersecurity practices and international standards for the internet. Sixty-seven countries, including the entire EU, have joined the pledge, along with 358 companies and 139 international and civil society organizations. (The list of signatories includes the World Economic Forum, where I am employed.) At the very least, the call represents an opening for companies and governments that care about security on a global scale to cooperate with a new set of allies.
That’s not to say cooperation will be easy, or perfect, in the short term. Currently, the most powerful nations are signaling an aversion to cooperation on many fronts, not just in tech. Among the signatories to the Paris call, for example, there are three countries noticeably absent: the U.S., China, and Russia. Although the United States generally supports multistakeholder internet governance, China and Russia have opted for a more isolationist and state-controlled approach. Russia, in fact, has announced plans to develop the capacity to entirely shut itself off from the global internet, similar to the “Great Firewall” of China.
And even in spaces that are meant to foster cooperation among nations, there doesn’t seem to be any patience for it. Given the past and continued shortcomings of state-only efforts to create cyber norms, one would think the benefits of working together are obvious. Instead, there are now two competing cybersecurity norms efforts at the United Nations: a Russia-sponsored Open-Ended Working Group, which includes China and is open to all interested UN members, and a U.S.-sponsored Group of Governmental Experts, which includes the European Union, Canada, Japan, and Australia.
Isolation is bound to be self-defeating since digital technologies derive most of their value from wider connectivity. In the worst case, digital isolationism fosters the logic of an arms race, where state-directed hackers, hiding behind national firewalls, attack companies and governments seemingly with impunity. But no firewall is perfect, and such thinking will inevitably lead to conflict or a digital cold war. At the very least, isolation threatens to derail the benefits we’ve achieved through wider use of the global internet. Companies and individuals, the ones likely to bear the costs of conflict, should therefore continue to work together where they can. Cooperative efforts will keep up the pressure on governments to recognize that they are not the only actors who matter in the digital world.
Only cooperation can avoid a new age of global isolationism and digital conflict. The World Economic Forum’s Centre for Cybersecurity is working to support new global architectures for security that recognize the reality of the digital world. In this reality, nations are just as important as they’ve ever been; they continue to be the ultimate protectors of their citizens. But civil society and companies are also important as the drivers of human rights and economic prosperity. What’s needed now is cooperation on a larger scale, broader sets of allies working together to build trust and share responsibility, to protect the increasing numbers of citizens who rely on digital networks to survive and thrive.