[Webinar summary] What is the role of the private sector towards a peaceful cyberspace?

The Geneva Internet Platform (GIP) organised a webinar titled ‘What is the role of the private sector towards a peaceful cyberspace?’ within the framework of the Geneva Dialogue on Responsible Behaviour in Cyberspace, led by the Swiss Federal Department of Foreign Affairs (FDFA), in co-operation with the GIP, the United Nations Institute for Disarmament Research (UNIDIR), ETH Zurich, and the University of Lausanne. This webinar was the third in the series, building upon the first webinar, ‘What is responsible behaviour in cyberspace?’ and the second, ‘What is the role of civil society and communities towards a peaceful cyberspace?.’ The discussion was moderated by Mr Vladimir Radunović (DiploFoundation) while speaker Mr Martin Dion (Kudelski Security) reflected on what the role of the private sector is in ensuring international peace and security through responsible behaviour in cyberspace.

Main components and actors within the private sector

Regarding the private sector as monolithic is a mistake from a policy-making and governance perspective, Dion pointed out. The private sector consists of three categories of actors: the IT community, the critical infrastructure providers, and the companies that create products and services.

The IT community works at a different pace and has different interests than most governments. The IT community creates software and operates cloud softwares, and includes companies such as Google, Amazon, Apple, and Microsoft. A subset of the IT community are cybersecurity firms, which are most likely the ones equipped with the adequate knowledge to effectively engage with governments or civil society to improve the cybersecurity status. The IT community creates products users will want to use, but it is important to note that products will fail if not protected properly – by cybersecurity firms. However, the IT sector is a very small part of society; even though IT firms represent a huge part of the stock market, they employ less people than governments.

The private sector owns and operates up to 95% of critical infrastructure, needed for day-to-day operations. This raises the question of how governments can ensure the safety and security of critical infrastructures when critical infrastructures actually belong to the private sector.

The third group consists of companies that create products and offer services, but are not IT or critical infrastructure companies. According to Dion, they represent over 70% of the economy. These companies are a part of the attack surface and their safety cannot be neglected.

Why should the private sector companies be involved in cyberspace?

Radunović pointed out that companies might need to have a profit in order to be involved in cybersecurity processes, which drain resources. Therefore, benefits of being involved in cybersecurity processes need to be clarified for companies.

Dion stated that profit is the driver for cybersecurity companies. From an IT community perspective, the challenge is to be able to capture the nascent, emerging economies, and untapped markets in order to achieve profit. However, IT companies must enable digital transformation in those societies, so they may take a leap forward in economy and security. For critical infrastructure providers, there is tension between profitability and service delivery, as they are for-profit organisations, but they are also a part of national security apparatuses. Their services must be reasonably priced, and must respect rules and measures imposed by governments. Therefore, their driver is also profit. The third group of companies also seek to capture untapped markets in order to achieve profit.

Social responsibility of IT companies

A participant posed the question of socially responsible businesses of big IT companies. Dion pointed out that, while large companies are by definition and as a result of their maturity more secure, they should enable their customers to be more secure as well. However, Dion does not think that it is a matter of social responsibility of companies, as customers make the choice to adopt technologies and IT companies are not endangering lives. On one hand, customers are responsible for choosing to use technologies and services offered by the IT companies.  On the other hand, IT companies are not endangering lives yet, even as their practives are being criticised on ethical and moral grounds.

Dion underlined that there is tension between the users’ need to be safe in cyberspace and their desire for free speech. He also noted there is tension between IT companies which advocate for net neutrality and governments which oppose it, as ability to control content on national level would make protecting their citizens easier. In Dion’s opinion, the only way for governments to provide a certain level of security for users is to have a certain level of control, but rules governments want to impose in cyberspace would not be accepted even in the physical world. A constructive dialogue on the subject will not be possible until users either accept that our reference model from the physical world is copied onto cyberspace or users change their expectations completely.

The role of the private sector in relation to critical infrastructure

Dion stated that critical infrastructure must be defined. In his opinion, a subgroup of critical infrastructure must be both co-ordinated and supported by governments (e.g. the healthcare sector). However, some sectors that are considered a part of critical infrastructure are of international importance, such as telecommunications and banking. It is important to recognise that physical boundaries do not exist in cyberspace and it is therefore hard to determine which government should protect sectors that are of international importance. In these sectors, governments should engage with critical service providers to ensure safety. This endeavour could be further complicated by poor foreign relations between governments.

The responsibility of the private sector to reduce vulnerabilities

Another participant inquired about the possibility of a global coalition of private sector actors in cyberspace. Dion stated that there are numerous coalitions of IT companies, which try to create secure systems. However, as creating a bulletproof system makes a system less usable to the buyer, the creators frequently need to compromise so user experience is not constrained. In Dion’s opinion, the IT industry is trying to grow by reducing the overall friction between technology and user options. While vulnerabilities exist, the security quality of modern products has increased drastically over the years, Dion underlined. He also pointed out that the attack surface is getting bigger because more technology is being used and more services are being offered. As society becomes more dependent on IT, the way of creation, adoption, and promotion of technology needs to change as well. He also stressed that users need to patch their systems on time, underlining that patches are usually made available by big vendors in a timely manner.

Radunović pointed out that the patching system might not be viable anymore in many cases, such as in the case of old versions of Windows operating systems used by industries like health or industrial facilities when patching or upgrading the operating system can void the warranty of a specific software. He also stated that many companies cannot afford the services of security companies. Radunović also stressed that many developing countries still possess a huge number of legacy or orphan software, such as Windows XP.

The role of the private sector in capacity building

Lead service providers, such as Microsoft and Google, should be one of the partners of choice in securing the emerging technologies, such as artificial intelligence (AI). In other sectors, such as healthcare, medical professionals and highly specialised security firms should collaborate. Cybersecurity experts can explain to medical professionals why a device is important, how it interacts with other devices, and why it needs to be updated – all this helps with understanding the risks so they can be managed. AI is, and will be for the foreseeable future, a technology specialist field. The Internet of things (IoT) connect cyberspace and physical space, and physical world specialists need to provide knowledge to IT specialists. Dion stated that, from a policy point of view, governments should force collaborations between these parties, because a lack of knowledge might endanger lives instead of improving quality of life.