Tech companies aren’t just going to war. They’re owning the battlefield

In the months after Russia invaded Ukraine and destroyed much of the country’s telecom infrastructure, Elon Musk offered 20 thousand Starlink satellite internet terminals to facilitate internet connections for Ukrainians. These SpaceX terminals did not just enable communications between citizens or allow people to reach news websites; they were also critical for military operations, such as navigating drones and launching artillery. Ronan Farrow has called Musk “a private citizen with a private company who had become the arbiter of the outcome of this war.” 

There are few people in the world not in government of whom the same can be said. 

After his rescue mission, Musk was hailed as a savior by Ukrainian politicians and received appreciation from around the world. But that changed when he started hinting that the services his company was providing were too costly. Eventually, the company threatened to discontinue access to the satellites unless the U.S. government picked up a large portion of the cost, which the government had little choice but to do, as the Ukrainian war effort had become dependent on the service. Shutting it off could incapacitate military operations—and result in real casualties. 

SpaceX is not the only company that has purposely—or even inadvertently—become involved in the fighting in Ukraine. The battlefields are full of companies. Defense tech has emerged as one of Silicon Valley’s newest darlings, as start-ups like Anduril and Shield AI take in hundreds of millions or even billions of dollars in funding rounds. Commercial satellite imaging companies like Maxar have helped open-source investigators and journalists identify mass graves and Russian troop movements. And even before Russian soldiers entered Ukraine, Microsoft was working to take down malware attacking Ukrainian government organizations. 

The involvement of big tech companies in active military conflicts raises tough questions about the concept that underpins the foundations of international relations and international law: state sovereignty. The principle of state sovereignty assumes that a government is responsible for the activities within its borders and is mandated to uphold international standards and agreements. Most famously, after World War II, states signed the UN Charter, which held them to a host of commitments regarding human rights and the use of military force. Additional treaties and conventions bind signatory governments to uphold everything from the laws of armed conflict to trade agreements to the laws of the seas. Typically these treaties also include mechanisms of accountability in case signatories don’t comply. 

But companies are not signatories to these agreements or treaties.

Google, Maxar, Microsoft, and SpaceX and Clearview have few, if any, legal mandates according to international law. They are private, not public, actors. The rules that surround companies cover reporting revenue, accounting costs, and filing taxes—not when or how they should act in military confrontations. Yet companies like these exude sovereign power in new ways. They have monopolies on key insights and data analytics and make decisions about affairs that were once the exclusive domain of states, while these companies are not subject to comparable checks and balances. Moreover, companies that operate at a global scale often chafe against geographic borders. Even when governments want to exert control over such companies, which happens far less frequently than it should, they face a variety of constraints.

As far as we know, tech companies have abided by international conventions in the case of Ukraine, but there is no reason to expect that they will be on the right side of history or human rights law in the next conflict. Elon Musk, for instance, has recognized that in the current geopolitical climate, standing by Ukraine is good for business. 

But the market calculus changes with respect to China and some Middle Eastern nations. In conflicts involving those countries, companies may prioritize their business interests over the greater good. They may be reluctant to hand over aerial imagery of war crimes, assist in blocking troop movements, or even provide internet service for fear that such assistance would hurt their quarterly revenue. 

The challenge posed to state sovereignty by the shifting technology landscape is perhaps clearest at the moment war begins. When a tank breaches a nation’s border, the situation is clear: the aggressor has violated article 2.1 of the UN Charter, which commits member states to refrain from “threats and the use of force against the territorial integrity or political independence of any state.” When soldiers manning the tank proceed to shoot at people in a school, hospital, or any other civilian target such as energy infrastructure, they violate the Geneva Conventions, which establish legal standards for humanitarian treatment in war. Even then, achieving accountability and meeting the thresholds for the burden of proof are difficult enough, but at least there are concrete legal guardrails.

For cyberattacks, the rules are far less obvious. Ukraine offers a great case study because even before the tanks invaded in 2022, a barrage of digital attacks befell the country. Starting shortly after Russia’s illegal annexation of Crimea in 2014, a series of cyberattacks targeted Ukraine’s civilian infrastructure. In early 2022 DDoS attacks shut down websites of banks, and wiper malware was aimed at deleting crucial information in the hands of the Ukrainian government. All of this activity could be traced back to Russia, according to the U.K. government. Microsoft called the cyber component of Russia’s attack on Ukraine “destructive and relentless.”

And yet, many experts would say that Russia’s invasion did not begin until its troops crossed the border on February 24, 2022. Indeed, for the White House, cyberwarfare does not meet the threshold of war. General Paul Nakasone, the then-head of U.S. Cyber Command, said that the United States has used offensive cyber operations to take out Russian targets. But when a journalist asked a White House spokesperson whether his words implied the direct engagement of Russia, the answer was a firm no. 

The status of cyberattacks remains ambiguous in the context of war, and the growing role of such attacks as part of hybrid conflict has blurred existing boundaries between war and peace. In fact, a kind of “digital exceptionalism” is emerging. From a military perspective, the digital and physical worlds are treated differently. This is only possible by having different readings of the application of law in the context of cyberwarfare. Existing law can cover new forms of attacks, and both the EU and the UN have stated that rights apply online as they do offline. Yet it remains an open question as to how, exactly, to legally interpret the spectrum of attack methods and the damages they inflict. 

Notably, companies are playing an ever more critical role in this strange cyber dividing line between war and peace. Microsoft takes down state-sponsored malware across the world and refers to court orders to legitimize its actions; Google’s Threat Analysis Group, one of the company’s elite security operations, terminates YouTube channels for running coordinated influence operations and shuts down countless phishing operations targeting high-level officials and journalists. 

Cross-border operations involving private companies are a new reality that flows from the power of technology companies in building networks, scanning them for risks and defending them. But it is hard to square rule-of-law principles with giving companies a free hand to attack—under the guise of defense—networks all over the world.

One rising challenge in this space is “attribution,” which is the technical term for publicly labeling the perpetrators of a cyberattack. Attribution is the first step to accountability: After all, if we don’t know who waged an attack, we can’t attach consequences. Attribution is another area where vagueness and opacity are the norm and where private companies are often ahead of states. Companies have a privileged view of the risks to their own corporate networks, which frequently give them greater insights into cyberattacks than even government intelligence agencies can see. As a result, over the past few years, cybersecurity companies have frequently come out and pointed fingers at perpetrators, mostly specifying China, Russia, and Iran. 

However, this kind of commercial attribution should not be confused for public attribution conducted by democratic institutions. Beyond a blog post that “names and shames” the hackers, companies can do virtually nothing to punish the malicious cyber actors that they identify. Public attribution is far more important than commercial attribution because it unlocks the power of the state to hold attackers responsible and can reshape the state’s foreign policy based on the conclusion. Unfortunately, democratic nations—the ones with the material power to prosecute or punish—are far less likely to publicly blame perpetrators for attacks, often due to a lack of the necessary political will. 

But that might change soon. Ukrainian officials are preparing to hand over evidence of cyberattacks on civilian targets to the International Criminal Court, arguing that they amount to war crimes. According to Victor Zhora, chief digital transformation officer at Ukraine’s State Service of Special Communications and Information Protection, “When we observe the situation in cyberspace we notice some coordination between kinetic strikes and cyberattacks, and since the majority of kinetic attacks are originated against civilians—being a direct act of war crime—supportive actions in cyber can be considered as war crimes.” 

To end impunity, democracies should take the lead in creating accountability mechanisms for cyberspace, whether these are to try war crimes and acts of aggression or criminally motivated attacks. They must do this even though, inevitably, those mechanisms will limit the strategic options available to democratic governments. To date, however, democratic governments have themselves been reluctant to constrain their behavior in cyberspace. 

One recent episode from the White House amply illustrates the gray-area tactics that democratic governments have begun to view as regular tools in their arsenal. In the spring of 2022, the New York Times revealed that the United States had quietly removed malware from computer networks all over the world. The matter was sensitive enough that the U.S. attorney general, Merrick Garland, personally signed off on the global crime-fighting operation, backed by a secret court order.

The purpose of the operation, according to the White House, was to remove malware that allowed the Russian government to build botnets, massive networks of computers that can be controlled to act on command. The White House said it acted to prevent Russian state actors from abusing the botnets for geopolitical gains, and experts were anticipating Russia to intensify disruptions as part of their response to new sanctions from the international community over the invasion of Ukraine. While American officials were not yet sure how the Russians were planning on using them, they “did not want to wait to find out.” 

While the Times reports that the operation was carried out with help of foreign countries, few additional details have emerged. We don’t know where the malware was taken down—inside which company or inside which country. In fact, it is exceptional that this operation was revealed at all. In contrast to the movements of a tank or fighter jet, cyberoperations are less visible to the naked eye, and intelligence agencies would argue that to optimize the operational room for maneuvering around cyberattacks, secrecy is ideal.

But for democratic authorities to live up to the promise of rule-of-law mechanisms, solid forms of transparency and accountability are essential. The U.S. cross-border malware takedown illustrates one of the most contested areas in cyberoperations: offense as a means of defense in the digital world. This is another area in which the line between war and peace is extraordinarily gray. In 2018 the U.S. government articulated its Defend Forward strategy under President Donald Trump, which authorized the use of covert operations on China and Russia using digital weapons. President Joe Biden followed the same philosophy. Though Defend Forward gives the U.S. Department of Defense wide latitude to engage in operations to hinder or destroy the cyber capabilities of adversaries, the government has released little information about which operations have been deployed under this umbrella and whether they have been successful.

The contrast between this American offensive intervention in the cyber realm and its passive role in the kinetic Russian war against Ukraine is stark. In Ukraine, the U.S. swiftly drew the line of its involvement at NATO’s physical borders. American officials made clear that they did not want U.S. soldiers on the ground, nor did they support Ukrainian calls for a no-fly zone, for which the United States or NATO would have to engage Russian fighter jets. Instead, the Biden administration sent weapons to the Ukrainians to defend themselves. 

Beyond treating cyberattacks as distinct from kinetic attacks, democratic governments more generally adopt a posture of strategic ambiguity when it comes to cyber attacks. Basically, that tends to mean they refrain from clearly and predictably signaling how they may respond to a cyberattack or showcasing their capacities in the cyber realm. Some argue that this allows democratic states to keep all options on the table, offering maximum strategic and tactical room for maneuver. Others worry that strategic ambiguity masks the absence of a clear path forward. As Senator Mark Warner cautions, “The West may have wanted strategic ambiguity in this area, and that may still be the right choice. But have we sufficiently made clear to the Russians the red lines on cyber or frankly to the NATO public, the American public, the red lines on cyber? I don’t think we’ve done that.” 

A lot of democracies’ cyber policies are ad hoc and do not come with the types of mandates or oversight that other state operations involve. As a result, ethical and moral boundaries are frequently being stretched, setting a dangerous precedent.

The laws governing warfare need to be revamped for the digital world. The pace of digital disruption and the cross-border operations of technology companies have combined to make it difficult to know which, if any, rules and laws govern these actions and what, precisely, they require. This must change. While political responses to cyberattacks, such as targeted sanctions, are certainly the beginning of closing the accountability gap, they cannot replace the clarity of a legal framework or the efficacy of more conventional enforcement methods like prosecution. After all, states—including democratic ones—also need to be accountable.

As in regular, kinetic warfare, both an explicit mandate and a process for ensuring that state operations are run within the limits of the law are needed. Of course, that is not to suggest that strategic decisions should be planned in the open. In conventional war, while a parliamentary mandate is required in most democracies, the tactical detail is entirely at the discretion of the armed forces. 

But in order to respect the rule of law, the foundation on which operations are based should be explicit and accountable. As U.K. member of Parliament Jeremy Wright has argued, “The very pervasiveness of cyber makes silence from states on the boundaries of acceptable behavior in cyberspace unsustainable. If we stay silent, if we accept that the challenges posed by cyber technology are too great for the existing framework of international law to bear, that cyberspace will always be a gray area, a place of blurred boundaries, then we should expect cyberspace to continue to become a more dangerous place.”

By reserving room for flexibility and opening the door to private companies in cyberwar, democracies have ceded both their sovereignty and their commitment to the rule of law. From building platforms for conducting elections, to curating public access to information in app stores, to interfering in the front lines of war to decide who does and doesn’t get internet access, these companies and their leaders share or have even overtaken the responsibilities of the democratic state. 

Yet there are no elections for consumers to share thoughts on corporate policy; CEOs cannot be voted in (or out) by the public; C-SPAN doesn’t cover these companies’ internal deliberative processes. The decisions that they make in the public interest are locked behind the fortress of private-sector protections. And unless democracies begin to claw back their power from such companies, they will continue to experience the erosion of their sovereign power.

Marietje Schaake is a Fellow at Stanford’s Cyber Policy Center and at the Institute for Human-Centered AI. She is a columnist for the Financial Times and serves on a number of not-for-profit Boards as well as the UN’s High Level Advisory Body on AI. Between 2009-2019 she served as a Member of European Parliament where she worked on trade-, foreign- and tech policy.

Adapted from The Tech Coup: How to Save Democracy from Silicon Valley by Marietje Schaake. Copyright © 2024 by Marietje Schaake. Published by Princeton University Press. Reprinted by permission.