Cyber and Corporate Responsibility

By Peter O’Brien

Senior Fellow, London Center for Policy Research

Published May 23, 2018

The US is only now waking to the threat posed by those who’d use the cyber world to not only steal information (and money), but corrupt data, undermine our politics, and even cripple key industries and infrastructure. Developing cyber capabilities to defend against those nations, groups and individuals who would attack us is essential.
Equally essential, if we are to deter future attacks, are offensive cyber capabilities, the ability to reach out in the cyber world and ensure that those who would attack us would receive far worse than any benefit they gain. Such a capability is the essence of any viable deterrence.
Yet, the very companies that would help provide such capabilities, both to the US and our allies, have said they want out of the game.
In April, 34 major “high tech” companies signed an agreement to work together to prevent their (or their customers’) data from being tampered with, while defending each other from cyber attacks.
They also pledged they wouldn’t aid any state in “offensive” cyber attacks.
One writer noted we should applaud their efforts to protect their clients’ data. I suppose… If you think it’s applause-worthy that a company obeys the law and protects information clients entrusted to it. I suppose in this day of everyone getting a trophy it’s appropriate to applaud when someone does the minimum expected.
As for the idea these 34 companies wouldn’t support any state’s offensive cyber… There seems to be some sort of strained thinking going on here.
First is an issue of moral equivalency. A request from the US (whether the Intelligence Community or DOD) asking for support when conducting offensive cyber operations would be denied, just as it would be if the request were made by anyone else, say Iran, North Korea, or perhaps the Taliban…
Perhaps this is just commercial-grade cynicism; publicly announce that “we won’t help develop offensive tools,” but if the DOD or Intelligence Community were to request some sort of cyber tools – both offensive and defensive, offering perhaps several billion dollars per year for 5 years, and offering the contractor access to the latest technology from DARPA and other US government contracts, then maybe they’ll make an exception?
If you recall, following the San Bernardino shooting (December 2015), Apple (not a signatory to this particular agreement) refused to assist the FBI in breaking the encryption on the shooter’s phone. But in 2017 Apple agreed to, in effect, provide the Chinese government access to its encryption in order to continue doing business in China.
I wonder what the signatories are willing to do to sell in China?
And there’s the issue of responsible citizenship. The companies signing this accord appear to think they can avoid the legal fact of their country of residence. Companies have countries of residence, they are for legal purposes “citizens,” and enjoy many of the same rights that human citizens have. (In 1886, for example, the Supreme Court ruled that corporations have the benefit of the Equal Protection clause of the 14th amendment, just as human beings have.)
But, with rights come responsibilities. Corporations must pay taxes and obey the law. They benefit from the protection the nation provides; shouldn’t they also be prepared to assist in the nation’s defense? And a proper defense includes providing for adequate deterrence.
The US government doesn’t have the authority to order a company to work for it. But the cyber world lacks clear boundaries, and the line between offense and defense is very fuzzy at best – a fact known only too well by the signatories. Taking money for “defense” but eschewing “offensive” cyber begins to look deliberately obscure.
Might corporate directors claim their corporations are “conscientious objectors?” Can a corporation have moral and ethical values different from the owners? That seems to be a reach. And if they were to make such a claim, that would seem to require the approval of the ownership. Did the stockholders hold a referendum?
Or is this a dodge, a legal head-fake to have things their way, an effort to paint themselves as not accountable or responsible if the US and her allies were to find themselves in a cyber-war, trying to protect their own holdings by claiming some sort of neutrality?
But, if they’re neutrals, then there’s no US government responsibility to defend them from either physical or cyber attack.
Can’t have it both ways.