Trend in action
The breaking down of these walls is creating perceptible shifts in how national security is achieved.
Shift from central control to disaggregated action
Once centrally controlled, security is now increasingly driven by the actions of disaggregated players. For example, military supplies traditionally flowed to foreign countries through a closely regulated sales process tightly controlled by ministries or departments of defense. But the increasing dual-use applicability of consumer technologies to military tasks means that suppliers increasingly have the opportunity to sell directly to militaries around the world. Defense ministries already purchase consumer-grade drones, hacking software, and more—SpaceX developed its Starlink internet system for consumers, not for Ukrainian national security.10
And if companies are free to do business with countries, they can choose not to do business as well. Traditional government tools such as economic sanctions or military blockades have long controlled the process of limiting a country’s markets to certain buyers, but corporations pulling out of Russia showed that the same effect could be achieved by individual companies electing—based on their own commercial interests—to no longer do business there.11 While the Russia pullouts happened to align with Western nations’ security goals, they raise the troubling issue of whether a government could influence, much less control, such actions if commercial incentives and national security interests pulled in opposite directions.
The intelligence space is confronting rising tensions between security needs and other potentially competing incentives. The proliferation of commercial satellite imagery, online data, and, especially, social media has given amateur analysts the tools to track even sensitive military radar systems in real-time while sitting at their kitchen tables.12 While internet detectives had used these tools to do everything from tracking warship deployments in the Syrian conflict to identifying those responsible for downing Malaysian Air flight 17, the Ukraine conflict focused fresh attention on the trend.13 In advance of Russia’s invasion, online communities were able to track and share details of Russian troop buildup and accurately predict the invasion’s movements.14 Once the invasion began, communities used social media posts and facial recognition to identify individual Russian service members serving in Ukraine,15 particular munitions used,16 and even members of a clandestine Russian military unit programming missile flight paths.17
Again, in all of these cases, the actions of these online sleuths aligned with key Western security goals. But there’s no guarantee that future independent initiatives will share those objectives.
The clash of familiar roles and shifting interests
The proliferation of players now acting in the security space means that government must adjust traditional roles to work within a more diverse ecosystem, often only able to exert influence—not control. In place of fixed rules set by a department of state or ministry of defense, each participant is often guided by their own unique, ever-shifting set of incentives: how they can make money, what sales and activities align with stated organizational values or brand, how certain contracts might conflict with others, and so on. The way a government agency is currently organized or equipped may not be suited to meet changing private-sector incentives.
Nowhere might this struggle between government roles and industry incentives be more visible than in cyberspace, where lines between sanctioned and freelance, legitimate and rogue, often blur. In April 2022, a Russian hacker group launched a ransomware attack on the government of Costa Rica, crippling the nation’s electric grid. As with previous cyberattacks on Brazil and Argentina, Costa Rica found itself in discussions and negotiations with other governments, private companies, and hackers to bring the issue to resolution.18
The conflict in Ukraine sounded a clarion call for online freelancers on all sides, guided largely by their own sense of right and wrong: Russia-backed hackers aimed to take down Ukrainian government websites; Western hackers targeted Russian sites and even Russia-backed hackers themselves.19 And this activity often occurred without state sanction and, thus, outside of any internationally agreed-upon principles of conduct.20 This type of behavior—which will likely become more common21—not only complicates attribution and response by other nations but can make these activities difficult for even an aligned state to control. What do you do if a hacker invokes your nation’s name in taking down a hospital, whether in an allied or enemy country? Are you legally responsible? Can an adversary legitimately encourage its own freelance hackers to respond?
Finding mechanisms to coordinate these disaggregated, interest-driven actions is key to solving or at least mitigating these difficult possibilities.
This shift challenges traditional tools
For government leaders looking to steer behaviors through a new set of incentives, the challenge is exacerbated by the ineffectiveness of many traditional tools. National security is increasingly tangled with economic and other considerations.
Take semiconductors, for instance. A critical component of electronic devices, from personal vehicles to fighter jets, semiconductor availability is vital to a country’s economic and national security. But their production is highly concentrated, with companies in Taiwan, the United States, China, and South Korea owning 84% of the global market share in assembly, testing, and packaging.22 Furthermore, just two regions—Taiwan and South Korea—manufacture nearly all advanced chips.23 This concentration creates supply chain chokepoints and vulnerabilities, which could leave entire industries and countries without access to semiconductors during heightened geopolitical tensions or other trade disruptions.24
As the COVID-19 pandemic and the Russian invasion of Ukraine disrupted a range of global supply chains, some governments moved to bolster or jumpstart domestic semiconductor industries: The European Union recently announced a €43 billion EU Chips Act with the aim of making the region self-sufficient in semiconductors, while the US government’s CHIPS Act laid out plans for more than US$52 billion in federal funding.25 Yet some governments—especially those without the means to stand up a new high-tech industry—may have little choice but to deal with an uncomfortably tenuous supply chain.
The promise of making national security more, well, secure—aligning the interconnected challenges of semiconductors, cybersecurity, and open-source intelligence, among other areas—demands tools more fine-grained than the blunt instruments of export controls and similar regulations. Agencies need agile tools that can inform and align private-sector interests and guide decisions without costly consequences for government or industry.
Efforts to shore up vulnerabilities have thus far focused on encouraging closer collaboration around shared interests. For example, the FY2023 US National Defense Authorization Act requires key government agencies to study how to build a more collaborative cyber information environment.26 The European Union has also doubled down on collaboration through Horizon Europe, a research and innovation program with particular emphasis on pressing transnational or regional issues, such as climate change and support to Ukraine. The program pays special attention to open-science policies and new approaches to partnerships with industry.27 It’s likely that governments and agencies will further expand such initiatives as national security ecosystems continue to sprawl.