LGBTQ+ community grapples with hidden wave of digital abuse
Read more 
Public-private collaboration in Ukraine and beyond
Voluntary, ad hoc partnerships between governments and the tech sector have worked thus far in Ukraine, but they are not a sustainable path forward
Image created with the assistance of Midjourney
In a long missive penned in response to Russia’s invasion of Ukraine, Microsoft President Brad Smith wrote: “At the outset, it’s important to note that we are a company and not a government or a country.” Several years ago, such a line might have seemed redundant. Now, the picture is rather more complex.
The technology industry has emerged as a pivotal player in geopolitics. Russia’s ongoing war in Ukraine—which just passed its two-year mark this February—has brought into sharp focus the many roles that technology companies can assume within the sphere of international politics.
In February 2023, the European Cyber Conflict Research Initiative (ECCRI) hosted a workshop that explored the cyber dimension of the Ukraine-Russia war, with support from the UK National Cyber Security Centre. The day-long discussion evolved into a full report, which laid out some of the primary trends that had developed over the course of the war.
Over a year later, we have revisited those findings. Three key takeaways have emerged. First, industry has increasing leverage to shift conflict dynamics, and increasing responsibility to act carefully. Second, wartime affects markets, complicating companies’ profitability and sustainability and making it unwise for the public sector to rely on voluntary support. Third, public-private partnerships are a necessary but thus far underused mechanism for aligning business interests with national security prerogatives.
1. Industry is in the driver’s seat but still needs directions.
In past conflicts, governments marshalled industry to its aid. Now, in cyberspace, the roles are reversed.
In Ukraine, tech companies have played prominent public roles. Microsoft has been an ardent supporter of the country from the conflict’s outset, while Amazon Web Services helped safeguard the government’s data by moving it to the cloud. Meanwhile, Elon Musk has seemed almost personally responsible for SpaceX’s wavering engagement in the country.
Industry now finds itself responsible for delivering significant impact on its own terms and on a large scale. In the tech sector, governments are in the odd position of offering or encouraging support, rather than driving it.
Major technology companies have evolved into de facto political players, not only by dedicating cybersecurity resources to conflict participants, but also through the ways they—intentionally or otherwise—shape public perceptions of the crisis. Companies are amassing political influence through their cyber intelligence capabilities. Threat intelligence reports are key public documents that can influence popular opinion and, at times, even sway government stances toward different actors.
Despite what they may say, companies are increasingly aware of their growing role influencing—and in some cases making—policy. Companies have a responsibility to use their influence prudently, without exacerbating conflict situations or contradicting core public sector objectives.
2. Private sector involvement is neither sustainable nor guaranteed.
In Ukraine, Western private companies have thus far been impressively aligned with their governments. However, this level of cooperation may not be achievable in other scenarios. Western tech companies are more closely interwoven with the Chinese economy, for example: a Chinese invasion of Taiwan might not galvanise the same levels of support from Western industry.
Many private sector actors decided early in the conflict to withdraw from the Russian market. While Western sanctions are certainly a motivating factor, a significant number of companies—including prominent cybersecurity firms—have gone far beyond what is legally required.
Some firms have faced substantial financial setbacks as a result, particularly those with prominent operations within Russian territory. Local subsidiaries have been shuttered. The rapid exodus of security providers also disrupted—and in many cases severed—significant data sources in the region, altering companies’ perspectives on the broader threat environment. These withdrawals will likely have long-term consequences for commercial threat intelligence.
Ultimately, industry operates to make a profit. The public sector cannot count on companies to align their business operations with national security objectives without providing adequate support. Conflicts can—cynically—be good for business, offering a very clear demonstration of a firm’s use case. The Ukraine conflict, for example, has been a boon for cloud services providers as they have been able to showcase the benefits of their business model. Yet companies also face serious choices about where and how to do business, and engaging with one side of a conflict may have severe market repercussions for business in other contexts.
Industry functions under a distinct set of incentives, driven by shareholders and market forces that diverge from the motivations of governments. Companies are also limited in the ways they can act; unlike governments, they cannot generate currency or impose taxes. Even a market giant like Amazon or Google faces capacity constraints and will need to act to preserve long-term sustainability.
Governments need to be prepared to compensate corporations for their services during times of crisis. National governments define the responsibilities and expectations of the private sector during times of war. They can facilitate industry’s involvement, but it remains essential to distinguish between peacetime and conflict scenarios. This differentiation builds trust and establishes long-term predictability and strategic stability.
3. Public-private partnerships (PPPs) are fragile but necessary.
Thus far, successful joint efforts between public and private sectors in Ukraine have been ad hoc and varied. Many have been led by individual companies or small clusters across the tech ecosystem, rather than through concerted and organised efforts.
Experts continue to question how best to structure and advance PPPs. Improvisation is often most effective in the short term, and Ukraine is certainly a case study for the efficacy of smaller, private sector-driven efforts. Larger networks need management structures and other infrastructure, leading to inefficiencies. Government-led efforts can suffer from incentive mismatches, particularly in the field of cyber threat intelligence. Companies want reciprocal information sharing, while public institutions often expect intelligence to flow one-way. (The US government is notoriously bad at sharing actionable information, even within its own borders). Trust is also very hard to scale, making questions of expansion always a balancing act.
However, governments and multilateral institutions have important levers at their disposal that they can use to facilitate and bolster PPPs. Both public and private sector entities need to establish clear expectations of the extent of their ongoing involvement, whether that be through formal contracting or voluntary collaboration.
Governments can also play an important role in incentivising collaboration. Such mechanisms have begun to emerge in recent months: the Ukrainian government launched the Brave1 programme in April 2023 to facilitate cooperation, while the US State Department has made a concerted effort to work more closely with private sector actors in the country. Researchers and the broader public should continue to champion these efforts.
Lessons for the future?
Although Ukraine has benefited from the best efforts of many different actors, this conflict may not provide a clear map for the road ahead.
Private sector support has unfolded in Ukraine largely through ad hoc mechanisms. In future situations, stakeholders will need to approach such engagements with greater care and a more strategic perspective from the outset.
In some cases, Western governments may need to develop a coordinator or central mechanism to facilitate connection points. NATO has gestured toward developing a virtual capability specific to cyber crises. Perhaps a virtual rapid response programme could be established, leveraging national and private capabilities as part of a broader collective endeavour.
The excitement about private sector participation also needs to be tempered with careful evaluation of its real impact. Actions that offer substantial benefits must be distinguished from symbolic gestures. By establishing this distinction, we can enhance the effectiveness of public-private sector collaboration in addressing complex geopolitical challenges and yielding tangible results.
