United States
Canada
United States
India
On May 13, 1972, the newly christened USS Nimitz slid down Slipway 11 of Newport News Shipbuilding and Dry Dock Co.,1 launching not just one ship but the largest class of warships ever built.2 Indeed, the Nimitz, at more than 1,000 feet long, was more: an advertisement for and indicator of American dominance in the entire scope of national security. The US government was the world’s largest player in technology and innovation; lawmakers in Washington, D.C., could set industry agendas through purchases, grants, and regulations.
Decades later, the global security environment has shifted. The Nimitz class of warships would remain the world’s largest for the next four decades,3 but they no longer served as the same metaphor for supreme federal power. Globally, commercial R&D spending eclipsed government levels,4 and democratizing technology meant that industrial decisions would now be driven by a host of different international public and private participants, each with differing agendas and incentives. When it comes to national security today, government is less an aircraft carrier than one ship—albeit a large ship—among many, with routes intersecting and crisscrossed with destinations varied.
Russia’s invasion of Ukraine has highlighted this trend toward a more disaggregated, interest-driven world, with a wide range of public- and private-sector organizations making independent decisions, each with an impact on military and security outcomes.
Shortly after Russia’s invasion of Ukraine, companies began to pull out of the Russian market,5 motivated not by any central security decision, such as a nation’s imposition of sanctions, but by the diverse pull of shareholders and customers overwhelmingly opposed to Russia’s actions and the business risk they believe resulted from Moscow’s choices.6 The trend of disaggregated action continued as the conflict evolved. For example, when attacks threatened Ukrainian communications infrastructure, Ukraine’s deputy prime minister tweeted an appeal to SpaceX, which moved quickly to provide Starlink internet service and terminals.7 The satellite-based technology’s ubiquity and jamming resistance helped Ukraine, in the words of an adviser to President Zelenskyy, “survive the most critical moments of war.”8 But the nation’s appeal to and reliance on the actions of a private company—one based thousands of miles away, no less—to bolster its national security put Ukraine in an awkward position where it had to consider the interests of a private sector actor to preserve a critical wartime capability.9
As governments around the world grapple with this trend, it is increasingly clear more collaboration with public and private participants is necessary to protect national security. Indeed, leaders are beginning to evolve new approaches and new tools to shape commercial partners’ incentives and protect public security.
The breaking down of these walls is creating perceptible shifts in how national security is achieved.
Once centrally controlled, security is now increasingly driven by the actions of disaggregated players. For example, military supplies traditionally flowed to foreign countries through a closely regulated sales process tightly controlled by ministries or departments of defense. But the increasing dual-use applicability of consumer technologies to military tasks means that suppliers increasingly have the opportunity to sell directly to militaries around the world. Defense ministries already purchase consumer-grade drones, hacking software, and more—SpaceX developed its Starlink internet system for consumers, not for Ukrainian national security.10
And if companies are free to do business with countries, they can choose not to do business as well. Traditional government tools such as economic sanctions or military blockades have long controlled the process of limiting a country’s markets to certain buyers, but corporations pulling out of Russia showed that the same effect could be achieved by individual companies electing—based on their own commercial interests—to no longer do business there.11 While the Russia pullouts happened to align with Western nations’ security goals, they raise the troubling issue of whether a government could influence, much less control, such actions if commercial incentives and national security interests pulled in opposite directions.
The intelligence space is confronting rising tensions between security needs and other potentially competing incentives. The proliferation of commercial satellite imagery, online data, and, especially, social media has given amateur analysts the tools to track even sensitive military radar systems in real-time while sitting at their kitchen tables.12 While internet detectives had used these tools to do everything from tracking warship deployments in the Syrian conflict to identifying those responsible for downing Malaysian Air flight 17, the Ukraine conflict focused fresh attention on the trend.13 In advance of Russia’s invasion, online communities were able to track and share details of Russian troop buildup and accurately predict the invasion’s movements.14 Once the invasion began, communities used social media posts and facial recognition to identify individual Russian service members serving in Ukraine,15 particular munitions used,16 and even members of a clandestine Russian military unit programming missile flight paths.17
Again, in all of these cases, the actions of these online sleuths aligned with key Western security goals. But there’s no guarantee that future independent initiatives will share those objectives.
The proliferation of players now acting in the security space means that government must adjust traditional roles to work within a more diverse ecosystem, often only able to exert influence—not control. In place of fixed rules set by a department of state or ministry of defense, each participant is often guided by their own unique, ever-shifting set of incentives: how they can make money, what sales and activities align with stated organizational values or brand, how certain contracts might conflict with others, and so on. The way a government agency is currently organized or equipped may not be suited to meet changing private-sector incentives.
Nowhere might this struggle between government roles and industry incentives be more visible than in cyberspace, where lines between sanctioned and freelance, legitimate and rogue, often blur. In April 2022, a Russian hacker group launched a ransomware attack on the government of Costa Rica, crippling the nation’s electric grid. As with previous cyberattacks on Brazil and Argentina, Costa Rica found itself in discussions and negotiations with other governments, private companies, and hackers to bring the issue to resolution.18
The conflict in Ukraine sounded a clarion call for online freelancers on all sides, guided largely by their own sense of right and wrong: Russia-backed hackers aimed to take down Ukrainian government websites; Western hackers targeted Russian sites and even Russia-backed hackers themselves.19 And this activity often occurred without state sanction and, thus, outside of any internationally agreed-upon principles of conduct.20 This type of behavior—which will likely become more common21—not only complicates attribution and response by other nations but can make these activities difficult for even an aligned state to control. What do you do if a hacker invokes your nation’s name in taking down a hospital, whether in an allied or enemy country? Are you legally responsible? Can an adversary legitimately encourage its own freelance hackers to respond?
Finding mechanisms to coordinate these disaggregated, interest-driven actions is key to solving or at least mitigating these difficult possibilities.
For government leaders looking to steer behaviors through a new set of incentives, the challenge is exacerbated by the ineffectiveness of many traditional tools. National security is increasingly tangled with economic and other considerations.
Take semiconductors, for instance. A critical component of electronic devices, from personal vehicles to fighter jets, semiconductor availability is vital to a country’s economic and national security. But their production is highly concentrated, with companies in Taiwan, the United States, China, and South Korea owning 84% of the global market share in assembly, testing, and packaging.22 Furthermore, just two regions—Taiwan and South Korea—manufacture nearly all advanced chips.23 This concentration creates supply chain chokepoints and vulnerabilities, which could leave entire industries and countries without access to semiconductors during heightened geopolitical tensions or other trade disruptions.24
As the COVID-19 pandemic and the Russian invasion of Ukraine disrupted a range of global supply chains, some governments moved to bolster or jumpstart domestic semiconductor industries: The European Union recently announced a €43 billion EU Chips Act with the aim of making the region self-sufficient in semiconductors, while the US government’s CHIPS Act laid out plans for more than US$52 billion in federal funding.25 Yet some governments—especially those without the means to stand up a new high-tech industry—may have little choice but to deal with an uncomfortably tenuous supply chain.
The promise of making national security more, well, secure—aligning the interconnected challenges of semiconductors, cybersecurity, and open-source intelligence, among other areas—demands tools more fine-grained than the blunt instruments of export controls and similar regulations. Agencies need agile tools that can inform and align private-sector interests and guide decisions without costly consequences for government or industry.
Efforts to shore up vulnerabilities have thus far focused on encouraging closer collaboration around shared interests. For example, the FY2023 US National Defense Authorization Act requires key government agencies to study how to build a more collaborative cyber information environment.26 The European Union has also doubled down on collaboration through Horizon Europe, a research and innovation program with particular emphasis on pressing transnational or regional issues, such as climate change and support to Ukraine. The program pays special attention to open-science policies and new approaches to partnerships with industry.27 It’s likely that governments and agencies will further expand such initiatives as national security ecosystems continue to sprawl.
Governments, often through law enforcement agencies, have traditionally taken the lead in investigating and preventing crime. But in the cyber domain, tech giants such as Google, which see a huge chunk of global internet traffic pass through their systems daily, are increasingly incentivized to take down wrongdoers.
Governments had long tracked the Glupteba botnet. Spread by tricking users into downloading malware via third-party “free download” sites; the malware would then steal user credentials and data, secretly mine cryptocurrencies on infected hosts, and use infected machines and routers to channel other people’s internet traffic.28 Glupteba posed a real and growing threat to not only victims’ finances but entire systems, both private and public.
Google took the initiative to study the extent of the problem and found that Glupteba had infected around one million devices worldwide and that hackers were using Google’s own services to distribute the malware. Google moved to shut it down. The company terminated around 63 million Google Docs, more than 1,000 Google accounts, and over 900 Google Cloud projects that hackers were using to distribute Glupteba. Google also worked with internet infrastructure companies worldwide to disrupt the botnet’s command-and-control infrastructure, preventing infected devices from receiving new commands from their controllers.29 And Google successfully sued two Russia-based hackers it alleged were behind Glupteba’s operations.30 The effort suggests how broad cybersecurity moves may be increasingly public-private partnerships.
A more disaggregated and interest-driven world means that government agencies and ministries cannot go it alone even when it comes to national security, a role topping any list of government responsibilities. Increasingly, governments must collaborate with a broad ecosystem that includes a wide variety of players—often quickly, with crises and events still developing—to advance national security outcomes. If that collaboration is well-managed, new and more effective security capabilities may emerge. Recommendations to establish and manage that collaboration include:
David Perry, PhD, president and senior analyst, Canadian Global Affairs Institute
The last few years have brought into sharp focus the tension between industry and government interests and the need to work together in response to a seemingly ever-shifting national security landscape. In Canada, we’ve seen the COVID-19 pandemic, supply chain issues, and Russia’s invasion of Ukraine stress government and industry’s capacity to respond to unexpected national security threats. Whether the goal is to quickly procure personal protective equipment to save lives during the pandemic or provide timely critical aid to Ukraine, government and industry tend to understand what a good solution looks like, but struggle to identify and align interests to realize it, at least at first.
This tends to stem from weak linkages between government and industry, leading to poor knowledge-sharing. Indeed, assumptions often underwrite too much of government and industry’s relationship: what industry may assume the government needs or government’s assumptions about the risks or vulnerabilities that might be influencing industry interests. This problem makes it difficult to identify shared interests, synchronize resources, and identify courses of action across the national security enterprise.
Strengthening industry and government linkages to align interests requires new forms of knowledge-sharing and collaboration. Improving knowledge-sharing requires better communication between government and industry, with particular focus on avoiding assumptions about what the other may know or need. A strong dialogue should include a process for quickly understanding what resources or solutions each can bring to a problem set and what each needs to offer additional solutions. Improving collaboration should include joint efforts to forecast national security needs, enabling government and industry to identify cross-sector solutions and any challenges that may impede a desired response. Improved collaboration should also include mechanisms to act before a forecast risk becomes real.
At the Canadian Global Affairs Institute, we’ve been working to prompt conversations on improving industry and government linkages. Our recent conference assessing defence procurement challenges, including rebuilding the industrial base and overcoming labor shortages, is one such example. We understand that as the national security environment changes, the relationship between industry and government will also change, and that they must make these changes together.
U.S. Carriers, “USS NIMITZ CVN 68,” accessed December 15, 2022.
View in ArticleNaval Technology, “Nimitz Class Aircraft Carrier,” January 6, 2020.
View in ArticleShamseer Mambra, “USS Nimitz: One of the biggest war ships in the world,” Marine Insight, August 7, 2011; Naval Technology, “Nimitz class aircraft carriers,” January 6, 2020.
View in ArticleRebecca Mandt, Kushal Seetharam, and Chung Hon Michael Cheng, Federal R&D funding: the bedrock of national innovation, MIT Science Policy Review, August 20, 2020, pp. 44-54.
View in ArticleIrina Ivanova and Kate Gibson, “These are the companies that have pulled out of Russia since its invasion of Ukraine,” CBS News, March 11, 2022; New York Times, “Companies are getting out of Russia, sometimes at a cost,” October 14, 2022.
View in ArticleJeff Foust, “SpaceX worked for weeks to begin Starlink service in Ukraine,” SpaceNews, March 8, 2022; Minda Zetlin, “Here’s the untold story of how a single tweet to Elon Musk changed history,” Inc.com, March 26, 2022.
View in ArticleMatt Binder, “Providing Starlink to Ukraine was Elon Musk’s biggest PR victory. Now he doesn’t even want to do that,” Mashable, October 14, 2022.
View in ArticleNicholas Gordon, “Chinese drone maker DJI has suspended sales in both Ukraine and Russia, where its consumer tech was deployed in war,” Fortune, April 27, 2022; Mark Mazzetti, Ronen Bergman, and Matina Stevis-Gridneff, “How the global spyware industry spiraled out of control,” New York Times, December 10, 2022.
View in ArticleBelinda Luscombe, “Hundreds of CEOs came out against Russia. Their involvement could change war forever,” Time, March 11, 2022.
View in ArticleKarl Vick, “Bellingcat’s Eliot Higgins explains why Ukraine is winning the information war,” Time, March 9, 2022.
View in ArticleThomas Eydoux, “Meet the anonymous internet investigators tracking Russian movements on the Ukrainian border,” The Observers, February 10, 2022.
View in ArticleTom Simonite, “Online sleuths are using face recognition to ID Russian soldiers,” Wired, March 10, 2022.
View in ArticleJanosch Deeg, “How Bellingcat investigators verified the brutal use of cluster munitions in Ukraine,” Scientific American, March 18, 2022.
View in ArticleChristo Grozev, “The remote control killers behind Russia’s cruise missile strikes on Ukraine,” Bellingcat, October 24, 2022.
View in ArticlePaul Brian, “Ransomware hackers declare total war on Costa Rica,” National Interest, May 22, 2022.
View in ArticleCarmela Chirinos, “Russian hackers started a vigilante cyber militia to take down Ukraine’s websites and steal data,” Fortune, February 25, 2022; Reuters, “Russian ministry website appears hacked; RIA reports users data protected,” June 5, 2022.
View in ArticleSimon Handler and Liv Rowley, “The 5x5—cybercrime and national security,” Atlantic Council, June 29, 2022; Lucas Ropek, “Are hackers targeting critical infrastructure more often?”, Government Technology, March 3, 2020.
View in ArticleSaif M. Khan, Alexander Mann, and Dahlia Peterson, "The Semiconductor Supply Chain: Assessing National Competitivenessk," Center for Security and Emerging Technology, January 2021.
View in ArticleDeloitte Center for Government Insights, Boosting resilience: Working with like-minded partners to orchestrate critical supply chains, Deloitte, 2022.
View in ArticleMelanie Rojas et al., Reshoring and “friendshoring” supply chains, Deloitte Insights, March 24, 2022.
View in ArticleEuropean Commission, “European Chips Act—questions and answers,” February 8, 2022.
View in ArticleNihal Krishan, “NDAA requires intelligence agencies to study creation of cyber collaboration program,” FedScoop, December 8, 2022.
View in ArticleEuropean Commission, “Horizon Europe,” accessed December 20, 2022.
View in ArticleShane Huntley and Lucy Nagy, “Disrupting the Glupteba operation,” Google Blog, December 07, 2021.
View in ArticleGerrit De Vynck, “Google disrupted a massive botnet that hackers used to steal information and mine cryptocurrency,” Washington Post, December 7, 2021.
View in ArticleRoyal Hansen and Halimah DeLaine Prado, “A ruling in our legal case against the Glupteba botnet,” Google, November 18, 2022.
View in ArticleWilliam D. Eggers and Donald Kettl, Bridgebuilders: How Government Can Transcend Boundaries to Solve Big Problems (Cambridge MA: Harvard Business Review Press, 2023).
View in ArticleThe authors thank Joe Mariani for his insights and thoughtful feedback on the draft. They would also like to thank Meenakshi Venkateswaran for helping design the infographics of the article.
Cover image by: Natalie Pfaff
