Given the developments in the last ten or fifteen years of what is now called Cyber Security, we find that companies, and not national states, are the combatants in the actual cyber battlefield.
When General Keith B. Alexander took over as Director of the NSA, he put all the resources of that super-secret agency to serve the cybernetic control. The NSA was and is the largest buyer of Zero-Days and accumulates the largest arsenal of unknown programming defects.
General Alexander updated the massive eavesdropping and interception system the agency had to turn it into a system of sensors for monitoring all digital traffic and giving the alarm when telematics activities considered by them as “threatening” were detected.
Corporations are gaining importance in actual cyber scenarios.
NSA boasted of their secret know-how, but when the moment of truth arrived, most of the recipes were obsolete and were far less accurate / effective than they thought. In those same scenarios, which we call APTs, private companies can now get better results than government agencies.
To play and play hard in cyber security scenarios does not require as large amounts of money as the physical armaments industry requires. That is why the private sector has entered the scene from the very beginning and moves in it more freely than Lockheed Martin, Northrop Grumman, Raytheon, and Booz Allen Hamilton never did when they developed devices designed to kill and kill a lot.
Leadership in cyber security is not in the hands of nation states, at least in Western societies, but in the hands of companies that have had to learn on the fly how to defend themselves in all different and multiple attacks suffered over the years.
This lack of role of the states in cyberspace causes the proliferation of private companies that in the purest mercenary style are leading modern cyber offensive capabilities and selling products only usable for violating human rights and freedom of information.
In that scenario, nation states have failed in their mission to protect their citizens, so the Internet community governance may turn to a political model more typical of the Italian Renaissance or even the medieval Europe.
Quite another thing is whether those nation states act as attackers and their intelligence agencies become collectors of Business Intelligence. In that case, the economic capacity of the states far exceeds those of cybercrime gangs or hackers, and they will continue what criminals desist to do. States defend themselves badly but attack viciously either with their own means or by cyber fortune soldiers hired; in that last case, both citizens and companies are as lonely as David before Goliath.
With this background it is easy to understand that we face a new professional market where the classic image of hackers languishes and thousands of uniformed security information consultants emerge to defend the heritage of their employers and to attack the interests of the enemies or competitors of whom pay them.
The Cyberspace, or whatever we call it, is getting more and more enthralling. Facts are ahead of the capabilities of the society that suffers them, but even if we do not want to see this reality, it is not going to change.
Jorge Dávila