When Corporations Take Offensive Measures Against States
Cyberattacks are increasingly inundating the private sector, and most States are unable or unwilling to provide adequate protection against these attacks. To mitigate this challenge, numerous corporations acknowledge that they have engaged in some form of active cyber defense, despite its unlawfulness. While these “offense-as-defense” measures have been condemned by some government officials, others have been more lenient about the practice. This leniency may be due in part to the fact that States often depend on many of these same corporations for assistance with their own cyber matters.
Notwithstanding (mostly) affable national security collaborations and a reticent acknowledgement of corporate active cyber defense, there is a growing political consensus that private corporations—who act in the interests of their shareholders—cannot be counted on to advance national interests. Indeed, some States are becoming progressively uneasy with the amassed reach and influence of high-tech corporations. For example, China is going further than any other country to rein in its tech behemoths by fining Alibaba $2.8 billion for abuse of market dominance, and Luxembourg’s data-protection commission has also proposed fining Amazon more than $425 million based on unspecified privacy allegations.
At the same time, States (including the United States) are also feeling intense pressure to incentivize innovation among the private sector in order to prevent a competing State from becoming the biggest player in the global AI market (i.e., the world’s science and technology superpower).
Despite these strained attempts at balancing governmental regulations with highly motivated research and development support, some corporations would prefer that States simply “get out of the way.” In 2011 Eric Schmidt, Chairman of Google, citing former Intel CEO Andy Grove, stated: “High tech runs three-times faster than normal businesses. And the government runs three-times slower than normal businesses. So we have a nine-times gap… And so what you want to do is you want to make sure that the government does not get in the way and slow things down.”
Notwithstanding such propositions, private corporations are rarely being slowed down by government (despite attempted antitrust lawsuits). Instead, it is governments who are often being slowed down by the private sector. Lucas Kello notes:
[l]arge technology firms (e.g., Google, Apple, Microsoft) are able to offer salaries multiple times larger than what military and security agencies (USCYBERCOM, NSA, GCHQ) can offer. “We are competing in a tough marketplace against a private sector that is in a position to offer a lot more money,” [former] U.S. Secretary of Homeland Security Jeh Johnson lamented. “We need more cybertalent without a doubt in D.H.S., in the federal government, and we are not where we should be right now, that is without a doubt.” Similarly, in Britain, the government skills gap is so severe that former GCHQ Director Iain Lobban said that his agency might have to employ non-nationals for a brief period—that is, before they, too, are inevitably absorbed by the private sector.
With such asymmetric advantages, an ambitious corporation already focused on market dominance may be enticed to position itself as a dominant actor among States—a difficult but technically achievable goal. Indeed, the 2020 Cyberspace Solarium Commission notes that “[i]n the future cyberspace environment, the advantage will not necessarily go to the most powerful among nations, but to the actors that field the best algorithms or technologies.”
If a tech corporation were to use unparalleled cyber capabilities against States, then States would not only need to be prepared to engage with these powerful non-State actors, but they would also need to adapt their strategic paradigm in order to play the game that’s on the field. Belligerent non-State actors have long been a proverbial thorn in States’ sides; however, a hostile corporation attacking a State would be unique in that States may not have the capability to detect the full range of actions taken due to the private corporation’s superior ability to shield its complex internal operations and/or produce undetectable cyberattacks.
For example, corporations who develop brain-like AI for cognitive brain-computer interface (BCI) computer chips could eventually use this technology as a weapon for unmatched information warfare, which (among other things) could microtarget and exploit individuals based on information from their personal data. This type of attack would not be comparable to current attacks in terms of intensity and effectiveness because the necessary technology has not been fully developed yet. However, with this technology, discreet operations could effectively allow corporate actors to consolidate control over a State without even stepping foot on its territory or raising the suspicions of the State being attacked. Stated further:
[I]n a scenario where [the weapon] exercised manipulative warfare by taking advantage of and heightening already existing feelings among key leaders (using exceptional methods not currently obtainable by man or machine independently), this attack could be a form of “indirect effective control” or “long-arm occupation.” The users of [the weapon] could be an occupying power even if there were no local de facto groups on the ground because they would effectively be controlling the territory through the legitimate leaders themselves. Notably, an invasion of this type theoretically only requires “effective control over persons rather than effective control over foreign territory (or parts of it).” In this scenario, if and when the affected State were to become aware of the occupation, they could no longer respond in self-defense as that window of opportunity would have already passed.
In this hypothetical scenario, if the victim State were to eventually engage with the corporation, it would have to do so as a belligerent actor, which may raise interesting questions as to who the de facto government would be and whether the armed conflict could be considered a non-international armed conflict if the corporation retained its multi-national status.
As noted above, if a State were to abstain from acting in self-defense until after being subjected to the cyberattack, the likelihood of success would be slim as the State would no longer be in a position to defend itself. The ability to digitally communicate and act, or even unify, could effectively be crippled.
Ideally, States would come together now to establish clear understandings and regulations in order to negate the need for preventive self-defense measures against corporations. However, this may prove difficult if States are not interested in committing themselves (or potential allied corporations) to regulation—particularly States who have declared some form of intent to lead in AI and govern on a global scale.
In cyber warfare—which ensnares State and non-State actors alike—it is unparalleled intellect and ingenuity that distinguishes the superior from the weak. If States cannot control the behavior and actions of corporations in their own territory, then they must either independently ramp up technological developments or consider their own unorthodox methods of active cyber defense.
Carolyn Sharp is a law student at Brigham Young University. Carolyn focuses her research on the impacts of advanced technology on international law and the law of armed conflict.
 See Dennis Broeders, Private Active Cyber Defense and (International) Cyber Security—Pushing the Line?. (Noting that “[s]tatements range from clear cut public condemnation of ‘strike back techniques of any kind by firms or other private actors’ by Assistant Attorney General Leslie Caldwell in 2015 to more ambiguous statements such as that by NSA director Admiral Mike Rogers who surmised that though he was not a ‘big fan of the idea, it is not without precedence’.”
 The Cyber Financial Wars on the Horizon: The Convergence of Financial and Cyber Warfare and the Need for a 21st Century National Security Response, 19 (quoting Ellen Richey, Visa’s vice chairman for risk and public policy).
 Lucas Kello, Private-Sector Cyberweapons: Strategic and Other Consequences, Oxford University (2016).
 Report, U.S. Cyberspace Solarium Commission 8-16, 10, 71 (March 2020).
 Carolyn Sharp, Cognitively Enhanced Humans as Both Warfighters and Weapons of War, on file with author.