The rise of companies in the cyber era and the pursuant shift in national security

ABSTRACT

As the cyber era ushers in a new reality nationally and internationally, national security is transformed aswell. We aim to theorise the several levels at which that changes unfolds. First, we explain how the unique features and characteristics of the cyber domain are different from how national security had been traditionally conceptualised. Second, we delve into how the very nature of national security changed. Third, we investigate a critical difference: the key role of companies in the cyber domain, a role that is unprecedented quantitatively or qualitatively in the physical domains. In the cyber realm, states use private companies and organisations to build the edifice of national defence. Governments use companies for a large portion of their cyberoperations and digitally-based services. With such concentration ofinformation in their hands companies serve many of the function straditionally handled by governments, even in national security, which is normally considered a public good. The case of Meta in the 2022 War in Ukraine provides a plethora of empirical evidence in addition to evidence from WannaCry, Stuxnet and SingHealth. Finally, we discuss possible future trajectories for national security as the digital domain further pervades all aspects of life, politics and international relations.

KEYWORDS:

• National security
• cyber era
• cyberspace
• cyber domain
• 2022 war in Ukraine
• wannaCry
• Stuxnet
• SingHealth
• Meta
• Facebook
• cyber security
• democracy
• freedom of speech

Introduction

National security is a key element in the modern state and in international order, and its standard conceptualisations stress the ability of the state to protect its infrastructure, core values and way of life (Powell 2003; Mintz and DeRouen 2010; Mintz, Mishal, and Morag 2005; Redd and Mintz 2013). With new dimensions and novel challenges, the cyber realm changes the very essence of national security.

In the early 2000s, the levels and volume of human activity on the Internet, mainly for commercial and general purposes, started to exponentially increase. By the end of that decade, the horizontal spread of networks of communications reached a third of the world’s population. This spread created not just a new way of communication between people but a new domain of human activity with a new form of human culture. The creation of cyberspace likely marked the beginning of a new era (Halabi, Halabi, and McPherson 2000; ITU 2022, 21). We refer to this new era as the cyber era, in which an increasing share of human activity takes place in the cyber domain or is affected by it. We define cyberspace as ‘ … systems and services connected either directly to or indirectly to the Internet, telecommunications, and computer networks’ (ITU 2011, 5). Critical for us is the fact that with the ascent of cyber the very meaning of national security changed, alongside many of its characteristics.

State capacity to exercise control and practice sovereignty is now increasingly challenged by international and domestic aspects of state affairs in both cyberspace and the physical world (Makinda 1998). Consequently, the scope and scale of national security expands in various ways, including the need to adapt to permanent development of technology environments, the relocation of security threats, and the creation of new security areas (Dobák 2021). A novel man-made technological domain, cyberspace is first among those challenges. As President Biden noted, in the context of cyber the US ’… cannot pretend the world can simply be restored to the way it was 75, 30, or even four years ago. We cannot just return to the way things were before. In foreign policy and national security, just as in domestic policy, we have to chart a new course’. (Biden 2021).

An indication for the increasing and changing scope of national security in the cyber era would be the shifts in the portfolio of the modern national security adviser. In the era of cyber, topics that fall far beyond the limited understanding of national security as concerning territorial integrity and military capabilities, would concern the national security adviser, and as such fall within the realm of national security issues. As early as in 2010, many states, including for example the Netherlands, the UK, and the US, recognised cyber threats as inherent to their national security, and as a potentially critical threat to their interests (Cabinet office 2010; Corder 2023). The Director of National Intelligence ranked cyber threats at the top of the list of worldwide threats to the US, higher even than the proliferation of weapons of mass destruction (Coats 2018). Thus, for example, security breach in the computer network of a major financial institution would, inter alia, undermine core value of the West and would fall well within the portfolio of the modern national security adviser (Matania and Rapaport 2021), whose responsibilities cross foreign and domestic policy, as well as high-politics and low-politics (Daalder and Destler 2004). Likewise, a cyber-attack on the national health database may be a strategic threat to the nation and its leaders, if only by the fact that the leaders’ own private information may be revealed and thus jeopardise their ability to lead the nation in general and certainly through a strategic crisis. How the portfolio of the national security adviser evolved in the cyber era is but one illustration of how the very concept of national security morphed.

Concomitantly, several of the key players in this arena changed as well, with companies of various sorts playing a role qualitatively and quantitatively greater than ever in the past.

The growing activity of companies is one indication of their important role. For example, the size of the global cybersecurity market was valued at $185B in 2022 and is expected to grow by 2030 at an annual rate of 12% (Milburn 2022). The US federal spending on cyber in 2022 was $11.2B for cyber activities of the Department of Defense, and $2.5B for the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS 2022, 6–7; DoD 2022, 5).

As opposed to state agencies, major technological trans-national corporations both control much of the cyber infrastructure and possess more information about cyber-attacks and cyber-threats than most if not all nations. Microsoft and Google are good examples. Such corporations are in a position where most cyber defenders use their support as a major vehicle to mitigate cyber-attacks. In addition, expertise concerning protection against cyber threats mostly lies with the business sector. Cybersecurity companies oversee broad aspects of national security (Farwell 2012; Gasser et al. 2016). Thus, unlike traditional frameworks, broad aspects of national security in the cyber era are de facto privatised and in effect are in the hands of private companies.

Yet, the literature on the interface of cyber technology and national security in its broad sense is still limited. Most of the earlier literature has focused on the creation of cyber power, cyber and military affairs, cyberspace as a battlefield, the balance between attack and defence in cyberspace and who has the high ground (International Institute for Strategic Studies 2015; Lewis 2006; Lindsay 2013; Matania and Tel-Shir 2020, Rid, 2013; Slayton 2017). This has been extended to studying forms of behaviour to mitigate cyber threats, including user awareness of cyber threats (Kostyuk and Wayne 2021) and corresponding behaviour on the part of cyber technology’s companies (Rovner, 2017) as well as hegemony in international security on the internet (Fung and Lam, 2021; Rovner, 2017). Cyber and levels of violence of warfare were also examined as well as the publicity of non-state actors’ cyberwarfare and its effect on their legitimacy. The relations between commercial companies and the state in the context of cybersecurity have also been examined to understand state motivation to use companies for political goals and to show de-facto systems of public-private cybersecurity (Egloff 2022; Eichensehr 2016).

A later strand of literature raised the notion that cyberspace creates new kinds of national security threats aimed at eroding opponents’ capabilities. This is done through cyber operations that create new forms of conflict, largely remaining below the threshold of an armed conflict (Fischerkeller and Harknett 2017; Goldman and Warner 2021; Kello 2017, 2021). Such work shows how Western governments fail to maintain deterrence that can work and persist in the grey zones of war. The state cannot fulfill its traditional control over new technologies any longer since technology empowers new actors that can use it to subvert the international system (Kello 2021). US deterrence has failed to become a viable strategy in cyberspace and cyber operations may be executed to signal acceptable behaviour in cyberspace (Fischerkeller and Harknett 2017). Goldman and Warner (2021) contend that only an integrated government approach to charge costs from the attackers would be effective in thwarting cyber threats. As a result of those new cyber threats, a new type of strategic competition has emerged to gain power and achieve goals previously unattainable.

However, the notion that cyberspace created new national security challenges has been contested by another scholarly debate around the extent to which cyber operations are indeed revolutionary. The competing argument is that cyber operations, instead, are new and at times limited means of carrying out covert operations that had already been undertaken in the past (Maschmeyer 2021). The change brought by cyber is the type of combat that emphasises non-violent confrontation through espionage, sabotage, and subversion (Redd and Mintz 2013). It is far from clear how cyberwar enables aggressors to accomplish tasks typically associated with military violence. Thus, cyberwar may not prove as significant in world affairs (Gartzke 2013). Some argue that cyber weapons are ineffective deterrents by themselves (Lindsay 2015). Both Gartzke and Lindsay explain deception in military affairs as ‘ … more central and widespread in the Internet era simply because there are so many more opportunities to exploit user trust and design oversight’ (Gartzke and Lindsay, p.318). For Lindsay (2021), the same applies to cyber espionage, which expands the opportunities for all types of intelligence. Building on those recent debates in the scholarship on the nature of national security in the cyber era, our work adds additional dimensions to the theoretical discussions. We move the debate forward by highlighting the importance of technological developments and how they influence questions of national security. In that sense, we show that cyber has indeed been transformational to the field of national security and is, accordingly, highly significant in world affairs.

We aim to contribute to our understanding of the interface between technology and national security in its broader sense and the changes this interface has gone through. In particular, we claim that the very concept of national security is undergoing fundamental changes due to the growing role that cyberspace and cybersecurity take in national security combined with the dominance of the private sector in cyberspace, cyber technologies and cybersecurity. In the novel conceptualisation we offer, the emergence of cyberspace is the independent variable, whose effect on national security (the outcome variable) is mediated through the companies from the private sector that dominate its creation and expansion. Thus, cyberspace creates a change, mediated via companies, and resulting in shifts in national security. Recent developments in the 2022 Ukraine war are used to strengthen these claims and to indicate more profound, broader, and more convoluted implications for the pivotal role that companies fulfil in the realm of national security, and how as a result this realm is changing. A cyber-attack may undermine military capabilities. Yet, it may reach well beyond, as it could impact the nation’s national security interests, such as its financial institutions, its critical infrastructures, its media and communication institutions or its medical sector. The growth of cyber capabilities means that as a part of their national security effort, countries are engaged in types of activities that had not existed as shortly as a few years back (Fischerkeller, Goldman, and Harknett 2022; Ford and Hoskins 2022; Helberg 2022; Maschmeyer 2021). The range of this type of novel activities grows as time goes by and may include: maintaining their cyber hygiene, protecting storage and cloud computing, educating their citizenry and workforce about cyber rules, and collaborating and negotiating with companies on issues ranging from national security and prevention of terrorist networks via social media to international migration.

Our research question, thus, is in what ways has national security changed as a result of the rise of cyberspace as a new domain of human activity through the mediating role of the private sector. We first analyse the key elements of this sea change in national security, thus making important contributions to extant theoretical frameworks.

Key to our analysis of this change is our identification of companies as key players in the cyber arena due to its nature as a man-made domain created and owned mostly by companies. Those companies, thus, have influence unlike any in the past in the physical domains. Companies influence national security in more than one way, and thus, in addition to traditional players in this field, companies have become pivotal for how states maintain their national security. The various interfaces with those companies are also associated with major changes in national strategies. On various issues concerning cyberspace, nation-states have little control over the type of technological development, the rate of that development or the use of novel technologies. These are largely in the hands of private companies. The infrastructure created by private companies in terms of storage, algorithms, software, etc., is irreplaceable. This infrastructure is the platform on which an increasing share of national and international security unfold. We identify this new set of key national security players. Next, to empirically test our theoretical contributions, we delve into the case study of Meta in the 2022 war in Ukraine. Finally, we offer some insights into why companies have become so central to national security in the era of cyber.

How national security is different in the cyber era

Scholarship has examined national security extensively, yet it has to catch up with the rapid change underfoot since the beginning of the cyber era (Ford and Hoskins 2022; Heim 2009; Krebs 2015; Maschmeyer 2021). Several new types of national security vulnerabilities that did not exist before the cyber era are key to current forms of national security, which is also reflected in the novel institutions shaped to address them. In this new era, kinetic attacks are not the sole, or even the major, concern for the national security of many nations. Indeed, cyber vulnerabilities, such as the Internet of Things (IOT) systems, information and control systems of critical infrastructure and national electrical grids to name a few, become increasingly central in the national security priorities of most nations.

Various global trends are the institutional manifestation of this development. One important example is how government agencies are augmented with more robust cyber security components and units. Such is the case with the National Protection and Programs Directorate (NPPD) unit in the DHS which was founded in 2007 and in 2018 turned into a new agency – the Cybersecurity and Infrastructure Security Agency (CISA) in the DHS (CISA 2022; the US Cyber Command (USCYBERCOM) in the DoD established in 2010 (US Cyber Command n.d.), the National Cyber Security Center (CSIS) in the UK established in 2016 (Information Commissioner’s Office n.d.), or the National Cyber Directorate of Israel (INCD) from 2012 (Government Resolution 2011), as well as others Governmental agencies founded in the last decade with the goal of protecting nations from cyber threats (Matania, Yoffe, and Goldstein 2017).

Beyond the novel vulnerabilities that are introduced into the realm of national security in the cyber era and the institutions created to address them, what is considered sufficiently valuable to protect also changes. In the cyber era, the meaning of protecting the nation’s core values and its way of life includes protecting elements that had not existed, at least not in their current form, prior to the age of cyber. Yet, those new elements are part and parcel of how the democratic national fabric evolved.

Let us take free political speech as an example. A foundational element in the edifice of democracy, an increasing share of free political speech happens online. Social media platforms, that have all been created by companies based on the unique characteristics of cyberspace, thus, is a potential vulnerability to the integrity of the democratic system. One example would be the 2016 US presidential elections, when foreign powers have been shown to take advantage of free speech to intervene in the primary elections of the Democratic Party, with the goal of tilting the outcome in favour of one of the candidates. Such intervention in free and fair elections would undermine the national security of the United States. Although election intervention has been studied from a variety of perspectives (see for example Levin 2016; Rid 2020; Way and Casey 2018), cyberspace amplifies and ameliorates intervention practices through influence operations that create bigger challenges to national security (Hansen and Darren 2019). An example is the unprecedented resources that states allocate to tackle this new threat (undefined). In February 2018, Special Counsel Robert S. Mueller III indicted Russian individuals and organisations in operations aimed to interfere with the integrity of US elections. The indictment stated that the defendants posed as U.S. persons by operating social media that attracted American audience. More specifically, those social media pages ‘addressed divisive U.S. political and social issues’ (House of Representatives n.d.). Those fabricated accounts served to reach tens of millions of American voters and interfere with the political system in the United States, undermining its integrity. Using derogatory information about candidates in the 2016 presidential elections, the defendants supported the Trump campaign and worked to undermine the Clinton electoral effort. By buying false political advertisements and staging political rallies in the USA without revealing their Russian affiliation, the defendants abused free speech to communicate ‘with unwitting individuals associated with the Trump Campaign and with other political activists to seek to coordinate political activities’ (House of Representatives, n.d.). Some argue that rather than undermining the political goals of one of the political parties, the Russians' goal was to sow discord and disharmony in the United States and thereby to hurt the democracy (BBC News 2020). The Russian intervention, being the most salient case to date, is a prime example of how technology changes the landscape of national security and how protecting the core values and way of life of the nation takes on a new meaning in the era of cyber. Indeed, the very meaning of protecting the democratic way of life, including free speech, is different.

Another example of attempts to protect national security from foreign intervention by Russia is the case of Finland. This is another illustration of how the concept of national security expands to new dimensions as the core assets of the nation change. In Finland, where manipulation of content by foreign powers may undermine national security, the government has fostered an innovative program, aimed to educate the citizens, from an early age. The program teaches citizens, even as school age children, to deal with false messages, distinguish between real and fake information and more. The Finish anti-fake news initiative was launched by the Finnish government in 2014 (Mackintosh and Kiernan 2019). It was first introduced following the Russian invasion of Crimea that year. The military invasion took place side by side with an information campaign, at a magnitude far greater than ever before. Finland had long been exposed to Russian propaganda. Yet, the attack in 2014 made it clear that the range of options available in the online domain to undermine the integrity of the democratic institutions of Finland made fresh thinking and the seeking of new solutions and protections inevitable. The Finish initiative involved extensive training programs for politicians, civil servants, students and the general public. Training was meant to increase the ability to use critical thinking and to identify real facts in an online environment. Finish President, Sauli Niinisto, called on his nation, which was already ranked first in Europe on media literacy, to take responsibility stating that the ‘kindergarden teacher is the first line of defense’ for Finland in its struggle to protect its democratic institutions and values and its national security. Forging a new system of education and training, Finland aimed to protect its core democratic principles and national security in the era of cyber (Mackintosh and Kiernan 2019).

In addition to the protection of the freedom of speech online, national digital assets have become increasingly important for the state, and their protection is a matter of national security. This is true for the digital domains of key national institutions such as museums, national libraries and the like. Their digital collections and websites are by now part and parcel of how such institutions serve their goals of protecting national heritage and culture.

The same is true for the operation of the state, which sustain the core values and interests of the nation. The ability of the government to protect its websites, cloud computing and cellular applications, to name a few crucial assets, is essential for the smooth functioning of the state and its interface with citizens.

The SingHealth cyberattack illustrates the potential ramifications of cyber defence failure to national security and the weakness of government agencies to protect its digital assets. On 4 July 2018, data administrators in Singapore detected unusual activity on one of SingHealth’s IT databases. With more than two million patients, SingHealth is the largest health provider in the nation. The cyber-attack resulted in the personal details of 1.5 M SingHealth patients being accessed and copied, this included names, identification numbers, address, gender, race and date of birth.

The personal data of Singapore’s Prime Minister (PM) Lee Hsien Loong was also breached. This could seriously affect the PM’s ability to serve. Lee himself noted that his medical records were targeted specifically and persistently … perhaps they were hunting for some dark state secret, or at least something to embarrass me” (Beech 2018). PM Lee’s medical record could have been used for strategic purposes to create a scandal with immediate legal, diplomatic, and public opinion effects with destabilizing ramifications for Singapore’s national security. But even short of such a leadership and strategic crisis, the very fact that their most private information has been leaked, and in large volumes, means that citizens trust in their state was damaged, with implications for the state’s resilience in case of a strategic threat (Baum 2002; Chatagnier 2012; Shandler and Gomez 2022).

A senior counsel in the Ministry of Justice summarised in front of a committee investigating the attack how advanced, determined and disciplined the attackers were: ‘The skill and sophistication used in the SingHealth attack highlights the challenges that cyber defenders face’ (Tham 2018). Out of a population of 5.6 M, the personal information and health data of over 26% were jeopardised. In order to uphold some of the most basic national principles and protect the interests of the state – anything from filing taxes to registering to vote and to maintain the integrity of the national public health system – has become digitally-based. As such, digital integrity and cyber security are nothing short of essential for the nation and its security.

The SingHealth cyberattack illustrates the expansion of national security from the physical world into cyberspace, and the transformation from territorial integrity to data supremacy. Data becomes an infrastructure and controlling them is the main goal of states and companies alike in order to achieve objectives in both the physical world and cyberspace. As such, they create new cybersecurity and national security vulnerabilities, which turns them into key targets of hostile activity.

Finally, in the cyber era patterns of activity over time in the realm of national security are different than what we had known in the past. National security was broadly characterised by long periods of low levels of activity, interrupted by short periods of activity in high intensity during wars or military operations (Fischerkeller, Goldman, and Harknett 2022; Morabito 2021; Shifrinson 2020). Conversely, in the cyber era, patterns of activity are closer to what had been familiar from espionage and the work of intelligence agencies (Darien 2017). The ceaseless pattern of activity in such agencies is closer to the shape national security takes in the cyber era. While the likelihood of an all-out conflict is reduced, the potential is real and present, and attacks are ceaseless. Accordingly, standard levels of activity are higher, plus the likelihood of switching from one level of intensity to another and in quick succession is typical to the cyber realm and unique compared to traditional conceptualisations of national security (Fischerkeller, Goldman, and Harknett 2022; Mintz and DeRouen 2010; Mintz, Mishal, and Morag 2005; Redd and Mintz 2013).

The rise of companies in national security

The cyber era transformed national security in more than one way. One of the most important is the change in key players in this arena. Apart from states, companies increasingly feature as dominant actors in the field. The rise of companies is not precedential, as it has happened in earlier periods in history. However, its nature is distinctly different from similar cases in the past. In addition, the cyber era is characterised by a need to augment some of the established theories in international relations and the types of conflict they typically consider, with companies playing a major role (Geers 2009; Hsueh 2016; Kinne 2018; Tieku 2014).

There are cases in history, where private companies were key players in the realm of national security. While examples from farther in history such as the East India Company are relevant, most recently such a trend transpired at the end of the Cold War. In the early 1990s, several processes converged to lead to the rise in the importance of private companies in the realm of national security. A market for force emerged with the increasing role of private companies in international security contexts. As a result of profound geostrategic shifts, private companies rose in their importance in national security. Excessive supply in the market for force came in the form of excess of weapons and skilled military personnel available after the Cold War coupled with the incentives of private firms to engage in military operations (Markusen 2003). The proliferation of small conflicts placed pressure on dysfunctional states to seek additional national security support (Avant and Haufler 2012). At the same time, Western governments and intergovernmental organisations such as the United Nations, became less keen to be officially entangled in international wars and so preferred to outsource specific functions of their own military forces (Mandel 2009; Singer 2017). Finally, neoliberal reforms in the US and the UK during the Reagan and Thatcher administrations also contributed, with increased denationalisation of previously government owned and run infrastructure and services and a general trend towards privatisation, which also included the realm of national security (Krahmann 2010).

The rise of companies in the national security realm entails the production of security as a commodity (Krahmann 2010). Such security commodification as a private, rather than a public, good means that certain elements of security may not be non-excludable and non-rival. The market is more likely to provide excludable forms of security such as protection or deterrence. Conversely, prevention is more likely to be provided by the state. The changing role of private companies in national security and cybersecurity is influenced by the type of policy model adopted by the nation-state. In a national security model, the state may consider security to be a public good. Conversely, in a neoliberal market model, security may be considered by the state as a commodity. Indeed, in many cases it is the security governance via a public-private partnership that serves the governing of security in the cyber realm (Matania, Yoffe, and Mashkautsan 2016). This is distinctly different from the rise of mercenary firms in developing countries. In the latter, failed states are unable to provide security and resort to be assisted by private organisations, many of which are either illegal or only marginally legal. This is distinctly different from the rise of private companies in the West, particularly in the context of cyber security, as we elaborate below.

In the past, states created general frameworks of rules for the digital environment. Such frameworks were then implemented by private actors, as was the case with E-Commerce (Farrell 2003). Yet, the cyber arena has evolved to the point where key elements of this environment are dominated almost exclusively by corporations and companies, rather than in a hybrid fashion. With the advance of digital technologies and the increasing centrality of cyberspace in all aspects of human and political life, states are not in a position any longer to create general frameworks of rules for the digital environment. At least in some key aspects of the activity in cyberspace – cloud computing, search algorithms and social media – companies have almost complete freedom to operate as they see fit and to design cyberspace in line with their business, moral, social, economic and political visions. Yet, those seemingly business-oriented decisions by companies have major implications for the national security of almost all the countries in the West and beyond.

The few exceptions are probably China, Russia and North Korea, whose interface with companies, domestic and foreign, is fundamentally different, and therefore will remain outside the scope of the current project. Compared to Western democracies, where corporations have a greater degree of autonomy, the rules and regulations of non-Western states varies between different degrees of interventionist government models which limit corporate autonomy. For example, China’s National Intelligence Law of 2017 determines that ‘Any organization or citizen shall support, assist and cooperate with the state intelligence work…’(Article 7), and that ‘state intelligence work agencies shall use the necessary methods, means and channels to carry out intelligence work’ (Article 10). Therefore, at times, extended state sovereignty raises discrepancies with the business considerations of their companies. Another illustration concerns Jack Ma, the founder of the Alibaba Group. When Mr. Ma criticised the regulator and the banking system in China in 2021, the Chinese government launched an antitrust investigation and intervened in the business activity of companies owned by Ma. In Russia, to satisfy government security and political interests, Yandex awarded Russia’s biggest lender, the state-owned Sberbank, a golden share in 2009, allowing the bank to veto any transaction involving more than a quarter of Yandex’s stock (Gershkovich 2020).

With those exceptions in mind, it is change in the very nature of national security, rather than a geostrategic shift following a cataclysmic event in the form of the end of the Cold War, that catapulted private companies within the realm of national security to where they are today. The Stuxnet attack, in June 2010, illustrates the extent to which companies have turned into a central axis in security relations between countries, supporting a more elaborate conceptualisation of national security of the type developed within our novel theory. In the Stuxnet attack, in order to assault Iranian nuclear facilities, it was a German company, Siemens, whose supervisory control and data acquisition system was targeted (Zetter 2014b). Rather than a nation, Germany, it was one of its flagship companies that were at the heart of this key national security event. Targeting programmable logic controllers used, inter alia, for automation of Iranian nuclear centrifuges, while exploiting zero-day flaws, Stuxnet attacked Siemens’s software (Kushner 2013; Zetter 2014a). As such, an attack reputedly originating in democracies focused on a major company in another democracy. National security agencies in the USA and some of its democratic allies devised a cyber-attack on the product of a German company. Germany and the USA are democratic nations. While the primary target was a non-democracy (Iran) and the technology used sophisticated enough to influence Siemens Step7 software in Iranian facilities exclusively, the democracy-on-democracy attack here is hard to ignore. Since much of the cutting-edge cyber technology is developed in democratic nations in the West, the challenges to democratic peace theory are likely to even further mount with time, as cyber figures more prominently in how countries interact with each other and in their national security strategies. Accordingly, security considerations of various nations, which conceivably were influence by democratic peace ramifications, might be upended or at least updated in light of the rise of digital technology and the influence of cyber in the realm of national security. Such changes are increasingly related to companies.

The state-companies interface in national security

In the area of cyber, states delegate to companies more than in other aspects of national security. This is so since companies control many of the digital assets belonging to states. In addition, companies have the ability to provide better services and solutions that support their national security. Indeed, much of cyber space is controlled, developed and owned by private companies (Gu 2023). What is more, states also demand from companies more in this context than in other domains of national security. While they are largely neglected in the literature on national security, companies figure as key players in an international system infused with cybersecurity considerations. It is companies that are often the victims of cyber-attacks, and it is companies that are critical for the cyber resilience of the nation.

At the same time, division of responsibility for national security and capabilities between the state and companies changes in the cyber era (Matania, Yoffe, and Mashkautsan 2016). On the one hand, a state government still has the authority to use power – brute or soft and a monopoly over its military affairs. The state is officially in charge of national security and foreign policy. Through government policies, rules and regulations, states can also set the rules of the game in different issue areas domestically and internationally. On the other hand, big technology companies, as independent players have turned into indispensable partners for national security. Big tech companies share with governments information and their expertise in combating cyber threats and other security issues. They provide technical assistance, share data and tools to help identify threats to national security. Big technology companies invest heavily in cybersecurity measures and employ advanced technologies and teams of experts to deal with cyber threats. The safeguarding of their own platforms contributes to broad aspects of national security including hacking attempts, data breaches, and malware attacks. Furthermore, by safeguarding their own platforms, they contribute to overall national cybersecurity.

What is more, companies play a significant role in the development of advanced technologies that have national security implications. For example, they contribute to the advancement of artificial intelligence, and cloud computing, which are crucial for various national security applications, including defence, intelligence, and counterterrorism efforts. Another major role is their work with defence agencies. They provide technology solutions, hardware, and software and services for defence purposes. They contract with governments and collaborate on R&D projects related to defence systems, communications infrastructure, cybersecurity, as well as other critical assets. Not only is the state’s national security dependent on the ability and will of private companies to protect their digital systems, but in critical ways the state is developing increasing dependence on companies for its national security.

Technology companies have helped defend Ukraine’s sovereignty by leveraging their resources, capabilities, and expertise. Companies, for instance, have been responsible to counter Russian misinformation, and making life-saving information available in warzones (US Chamber of Commerce Technology Engagement Center n.d.). Twitter, an essential tool for Ukrainian outreach, launched a privacy-protected site to bypass Russia’s block, while Google and Microsoft blocked and removed Russian state media content on several channels. These measures, and others taken by companies, which we further elaborate on extensively below in particular with respect to Meta, may explain at least some of the reason why Russia has failed to substantially tilt the war in its favour through cyber means. On the cyber frontlines, Russia gained only a marginal strategic effect, to a large extent due to the assistance to the Ukrainian government from transnational companies. Let us take cloud computing as an example. Companies providing cloud services become crucially important for national security. Much of the operations of the state, including its national security institutions and apparatus as well as its public health and education systems, is immersed and integrated into cloud computing. As such, national security becomes dependent to a meaningful degree on such private companies that control and develop the cloud. An extreme case is the assistance of Microsoft to the Ukrainian government during the Russian invasion in February-March of 2022. During this emergency, Microsoft helped Ukraine migrate key data by shifting government ministries to cloud in order to back up government data. This move had geostrategic implications for how the war unfolded and for the resilience of Ukraine (Fedorov 2022). In effect, cloud services were found to be among the top factors inhibiting Russia’s cyber operations during the war, producing ‘wide-scale improvement in Ukraine’s overall cybersecurity and resilience’ (Bateman 2022, 33, 42–43).

However, such dependence on cloud computing is at this point a daily matter for almost all nations worldwide. Yet, in most countries, there is no designated regulatory agency that is in charge of this area. No specific government office or agency are responsible for cloud computing. Accordingly, the regulatory frameworks for cloud computing companies are left wanting. Even in countries where cloud computing is regulated to some degree, the government ministry in charge of such regulation would typically not be the defence ministry and there might be confusion between the ministries in charge.

What further complicates the feasibility of a state-sanctioned regulatory framework in the context of cloud computing is the international nature of the companies involved. Those companies are typically global rather than national in nature, with several important implications. First, their agendas, motives and goals may not have national interests as a top priority. As such, national security may be a concern for some but not for others. Certainly, when a transnational corporation of that sort has no physical presence in a country, and is unrelated to that country financially, in terms of its personnel, facilities or infrastructure, then the national security of that country would be of lesser concern to the leadership of the company. If interests align, the company would protect national security interests, but that is not guaranteed.

Second, the ability of the state to influence companies that are fully within its jurisdiction is considerably better than that of transnational corporations (Backer 2015; Van den Herik and Letnar Černič 2010). Using regulatory frameworks, financial incentives and training programs, inter alia, the state is in a position to influence private companies that operate largely within its borders. This is true also in the context of national security, where private companies would follow state directives, for instance about erecting bomb shelters. Likewise, in the context of cyber national security, national companies would stay up to date on state-issued recommendations concerning software and hardware protections, antivirus updates and more. The case is not the same for international companies. The latter, in addition to not necessarily having to serve the goal of national security within their own interests, would also be harder to regulate by the state.

In sum, the state is dependent on cyber companies for the very subsistence and integrity of its national security framework. This is so for reasons related both to the potentially diverging interests of cyber companies and the state and to the challenges in regulating international (as opposed to national) companies. The capacity of the state to proactively influence such companies may be seriously hampered. While the state would not ask banks, hospitals or critical infrastructure facilities to put together their own air defence, it would certainly be prodding them to keep their antivirus versions up to date. In a departure from safety standards, which are usually imposed by the regulatory frameworks of the state, companies need to meet security standards as they are at the digital frontiers of the nation. Yet, such demands are unlikely when the state deals with big transnational corporations, whose influence on national cyber security may be immense, as the empirical case study of Meta in the war in Ukraine below further demonstrates.

New strategic Trajectories and an altered course of development

The production, development and strategic trajectory of the cyber realm is key for national security. Yet, and again unlike traditional conceptualisations of national security, those are key to the interface of states and companies. Let us take air defence as a comparison. The production of combat airplanes is done either by the state or by private companies. Yet, the object of those airplanes is one. They are made in order to protect the national airspace, a key element of national security. There are no other intended uses for such airplanes, as they are used exclusively for the purpose of national security. Furthermore, the operation of the airplanes is done almost invariably by the air force, which is an arm of the national government and is key among the institutions of national security. Products intended for cyber national security are fundamentally different in nature.

While cyber products are produced by private companies inter alia for national security purposes, they are also intended for private use. Indeed, in many cases, such products would be as commonly (if not more) used to serve the security needs of private companies than the needs of the state. In other words, cyber security features are subject to market mechanisms in terms of both their consumption and their production. Rather than providing national security products exclusively to a state or to an alliance of states, which belong to certain categories clearly defined by national or international standards – such as NATO – cyber security products are sold widely. Price, demand and supply, rather than national affiliations or affinities, play a key role. This discrepancy entails some fundamental differences between national security in the old sense and its meaning in the cyber era.

As the consumption of combat airplanes – as well as tanks or heavy artillery – is almost exclusively by states for the purpose of national security, their strategic trajectory is inevitably aligned with national security strategy. Weapon producers manufacture what states need, and as those needs alter with changes in national security strategy, the vision and strategy of the company would change alongside. Conversely, when it comes to cyber security, the strategic vision of big technology companies may be a function of their worldview and values or their understanding of the market and how it is bound to change and develop. When commercial interests and national security strategy contradict, the latter has marginal significance. Companies are motivated to stay dominant because their size allows them to hold market shares and allows them to create a network effect (Bateman 2019).

Many if not most of the cyber security products are dual-use. They are produced for the private market to be purchased by private companies for the purposes of cyber security as much as they are meant to serve national security. In fact, many of them are produced only for the use of private companies or private individuals, but it is their proper function that in the aggregate adds up to the national resilience at the national level (Matania, Yoffe, and Goldstein 2017). It is when cyber security products serve their goal, and when all companies in the nation have their systems protected, that the integrity of the national security framework is preserved.

Explaining the rise of companies

Traditional dimensions of national security were typically considered using a holistic approach. The same is not necessarily true for the cyber realm. Ground troops, fortifications or air defence were intended at different points in history to provide the nation with complete security. When nations were not in a position to put together national defence of that sort on their own, they aimed to get foolproof protection using international alliances. The basic understanding, nonetheless, was that security is fully provided by the state. Yet, in the cyber era, companies, and in some cases even individuals, are brought into the fold of maintaining national security.

Companies stand on the nation’s digital frontiers (Matania, Yoffe, and Mashkautsan 2016) and in many cases traverse such frontiers physically, economically and technologically. Thus, organisations are meaningfully responsible for the cyber hygiene of the nation and its defence in cyberspace. National security policies, the nation’s status in the world and its geostrategic standing are all inextricably linked with its organisations and companies. In this reality, LTD identity may be more central than a certain national affiliation, and the CISO and her directives for her company may be critical for national security as much as policies enacted by various state officeholders. There are several reasons why the incorporation of companies into national security has become part and parcel of national security strategies.

First is the borderless nature of cyberspace. When a conflict erupts in the physical world, it takes place on certain borders, with certain nations directly or indirectly involved. Likewise in intrastate conflicts, which do not necessarily happen along international borders, there is a finite number of parties to the conflict. Conversely, the cyber realm is a borderless terrain (Matania, Yoffe, and Mashkautsan 2016). Cyberspace is a global domain within an information environment consisting of the interdependent network of information system infrastructures. Those include the Internet, telecommunications networks, computer systems and embedded processors and controllers (NIST). It is a borderless manmade virtual domain, perceived as an additional stand-alone domain of human activity and military power besides the physical domains such as air, land, sea and outer space (Shallcross 2017). A cyber conflict does not necessarily happen in a clearly designated location or between clearly identified parties. Rather, it can take place in the entire terrain, and unfold simultaneously around the world. Take the WannaCry ransomware attack of May 2017 as an example. Taking advantage of EternalBlue – a loophole in Microsoft Windows OS, which was stolen from the American National Security Agency where it was discovered – the worm encrypted data only to demand ransom payment. Software patches released by Microsoft before May 2017 were intended to secure against such attacks but were not applied by many of the companies whose computers were attacked. The attack happened worldwide and inflicted within a matter of hours or a few days, computers around the world

Second, with respect to contiguity, in the cyber realm, as Matania et al. point out “threats all but ignore national borders as they take advantage of interconnectivity to target organisations directly”. (Matania, Yoffe, and Mashkautsan 2016, 78). The digital frontier of nations changed, and with it the concept of national security. Rather than an exclusive focus on territory and people, national security (somewhat like other terms such as sovereignty and jurisdiction) is now heavily intertwined with organisations, among which tech companies are crucial.

There is no immediate circle or secondary circle of friends and foes. As such, states may use the same means to protect their national security when dealing with an immediately close enemy or with one across the Atlantic Ocean. In the example mentioned above, to protect its own national security, Russia employed cyber means to undercut the democratic electoral process in the USA, an enemy located far away. However, China also used cyber means only to protect itself against what it perceived as an immediate threat and one that was also geographically very close. The protest movement in Hong Kong, over the summer of 2019, generated a flurry of Chinese interventions online. The Chinese government did not hesitate to use inaccurate information. That included images of masked protesters flooding the streets of Hong Kong, the allegations that the C.I.A. orchestrated the protests, and a series of messages on social media suggesting that radicals were behind the protest movement. Despite the fact that people went out in droves to join the protests, Chinese state-led propaganda reflected a reality in which protests were fuelled by a minority and influenced by foreigners. This minority posed a threat to the majority of residents, who allegedly were not invested in the movement.

Third, with the advance of the cyber age, pivotal players for national security have changed. Rather than nation-states, technological giants are in many ways key for national security. Tech giants have become indispensable for the ability of the state to protect itself and its institutions. The roots of the power the tech giants amassed in the area of national security are dissimilar to how such power is traditionally conceptualised. Their growth of power was unpredictable, not only to the states but to the tech corporations themselves. While they are immensely powerful, their path to occupy such a position and the motivations that pushed them forward were distinctly different from states, as their key motivation was business oriented, rather than oriented towards political power (Nye 2010).

Almost all of the major technologies that have become central to human activity and to national security are controlled exclusively by giant transnational technological corporations. Just like social media, it was impossible to forecast the importance of storage and cloud computing, and how companies like Amazon, Google and Microsoft would become so powerful in dominating them. A similar story applies to search engines and data collection. Whether it is storage, search engines, social media or other technologies dominated by major cyber transnationals (e.g. artificial intelligence), they were largely created due to the creativity and entrepreneurship of those companies and their business interests. They were not delegated from states, nor were they necessarily designated as key areas of development by the states. The haphazard nature of their growth, and the fact that political goals were not at the top of their agenda, sets those companies apart from states, and makes their role in national security distinct.

Let us return to Wannacry to further illustrate the growing significance of transnational technological corporations in dealing with domestic and cross-border strategic threats. Possibly the most visible victim of the attack was a national agency in the United Kingdom. Tens of thousands of computers, devices and equipment were infected in hospitals and clinics of the British National Health Service. This in turn led to the NHS being forced to divert ambulances and reject certain categories of health emergencies in its medical facilities. Further, it was a national agency that played a key role in the fact the attack took place; While the NSA developed EternalBlue it apparently failed to properly inform Microsoft and potential victims. Yet, it was a private corporation that was pivotal in the successful reaction to the attack in America and beyond. The importance of the role of Microsoft in the fact that the attack was largely controlled within a matter of days cannot be overstated. It was emergency patches from Microsoft that were instrumental in the quick and effective response to the attack that affected hundreds of thousands of computers across the globe. Releasing security patches for several of its old unmaintained Windows products the day after the attack and spreading the necessary security updates in servers around the world was the quick and effective response by this technological multinational corporation in conjunction with the discovery of kill switches that prevented the further spread of the ransomware. Private hackers and cyber companies also played a role. Between the reactions of national agencies, corporations, companies and individuals, the attack was rapidly stifled (Matania and Rapaport 2021, 168–178). Beyond the case of a Western democracy such as the UK in WannaCry, where a democracy sought the assistance of a Western transnational technological company when its national security was jeopardised due to a cyber-attack, there are examples of similar trends in non-democracies. The most recent example is Saudi Arabia resorting to use the help of foreign cyber companies in the attack on Aramco.

The cases of WannaCry, Stuxnet, or SingHealth show the general trend, with increasing momentum for the role of companies as cyber figures as a progressively prominent element in the realm of national security. To more fully examine this trajectory at the empirical level, let us turn to our key case study: the role of Meta in the 2022 Ukraine War. This case involves a company (Meta), a democratic state (Ukraine) and a nondemocracy (Russia) and is particularly timely as it is still ongoing.

Case study: meta in the 2022 Ukraine war

To empirically examine the various facets of the novel theoretical framework we develop for national security in the cyber era, we take the case of Meta during the ongoing war in Ukraine. As it operates permanent international offices in at least seven different countries, Meta is no stranger to international activity that goes well beyond its business dealings and takes on various diplomatic dimensions (Meta n.d.-a, n.d.-e; Zandt and Richter 2022). Beyond its international offices, Meta has employees and 3^rd party contractors in many more countries. This web of international activity takes on diplomatic forms quite often, with repercussions for national security (Mac, Isaac, and Frenkel 2022; Meta n.d.-c, n.d.-f). It is not surprising, then, that the corporation has played a role with momentous national security implications in the 2022 war in Ukraine. This case study illustrates several key aspects of the theoretical framework we develop for national security in the cyber era. This includes the growing importance of cyberspace and digital governance and the new types of vulnerabilities they possess, the cyber protection of democratic values and national digital assets, the new temporal patterns of activity and most importantly the pre-eminence of companies in the realms of national and international security in the cyber era.

In a number of press releases throughout the early stages of the invasion, Meta made changes to its policies and added new services in response to the war. The earliest actions in February 2022 included privacy measures and policy clarifications (Meta n.d.-d, n.d.-g). First was protecting security at the level of individual citizens. Meta made several important changes in that respect. For instance, Meta added personal privacy methods for Ukrainians. Those included adding closed accounts, which allowed users to hide profile pictures and friend lists. In addition, it made possible to prompt Instagram users to be private. On the Messenger platform, it allowed enhanced encryption to preserve privacy and security. On its WhatsApp platform, disappear mode was made available as well as two step verification (Meta n.d.-f).

Second was changes that addressed the flow of information via Meta platforms. Meta opened a dedicated situation center to enforce pre-existing guidelines. The corporation made a concerted effort to deal with misinformation in particular in the context of state-controlled media (Rakov and Fainberg 2023). This included removing content that violated policies, using 3^rd party fact checkers and prioritising war information, marking false content and deprioritizing it, expanding fact checkers specifically about Ukraine and Russia, directly alerting users about old information, placing warning labels on content based on 3^rd party fact checkers, imposing restrictions and labels on message forwarding and notifying users sharing or who shared in the past fact-checked information. Meta additionally attacked state run media by demonetising and banning advertisement by Russian state media and enforcing related policies despite requests from the Russian government to stop these actions. Meta developed its definition and standards for state-controlled media organisations with input from over 65 media, governance, human rights and development experts worldwide (Meta, n.d.-c; Meta 2020).

On February 28^th, in response to a request by several EU member states, Meta acted directly against Russian media and restricted two major Russian media outlets – Russia Today and Sputnik – in the EU (Kayali 2022).

Such moves, and others, such as data sharing to assist with refugee flows and life-saving information share in active warzones, alongside the efforts of other companies (US Chamber of Commerce Technology Engagement Center, n.d..) had a direct and meaningful impact on the resilience of Ukraine’s digital governance and cyber sovereignty/. Accordingly, both Ukraine’s national security and Russian strategic capacity and war effort were affected. Unavoidably, this effort by Meta put it on a collision course with Russia, which perceived the corporation’s actions as threatening its national security. Rather than a business or regulatory interaction between a nation and a company, the conflict between Meta and the Russian government took on the form of a conflict with actual geostrategic implications.

On NaN Invalid Date NaN, Russia reacted: Facebook was banned in Russia and Meta was later labelled an ‘extremist organization’ by the Russian administration, a designation normally reserved for terrorist groups, or other organisations threatening the security of the Russian homeland (Dwoskin, De Vynck, and Telford 2022). For several weeks, Meta continued to take overt actions in response to the Russian invasion. Networks of fake accounts were removed, and more personal security measures were added incrementally. As Facebook was banned in Russia, Meta announced that it would ban advertisement targeting Russia, and ban Russian advertisers from creating or running ads on any of its platforms. On March 8th, restrictions on Russian state-controlled media were expanded to Instagram.

Facebook also began offering new services including a Community Help section on Facebook and WhatsApp with access to resources. Meta added a Center for Emotional Help onto Facebook which made available mental health information from the WHO and IMC and other resources. Meta pushed the availability of resources on it platforms on its press releases, and published figures indicating that millions of people used Facebook to express solidarity and provide help to the Ukrainians. In late February, Russian state media was downgraded globally on Meta platforms. At the same time, Meta advertised a State of Emergency Service of Ukraine hotline opened on its WhatsApp platform. Actions like removing a viral deepfake video of Volodymyr Zelesnki were key to the narrative of the war on both sides. Meta’s direct control over the flow of various types of information – restricting or banning national media outlets, managing misinformation campaigns and more – put it in a position which directly impinged on national security interests of both Russia and Ukraine, clearly favouring the latter (Meta n.d.-b, n.d.-f).

Finally, Meta took miscellaneous actions that further established the fact that the company took sides in the conflict. Those actions allowed Meta to take advantage of the cyber domain but with implications on the ground. For instance, the company raised more than $20 million for non-profit organisations in support of humanitarian aid for Ukraine. Several Facebook groups were set up to help those in need, including a group of 200 thousand Romanian volunteers and donors coordinating the transport and accommodation of refugees. Likewise, a Polish Facebook group of more than 300 thousand members offering assistance to victims with post-border logistics budded on Meta’s platforms. This group organised housing, clothing and medicine. Finally, flexing its own financial muscle, on March 3 Meta donated $15 M to UN agencies and other NGOs for humanitarian aid in Ukraine (Meta, n.d.-f).

All those actions further enhanced Meta’s geostrategic stance in the conflict, a stance not overlooked by the Russian government. A critical development took place on March 11^th when Meta changed its policy to allow Ukrainians to ‘express rage’. Facebook’s content moderators were at the forefront of the information and propaganda war prompted by the Russian invasion. As reported on Reuters, a statement by a Meta spokesperson in early March 2022 said: ‘As a result of the Russian invasion of Ukraine we have temporarily made allowances for forms of political expression that would normally violate our rules like violent speech such as “death to the Russian invaders” We still won’t allow credible calls for violence against Russian civilians’ (Vengattil and Culliford 2022). Meta recognised the multifaceted geostrategic nature of its decision. First, this statement served the strategic goals of the company concerning the side it favours in the conflict. It supported the construction of the war’s narrative and the war effort of Ukraine and its Western allies at the expense of Russia (Bergengruen 2023). Second, it was geostrategic in the sense that it is recognised as having the potential to impact how the war unfolds. The actions of Facebook and other platforms combined acted as a counterweight to Russia’s wartime activities and further demarcated the sphere of influence companies have assumed.

Recognition of the potential national security implications of this change in Meta’s policy was not missed on the Russian side. An official response by the Russian embassy in the US was not late to come on Twitter: ‘Users of Meta & Instagram did not give the owners of these platforms the right to determine the criteria of truth and pit nations against each other’ (Russian Embassy in the US 2022).

There is an indication that Meta recognised the geopolitical repercussions of the change in company policy, and that those rather than customer satisfaction or business goals, were its main motivation. In an undated email cited by Reuters in early March 2022 as well, Meta stated: ‘We are issuing a spirit-of-the-policy allowance to allow T1 violent speech that would otherwise be removed under the Hate Speech policy when: (a) targeting Russian soldiers, except prisoners of war, or (b) targeting Russians where it’s clear that the context is the Russian invasion of Ukraine (e.g. content mentions the invasion, self-defence, etc.). We are doing this because we have observed that in this specific context, “Russian soldiers” is being used as a proxy for the Russian military. The Hate Speech policy continues to prohibit attacks on Russians’.

Discussion and conclusions

Any grand strategy for national security aimed at protecting the values of the state is not limited anymore to the physical reality. It is not only the physical territory and assets that should be protected. And it is not only the physical way of life. Rather, in addition to weaknesses related to national values in the traditional sense, digital liabilities are critical. The nation can be attacked and its interests and way of life seriously undermined due to cyber-attacks. Its digital integrity, social media and digital assets are key concerns for those in charge of national security. A political and national reality so infused with cyber elements inherently advances and expands what it means to be American, French or Indian. It expands the core values of the state. Accordingly, a grand strategy for national security now inevitably includes elements that had not existed, or at least had not been a main concern, prior to the advance of cyber.

Meta’s actions during the Ukraine War reflect more than one aspect of the changing nature of national security. Meta’s direct control over the flow of various types of information – restricting or banning national media outlets, managing misinformation campaigns and more – put it in a position which directly impinged on national security interests of both Russia and Ukraine. Meta took various actions clearly showing the company took sides in the conflict. Those actions allowed Meta to take advantage of the cyber domain and illustrate how this domain changes the essence of national security. Our case study illustrates the new types of vulnerabilities, the cyber protection of democratic values and national digital assets, the new temporal patterns of activity and most importantly the pre-eminence of companies in the realm of security in the cyber era.

Finally, the cyber dimension creates tectonic changes in many areas of life, as technology opens new avenues for human creativity. With the advent of the cyber era, companies have become significant actors in the international system alongside countries because it is those companies that invent, develop and operate the technological infrastructure for the very operation of the domain itself. As the physical dimensions of air, land and sea are natural, such dominance of companies in the very creation of the domain is unprecedented. The cyber domain is an artificial, man-made domain, created and maintained through and by the corporations. Their activity dictates global trends and the vision for the development of the cyber dimension. Furthermore, companies’ control of the domain itself, the knowledge developed, the technology that serves it and is developed in and through it, and the expertise that mainly exists in the corporates’ core departments makes those corporations central in ensuring the national security of countries. Although they are not the sole contributors to political and technological evolution in the cyber era, their conduct has proved highly consequential.

The scope of the present paper is on democracies and large companies, but further research will extend the focus beyond this. While this article is focused on democracies and big tech companies, the changes brought by the cyber era apply to nondemocracies and to smaller tech companies as well. Indeed, this article is part of a more comprehensive effort for developing a research agenda in which we expand the scope conditions by examining more multifaceted transformations of national security. The agenda has three main components. First, this evolving research agenda examines nondemocracies focusing on the relationship between governments and companies. One key aspect of the theory relates to the degree of involvement of governments in the business conduct of technology companies, and the extent to which democratic institutions (or for nondemocracies, government institutions more broadly) are consequential for such a regulatory landscape. Second, an additional aspect of our research agenda examines the nature and degree of influence of technology companies of different types and sizes. While in this article we focused on Big Tech companies that control the digital infrastructure and showed their influence on issues of national security, we believe an articulation of a technological hierarchy of companies is critical. Such hierarchy would determine the order of magnitude and influence of their activities on national security as well as the new forms of action they would need to adopt due to changes in national security. Third, the diverse infrastructure of cyberspace, coupled with technology companies offering a wide range of services across multiple domains, significantly amplifies national security vulnerabilities. This raises a different question, which our future work will grapple with, concerning the types of tools that can be used to evaluate degrees of criticality and vulnerabilities in different areas of national security and their implications for democratic governments on the one hand and the business strategy of tech companies on the other. While, prima facie, we expect areas of national security that are more heavily reliant on technology to be more vulnerable, our analyses explore the more convoluted political and business aspects of this question.

Disclosure statement

No potential conflict of interest was reported by the authors.

Correction Statement

This article has been republished with minor changes. These changes do not impact the academic content of the article.

Additional information

Funding

Funding was provided by Israel Science Foundation Grant number 2737/20 (The effects of legal data regimes on the global data race).

Notes on contributors

Udi Sommer

Udi Sommer is John Jay Fall Research Fellow at the City University of New York and Professor at the School of Political Science, Government and International Relations at Tel Aviv University.

Eviatar Matania

Eviatar Matania is Professor at the School of Political Science, Government and International Relations at Tel Aviv University and Head of the Masters Program in Cyber and Government.

Nir Hassid

Nir Hassid is a post-doctoral fellow at the School of Political Science, Government and International Relations at Tel Aviv University.