Hill Briefing Recap: The Private Sector’s Evolving Role in Conflict
On June 13, 2023, the R Street Institute’s Cybersecurity and Emerging Threats team hosted a Hill briefing on the private sector’s evolving role in conflict. It was held in partnership with the Congressional Cybersecurity Caucus, co-chaired by Congressman Michael McCaul (Texas-10) and Congresswoman Elissa Slotkin (Mich.-7), and Recorded Future.
The briefing featured a panel moderated by R Street’s Cyber Policy Director, Brandon Pugh, and experts from academia, industry and government, including Geoff Brown, Vice President of Global Intelligence Platforms at Recorded Future; Joanna LaHaie, Acting Director of the Office of International Engagement and Capacity Building in the U.S. Department of State’s Bureau of Cyberspace and Digital Policy; and Melanie Teplinsky, Senior Fellow at the Tech, Law, and Security Program at the American University Washington College of Law.
Private companies have contributed to defense efforts for many years, but their engagement in the Ukraine conflict has been unique and takes various forms, including providing open-source intelligence (OSINT) and offering cybersecurity assistance. The goal of the event was to highlight such assistance, takeaways from efforts in Ukraine and best practices to apply in future conflicts, including the role before conflict begins and after it ends. Highlights are shared below, and the discussion made it clear that the private sector plays a critical role that might be unmet otherwise.
Examples of Assistance in the Ukraine Conflict
The panel explored various examples of how the private sector assisted during the Ukraine conflict. LaHaie conveyed how the conflict demonstrated that the private sector can react quicker than government as government tends to be slower and face issues like authorities and budgets. She noted that the private sector had capabilities already available which allowed the federal government to work with Congress on other resources while urgent needs were met. One example cited was assistance with moving data to the cloud, which has national security benefits and is something for partners to consider.
Brown highlighted how the Cyber Defense Assistance Collaborative brought together private sector companies on a volunteer basis to assist Ukraine in an integrative fashion, which worked well since companies were already in the trenches and had a willingness to aid. This started with efforts to provide threat intelligence and network defense, but matured overtime to additional capabilities.
Teplinsky flagged two specific examples of engagement. One example was how Mandiant, an American cybersecurity firm, assisted Naftogaz, the largest national oil and gas company in Ukraine, by conducting threat hunting on their network to identify bad actors and to help prevent network access to keep critical infrastructure online. The other example involved Microsoft identifying the FoxBlade malware that was designed to wipe data from systems and sharing this discovery with Ukraine’s cyber defense authority and other European nations to prevent a destructive outcome.
Lessons Learned
Various lessons were learned from the private sector’s assistance in Ukraine. Brown said the conflict showed the agility of the private sector. For example, companies like Recorded Future had OSINT readily available that is not secret data, which allowed them to provide it when needed. The fact that a relationship existed before the conflict emerged was helpful.
Teplinsky offered that the private sector needs to work hand-in-hand with the government when assisting. She noted the private sector is essential to keeping critical infrastructure running, which is important for international bodies like the North Atlantic Treaty Organization to keep in mind.
LaHaie said positioning ourselves to deal with conflict before, and when, it arises is critical, especially considering a lot of actions occur under the threshold of armed conflict. She flagged how the White House’s National Cybersecurity Strategy is connected because it prioritizes international relationships like providing support to others around the world from a cybersecurity perspective.
The Structure of Collaboration
The panel explored what collaboration should look like between industry and the U.S. government, along with collaboration between industry and foreign governments. Brown noted that in the case of Ukraine, the aggression from Russia was clear so the private sector came together easily, but he was unsure if that cohesion can always be counted when a conflict is not as easy to classify. He noted that different factors go into that like technology, market factors and politics.
Moving forward, Brown noted that definitions are important to determine what conflicts and situations qualify for assistance and what do not, like limiting it to defense purposes and knowing where different players in the field fall in a moment of need. Teplinsky shared the example of Starlink, which was offered for defense purposes only to enable internet access, but was later used to fly drones as well.
The idea of sustaining and scaling involvement was raised by all panelists. LaHaie questioned what the right way is for the U.S. government to engage with industry to make their tools available in a sustainable and realistic way that can also be profitable. She noted that the global economy might not be able to afford these tools and that they can only be provided for so long and that at some point, there needs to be people and processes to manage them.
Teplinsky outlined a few routes for formalizing this assistance moving forward. They include contracting, looking to legal frameworks like the Defense Production Act and the European Union’s Single Market Emergency Instrument, and assistance models like the Civil Reserve Air Fleet. While these are not all focused on cyber, she argued that there might be a model for cybersecurity.
Other Topics Raised
Several questions were raised during the question and answer period. One surrounded legal considerations for individuals, private sector companies, and private sector employees providing assistance before, during and after a conflict. This includes looking at the legal status of the individual and entity, protections provided by the Law of Armed Conflict, and the threshold for an individual or entity to be considered engaging in conflict.
In addition, the model for assistance in future conflicts was raised. LaHaie flagged a few considerations including what U.S. government resources are needed; the legal relationship with industry and authorities to act; whether contracts should be made with companies in advance and/or creating a bullpen model where solutions can be drawn as needed; and finding a way to access the breadth of solutions from industry in a fast and nimble way so they can be deployed. Brown echoed the sentiment that a model is key so up-front work can be done quickly, which would help ensure that the capabilities meet the situation and that things are well timed and tested when a time of need arises.
The briefing ultimately demonstrated the value of the private sector’s assistance in Ukraine and the various forms it took; lessons learned and best practices for the future; and the structure for private sector assistance before and during future conflicts. There are still multiple areas to explore and finalize, such as the specific model of engagement and legal considerations, but significant progress has been made toward providing assistance and capabilities in a conflict.