ABSTRACT
The increasing demand for cybersecurity has been met by a global supply, namely, a rapidly growing market of private companies that offer their services worldwide. Cybersecurity firms develop both defensive (e.g. protection of own networks) and offensive innovations (e.g. development of zero days), whereby they provide operational capacities and expertise to overstrained states. Yet, there is hardly any systematic knowledge of these new cybersecurity warriors to date. Who are they, and how can we differentiate them? This contribution to the special issue seeks to give an initial overview of the coordination between public and private actors in cyberspace. I thus explore these new private security forces by mapping the emerging market for these goods and services. The analysis develops a generic typology from a newly generated data set of almost one hundred companies. As a result of this stock-taking exercise, I suggest how to theorize public-private coordination as network relationships in order to provide a number of preliminary insights into the rise of this ‘brave new industry’ and to point out critical implications for the future of private security forces.
Disclosure statement
No potential conflict of interest was reported by the author(s).
Notes
1. Technically speaking, cyberspace is ‘the virtual space for interaction created by joint use of compatible data communication protocols’ Mueller, Against Sovereignty in Cyberspace, 10. It is ‘the realm of computer networks (and the users behind them) in which information is stored, shared, and communicated online. (…) But cyberspace isn’t purely virtual. It comprises the computers that store data plus the systems and infrastructure that allow it to flow’ Singer and Friedman, Cybersecurity and cyberwar, 13.
2. Weiss and Jankauskas, Securing Cyberspace.
3. Choucri, Cyberpolitics in International Relations, 39; see also, Solms and van Niekerk, From information security to cyber security.
4. Kuerbis and Badiei, Mapping the cybersecurity institutional landscape; Maurer, Cyber mercenaries; and Harris, @War.
5. Betz and Stevens, Cyberspace and the state; Mueller, Against Sovereignty in Cyberspace, 12. See also, Weiss, How to become a first mover.
6. James Bryan, the founding commander of the United States’ Joint Task Force-Computer Network Operations; cited from, Healey, A Fierce domain, 58.
7. Cusumano and Kinsey, Bureaucratic Interests and the Outsourcing of Security; and Abbott et al., The governor’s dilemma.
8. Carr, Public-private partnerships in national cyber-security strategies; Cavelty and Egloff, The Politics of Cybersecurity, 50–51. See also, Cusumano, Policy Prospects on the Regulation of PMSCs.
9. Mahoney, Corporate Hackers, 62.
10. Avant and Haufler, Public–Private Interactions and Practices of Security.
11. Singer and Friedman, Cybersecurity and cyberwar, 216. See also, Schmidt, Secrecy vs. Openness.
12. Berndtsson and Stern, Private security and the public-private divide.
13. Mueller, Schmidt and Kuerbis, Internet Security and Networked Governance in International Relations, 91–8; Weiss and Biermann, Networked Politics, 5–8; Kuerbis and Badiei, Mapping the cybersecurity institutional landscape.
14. Brooks, Producing security, 16–46; and Maurer, Cyber mercenaries, 16–22.
15. Krahmann, States, citizens and the privatization of security, 21–50; and Weiss, Transaction costs; 667–670.
16. For instance, the WTO’s Government Procurement Agreement (GPA) has established one central exemption from applying mandatory, competitive rules, that is the acquisition of weaponry. This exemption can also be found within the European Union’s Single Market. See, for instance, Weiss, Power and signals, and Weiss, Transaction costs.
17. De Vore and Weiss, Who’s in the cockpit?; and Weiss and Biermann, Cyberspace and the protection of critical national infrastructure.
18. Krahmann, States, citizens and the privatization of security, 84–194; Kruck, Theorizing the use of private military and security companies, 120–127; and Cusumano, The scope of military privatization.
19. Markusen, The Case Against Privatizing National Security; and Cusumano, Policy Prospects on the Regulation of PMSCs.
20. Harris, @War, 66–67; and Abbott et al., The governor’s dilemma.
21. Chabinsky, Former deputy assistant director of the FBI’s cyber division; cited from, Healey, A Fierce domain, 62.
22. Weiss and Jankauskas, Securing Cyberspace: How States Design Governance Arrangements, 271–2.
23. Laffont and Tirole, A Theory of Incentives in Procurement and Regulation; Avant, The market for force. Krahmann, NATO contracting in Afghanistan.
24. Abbott, Levi-Faur and Snidal, Theorizing Regulatory Intermediaries.
25. Weiss and Heinkelmann-Wild, Disarmed principals, 420–422.
26. Maurer, Cyber mercenaries, 78.
27. See note 2 above.
28. Cavelty and Wenger, Cyber security meets security politics, 4; Mueller, Against Sovereignty in Cyberspace, 2–5; Kuerbis and Badiei, Mapping the cybersecurity institutional landscape, 474–5. For the general competence-control trade-off, see Abbott et al., The governor’s dilemma.
29. Harris, @War, 103–122.
30. Betz and Stevens, Cyberspace and the state; Mahoney, Corporate Hackers, 63–5; Rid and Buchanan, Attributing Cyber Attacks.
31. Lin, Escalation Dynamics, 46–7; and Belk and Noyes, On the Use of Offensive Cyber Capabilities.
32. As this constellation strongly resembles the rise of private military and security companies (PMSCs) and thus corporate warriors, cybersecurity scholars have directly drawn on the private security forces literature to categorize offensive cyber operations according to the ‘tip-of-the-spear’ framework. Again, private actors appear less extensively involved in delivering the payload to the frontline; yet, more research is necessary. See, Maurer, Cyber mercenaries, 15; see also, Harris, @War, 220.
33. Healey, A Fierce domain, 25.
34. Harris, @War, 57,134–5 see also, Glen, Controlling Cyberspace, 121–42.
35. Allhoff, Henschke and Strawser, Binary bullets.
36. NSA spokesperson, cited from: ‘The agency posted a special notice to FedBizOpps.gov, right before the holidays, advertising work for small companies that develop ‘innovative technologies.’‘ by Aliya Sternstein, Nextgov, 31 December 2015. https://www.nextgov.com/cybersecurity/2015/12/first-nsa-advertises-opportunities-monstercom-federal-contracting/124799/.
37. Cavelty and Wenger, Cyber security meets security politics, 19; see also Maurer, Cyber mercenaries, 71–80. For a similar dynamic in the development of drone technologies, see Weiss, How to become a first mover.
38. Maschmeyer, Deibert, and Lindsay, A tale of two cybers.
39. Rid and Buchanan, Attributing Cyber Attacks; Singer and Friedman, Cybersecurity and cyberwar; Leander, Power to Construct. Interestingly, these dynamics are also in place for PMSCs that provide physical risk consultancy.
40. Goldman and Warner, Why a Digital Pearl Harbour Makes Sense … and Is Possible.
41. Weiss and Jankauskas, Securing Cyberspace: How States Design Governance Arrangements. Under certain circumstances, this may even lead to absurd consequences: ‘The NSA and private security companies have a symbiotic relationship. The government scares the CEOs and they run for help to experts such as Mandiant [i.e. now part of FireEye]. Those companies, in turn, share what they learn during their investigations with the government, as Mandiant did after the Google breach in 2010ʹ (Shane Harris, @War, 180).
42. Maurer, Cyber mercenaries, 71.
43. Cavelty and Wenger, Cyber security meets security politics, 15; and Mahoney, Corporate Hackers.
44. See note 38 above.
45. See, in particular, Kuerbis and Badiei, Mapping the cybersecurity institutional landscape.
46. See also, Weiss and Weiss, Indexing.
47. This data set has been assembled by Jan Tiedemann, to whom I am strongly indebted for providing me access to it. https://airtable.com/shr8fSPcdVfPppv6b/tblLtcZFAvnblAfHH/viwLPSoJC6jdhQf10?blocks=hide.
48. https://www.thesoftwarereport.com/the-top-25-cybersecurity-companies-of-2019/https://www.softwaretestinghelp.com/best-cyber-security-companies/.
49. See also, Kuerbis and Badiei, Mapping the cybersecurity institutional landscape, 473.
50. For a similar, though a bit different, categorization, see Maurer, Cyber mercenaries, 73.
53. Harris, @War, 121.
55. https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/https://www.spiegel.de/netzwelt/netzpolitik/interaktive-grafik-hier-sitzen-die-spaeh-werkzeuge-der-nsa-a-941030.htmlSimilar rumours regularly arise for other general tech champions, such as Microsoft or IBM.
56. Harris, @War, 181.http://www.cybersecco.com/company/mcafee/history.
57. https://s24.q4cdn.com/151081985/files/doc_financials/2019/2019-NortonLifeLock-Annual-Report-(Final).pdfhttps://www.nortonlifelock.com/us/en/government/https://staysafeonline.org/See also, Lewallen, Emerging technologies.
59. https://www.faz.net/aktuell/finanzen/antivirenprogramme-ist-kaspersky-noch-zu-trauen-15201986.htmlhttps://www.pc-magazin.de/news/marktanteile-der-antivirushersteller-1259297.html.
62. Harris, @War, 5.
63. Ibid., 121.
64. Harris, @War, xviii.
65. Bernstein and Wilson, New Perspectives on the History of the Military–Industrial Complex, 2
67. https://www.thalesgroup.com/en/activities/security/critical-information-systems-and-cybersecurity
68. Cavelty and Wenger, Cyber security meets security politics, 4; Schmidt, Secrecy vs. Openness, 15–74; and Mueller, Against Sovereignty in Cyberspace.
69. Choucri, Cyberpolitics in International Relations, 39; see also, Solms and Niekerk, From information security to cyber security.
70. Mueller, Schmidt and Kuerbis, Internet Security and Networked Governance in International Relations; Weiss, Varieties of privatization; and Weiss and Biermann, Networked Politics.
71. See note 12 above.
72. Scharpf, Games real actors play, 137.
73. Krahmann, Security Governance and Networks; Mueller, Schmidt and Kuerbis, Internet Security and Networked Governance in International Relations. See also, Weiss, Power and signals.
74. Carr, Public-private partnerships in national cyber-security strategies; Cavelty and Egloff, The Politics of Cybersecurity: Balancing Different Roles of the State, 50–51.
75. Weiss, Varieties of privatization.
76. Bernstein and Wilson, New Perspectives on the History of the Military–Industrial Complex.
77. Slayton and Clark-Ginsberg, Beyond regulatory capture.
78. Seidl, The politics of platform capitalism.
79. Harris, @War, 88.
80. Owen, Disruptive power, 14, 19.
81. Cavelty and Wenger, Cyber security meets security politics, 19; see also Glen, Controlling Cyberspace, 121–42; and Paarlberg, Knowledge as Power.
82. See note 77 above.
83. See note 38 above.
84. Heinrich, Cold War Armory.
85. Harris, @War, 220.
Additional information
Notes on contributors
Moritz Weiss
Moritz Weiss is a research fellow and senior lecturer in International Relations at the LMU University of Munich (Germany). In 2019/2020, he was a Jean Monnet Fellow at the Robert Schuman Centre for Advanced Studies of the European University Institute in Florence (Italy). His current research focuses on the political economy of defence policies, technological innovation and the rise of a regulatory security state. Among others, Moritz Weiss has published in leading political science journals, such as Security Studies, Review of International Political Economy, Governance, Journal of European Public Policy, Journal of Common Market Studies, European Journal of International Security, and Journal of Global Security Studies.