Submit your essay to the AI-Cybersecurity Essay Prize Competition by January 2, 2025.
The AI-Cybersecurity Essay Prize Competition
Read more
Main Logo Expert commentary on tech and security

Public-private collaboration in Ukraine and beyond

Taylor Grossman / Monica Kello / James Shires / Max Smeets 4 April 2024
Share On:
Voluntary, ad hoc partnerships between governments and the tech sector have worked thus far in Ukraine, but they are not a sustainable path forward
Main Top Image
Image created with the assistance of Midjourney

In a long missive penned in response to Russia’s invasion of Ukraine, Microsoft President Brad Smith wrote: “At the outset, it’s important to note that we are a company and not a government or a country.” Several years ago, such a line might have seemed redundant. Now, the picture is rather more complex.

The technology industry has emerged as a pivotal player in geopolitics. Russia’s ongoing war in Ukraine—which just passed its two-year mark this February—has brought into sharp focus the many roles that technology companies can assume within the sphere of international politics.

In February 2023, the European Cyber Conflict Research Initiative (ECCRI) hosted a workshop that explored the cyber dimension of the Ukraine-Russia war, with support from the UK National Cyber Security Centre. The day-long discussion evolved into a full report, which laid out some of the primary trends that had developed over the course of the war.

Over a year later, we have revisited those findings. Three key takeaways have emerged. First, industry has increasing leverage to shift conflict dynamics, and increasing responsibility to act carefully. Second, wartime affects markets, complicating companies’ profitability and sustainability and making it unwise for the public sector to rely on voluntary support. Third, public-private partnerships are a necessary but thus far underused mechanism for aligning business interests with national security prerogatives.

1. Industry is in the driver’s seat but still needs directions.

In past conflicts, governments marshalled industry to its aid. Now, in cyberspace, the roles are reversed.

In Ukraine, tech companies have played prominent public roles. Microsoft has been an ardent supporter of the country from the conflict’s outset, while Amazon Web Services helped safeguard the government’s data by moving it to the cloud. Meanwhile, Elon Musk has seemed almost personally responsible for SpaceX’s wavering engagement in the country.

Industry now finds itself responsible for delivering significant impact on its own terms and on a large scale. In the tech sector, governments are in the odd position of offering or encouraging support, rather than driving it. 

Major technology companies have evolved into de facto political players, not only by dedicating cybersecurity resources to conflict participants, but also through the ways they—intentionally or otherwise—shape public perceptions of the crisis. Companies are amassing political influence through their cyber intelligence capabilities. Threat intelligence reports are key public documents that can influence popular opinion and, at times, even sway government stances toward different actors.

Despite what they may say, companies are increasingly aware of their growing role influencing—and in some cases making—policy. Companies have a responsibility to use their influence prudently, without exacerbating conflict situations or contradicting core public sector objectives.

2. Private sector involvement is neither sustainable nor guaranteed.

In Ukraine, Western private companies have thus far been impressively aligned with their governments. However, this level of cooperation may not be achievable in other scenarios. Western tech companies are more closely interwoven with the Chinese economy, for example: a Chinese invasion of Taiwan might not galvanise the same levels of support from Western industry.

Many private sector actors decided early in the conflict to withdraw from the Russian market. While Western sanctions are certainly a motivating factor, a significant number of companies—including prominent cybersecurity firms—have gone far beyond what is legally required.

Some firms have faced substantial financial setbacks as a result, particularly those with prominent operations within Russian territory. Local subsidiaries have been shuttered. The rapid exodus of security providers also disrupted—and in many cases severed—significant data sources in the region, altering companies’ perspectives on the broader threat environment. These withdrawals will likely have long-term consequences for commercial threat intelligence.

Ultimately, industry operates to make a profit. The public sector cannot count on companies to align their business operations with national security objectives without providing adequate support. Conflicts can—cynically—be good for business, offering a very clear demonstration of a firm’s use case. The Ukraine conflict, for example, has been a boon for cloud services providers as they have been able to showcase the benefits of their business model. Yet companies also face serious choices about where and how to do business, and engaging with one side of a conflict may have severe market repercussions for business in other contexts.

Industry functions under a distinct set of incentives, driven by shareholders and market forces that diverge from the motivations of governments. Companies are also limited in the ways they can act; unlike governments, they cannot generate currency or impose taxes. Even a market giant like Amazon or Google faces capacity constraints and will need to act to preserve long-term sustainability.

Governments need to be prepared to compensate corporations for their services during times of crisis. National governments define the responsibilities and expectations of the private sector during times of war. They can facilitate industry’s involvement, but it remains essential to distinguish between peacetime and conflict scenarios. This differentiation builds trust and establishes long-term predictability and strategic stability.

3. Public-private partnerships (PPPs) are fragile but necessary.

Thus far, successful joint efforts between public and private sectors in Ukraine have been ad hoc and varied. Many have been led by individual companies or small clusters across the tech ecosystem, rather than through concerted and organised efforts.

Experts continue to question how best to structure and advance PPPs. Improvisation is often most effective in the short term, and Ukraine is certainly a case study for the efficacy of smaller, private sector-driven efforts. Larger networks need management structures and other infrastructure, leading to inefficiencies. Government-led efforts can suffer from incentive mismatches, particularly in the field of cyber threat intelligence. Companies want reciprocal information sharing, while public institutions often expect intelligence to flow one-way. (The US government is notoriously bad at sharing actionable information, even within its own borders). Trust is also very hard to scale, making questions of expansion always a balancing act.

However, governments and multilateral institutions have important levers at their disposal that they can use to facilitate and bolster PPPs. Both public and private sector entities need to establish clear expectations of the extent of their ongoing involvement, whether that be through formal contracting or voluntary collaboration.

Governments can also play an important role in incentivising collaboration. Such mechanisms have begun to emerge in recent months: the Ukrainian government launched the Brave1 programme in April 2023 to facilitate cooperation, while the US State Department has made a concerted effort to work more closely with private sector actors in the country. Researchers and the broader public should continue to champion these efforts.

Lessons for the future?

Although Ukraine has benefited from the best efforts of many different actors, this conflict may not provide a clear map for the road ahead.

Private sector support has unfolded in Ukraine largely through ad hoc mechanisms. In future situations, stakeholders will need to approach such engagements with greater care and a more strategic perspective from the outset.

In some cases, Western governments may need to develop a coordinator or central mechanism to facilitate connection points. NATO has gestured toward developing a virtual capability specific to cyber crises. Perhaps a virtual rapid response programme could be established, leveraging national and private capabilities as part of a broader collective endeavour.

The excitement about private sector participation also needs to be tempered with careful evaluation of its real impact. Actions that offer substantial benefits must be distinguished from symbolic gestures. By establishing this distinction, we can enhance the effectiveness of public-private sector collaboration in addressing complex geopolitical challenges and yielding tangible results.

avatar
Taylor Grossman
avatar
Monica Kello
avatar
James Shires
avatar
Max Smeets

Related

Featured image
Binding Edge
Pell Mell or Pas Mal? Governing commercial cyber intrusion capabilities
James Shires 11 November 2024
Read more arrow
Featured image
Binding Edge
Responsible AI principles in an ‘apolitical’ industry
Cat Easdon 29 October 2024
Read more arrow
Featured image
Binding Edge
The Uncertainty Maschine
Gavin Wilde 8 February 2024
Read more arrow

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by the European Cyber Conflict Research Incubator (“ECCRI CIC”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by ECCRI CIC.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants ECCRI CIC exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

ECCRI CIC, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify ECCRI CIC, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

ECCRI CIC reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond ECCRI CIC’s reasonable control impairs the integrity or proper functioning of the Competition, as determined by ECCRI CIC in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, ECCRI CIC reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.