On May 13, 1972, the newly christened USS Nimitz slid down Slipway 11 of Newport News Shipbuilding and Dry Dock Co.,1 launching not just one ship but the largest class of warships ever built.2 Indeed, the Nimitz, at more than 1,000 feet long, was more: an advertisement for and indicator of American dominance in the entire scope of national security. The US government was the world’s largest player in technology and innovation; lawmakers in Washington, D.C., could set industry agendas through purchases, grants, and regulations.
Decades later, the global security environment has shifted. The Nimitz class of warships would remain the world’s largest for the next four decades,3 but they no longer served as the same metaphor for supreme federal power. Globally, commercial R&D spending eclipsed government levels,4 and democratizing technology meant that industrial decisions would now be driven by a host of different international public and private participants, each with differing agendas and incentives. When it comes to national security today, government is less an aircraft carrier than one ship—albeit a large ship—among many, with routes intersecting and crisscrossed with destinations varied.
Russia’s invasion of Ukraine has highlighted this trend toward a more disaggregated, interest-driven world, with a wide range of public- and private-sector organizations making independent decisions, each with an impact on military and security outcomes.
Shortly after Russia’s invasion of Ukraine, companies began to pull out of the Russian market,5 motivated not by any central security decision, such as a nation’s imposition of sanctions, but by the diverse pull of shareholders and customers overwhelmingly opposed to Russia’s actions and the business risk they believe resulted from Moscow’s choices.6 The trend of disaggregated action continued as the conflict evolved. For example, when attacks threatened Ukrainian communications infrastructure, Ukraine’s deputy prime minister tweeted an appeal to SpaceX, which moved quickly to provide Starlink internet service and terminals.7 The satellite-based technology’s ubiquity and jamming resistance helped Ukraine, in the words of an adviser to President Zelenskyy, “survive the most critical moments of war.”8 But the nation’s appeal to and reliance on the actions of a private company—one based thousands of miles away, no less—to bolster its national security put Ukraine in an awkward position where it had to consider the interests of a private sector actor to preserve a critical wartime capability.9
As governments around the world grapple with this trend, it is increasingly clear more collaboration with public and private participants is necessary to protect national security. Indeed, leaders are beginning to evolve new approaches and new tools to shape commercial partners’ incentives and protect public security.
The breaking down of these walls is creating perceptible shifts in how national security is achieved.
Once centrally controlled, security is now increasingly driven by the actions of disaggregated players. For example, military supplies traditionally flowed to foreign countries through a closely regulated sales process tightly controlled by ministries or departments of defense. But the increasing dual-use applicability of consumer technologies to military tasks means that suppliers increasingly have the opportunity to sell directly to militaries around the world. Defense ministries already purchase consumer-grade drones, hacking software, and more—SpaceX developed its Starlink internet system for consumers, not for Ukrainian national security.10
And if companies are free to do business with countries, they can choose not to do business as well. Traditional government tools such as economic sanctions or military blockades have long controlled the process of limiting a country’s markets to certain buyers, but corporations pulling out of Russia showed that the same effect could be achieved by individual companies electing—based on their own commercial interests—to no longer do business there.11 While the Russia pullouts happened to align with Western nations’ security goals, they raise the troubling issue of whether a government could influence, much less control, such actions if commercial incentives and national security interests pulled in opposite directions.
The intelligence space is confronting rising tensions between security needs and other potentially competing incentives. The proliferation of commercial satellite imagery, online data, and, especially, social media has given amateur analysts the tools to track even sensitive military radar systems in real-time while sitting at their kitchen tables.12 While internet detectives had used these tools to do everything from tracking warship deployments in the Syrian conflict to identifying those responsible for downing Malaysian Air flight 17, the Ukraine conflict focused fresh attention on the trend.13 In advance of Russia’s invasion, online communities were able to track and share details of Russian troop buildup and accurately predict the invasion’s movements.14 Once the invasion began, communities used social media posts and facial recognition to identify individual Russian service members serving in Ukraine,15 particular munitions used,16 and even members of a clandestine Russian military unit programming missile flight paths.17
Again, in all of these cases, the actions of these online sleuths aligned with key Western security goals. But there’s no guarantee that future independent initiatives will share those objectives.
The proliferation of players now acting in the security space means that government must adjust traditional roles to work within a more diverse ecosystem, often only able to exert influence—not control. In place of fixed rules set by a department of state or ministry of defense, each participant is often guided by their own unique, ever-shifting set of incentives: how they can make money, what sales and activities align with stated organizational values or brand, how certain contracts might conflict with others, and so on. The way a government agency is currently organized or equipped may not be suited to meet changing private-sector incentives.
Nowhere might this struggle between government roles and industry incentives be more visible than in cyberspace, where lines between sanctioned and freelance, legitimate and rogue, often blur. In April 2022, a Russian hacker group launched a ransomware attack on the government of Costa Rica, crippling the nation’s electric grid. As with previous cyberattacks on Brazil and Argentina, Costa Rica found itself in discussions and negotiations with other governments, private companies, and hackers to bring the issue to resolution.18
The conflict in Ukraine sounded a clarion call for online freelancers on all sides, guided largely by their own sense of right and wrong: Russia-backed hackers aimed to take down Ukrainian government websites; Western hackers targeted Russian sites and even Russia-backed hackers themselves.19 And this activity often occurred without state sanction and, thus, outside of any internationally agreed-upon principles of conduct.20 This type of behavior—which will likely become more common21—not only complicates attribution and response by other nations but can make these activities difficult for even an aligned state to control. What do you do if a hacker invokes your nation’s name in taking down a hospital, whether in an allied or enemy country? Are you legally responsible? Can an adversary legitimately encourage its own freelance hackers to respond?
Finding mechanisms to coordinate these disaggregated, interest-driven actions is key to solving or at least mitigating these difficult possibilities.
For government leaders looking to steer behaviors through a new set of incentives, the challenge is exacerbated by the ineffectiveness of many traditional tools. National security is increasingly tangled with economic and other considerations.
Take semiconductors, for instance. A critical component of electronic devices, from personal vehicles to fighter jets, semiconductor availability is vital to a country’s economic and national security. But their production is highly concentrated, with companies in Taiwan, the United States, China, and South Korea owning 84% of the global market share in assembly, testing, and packaging.22 Furthermore, just two regions—Taiwan and South Korea—manufacture nearly all advanced chips.23 This concentration creates supply chain chokepoints and vulnerabilities, which could leave entire industries and countries without access to semiconductors during heightened geopolitical tensions or other trade disruptions.24
As the COVID-19 pandemic and the Russian invasion of Ukraine disrupted a range of global supply chains, some governments moved to bolster or jumpstart domestic semiconductor industries: The European Union recently announced a €43 billion EU Chips Act with the aim of making the region self-sufficient in semiconductors, while the US government’s CHIPS Act laid out plans for more than US$52 billion in federal funding.25 Yet some governments—especially those without the means to stand up a new high-tech industry—may have little choice but to deal with an uncomfortably tenuous supply chain.
The promise of making national security more, well, secure—aligning the interconnected challenges of semiconductors, cybersecurity, and open-source intelligence, among other areas—demands tools more fine-grained than the blunt instruments of export controls and similar regulations. Agencies need agile tools that can inform and align private-sector interests and guide decisions without costly consequences for government or industry.
Efforts to shore up vulnerabilities have thus far focused on encouraging closer collaboration around shared interests. For example, the FY2023 US National Defense Authorization Act requires key government agencies to study how to build a more collaborative cyber information environment.26 The European Union has also doubled down on collaboration through Horizon Europe, a research and innovation program with particular emphasis on pressing transnational or regional issues, such as climate change and support to Ukraine. The program pays special attention to open-science policies and new approaches to partnerships with industry.27 It’s likely that governments and agencies will further expand such initiatives as national security ecosystems continue to sprawl.
Governments, often through law enforcement agencies, have traditionally taken the lead in investigating and preventing crime. But in the cyber domain, tech giants such as Google, which see a huge chunk of global internet traffic pass through their systems daily, are increasingly incentivized to take down wrongdoers.
Governments had long tracked the Glupteba botnet. Spread by tricking users into downloading malware via third-party “free download” sites; the malware would then steal user credentials and data, secretly mine cryptocurrencies on infected hosts, and use infected machines and routers to channel other people’s internet traffic.28 Glupteba posed a real and growing threat to not only victims’ finances but entire systems, both private and public.
Google took the initiative to study the extent of the problem and found that Glupteba had infected around one million devices worldwide and that hackers were using Google’s own services to distribute the malware. Google moved to shut it down. The company terminated around 63 million Google Docs, more than 1,000 Google accounts, and over 900 Google Cloud projects that hackers were using to distribute Glupteba. Google also worked with internet infrastructure companies worldwide to disrupt the botnet’s command-and-control infrastructure, preventing infected devices from receiving new commands from their controllers.29 And Google successfully sued two Russia-based hackers it alleged were behind Glupteba’s operations.30 The effort suggests how broad cybersecurity moves may be increasingly public-private partnerships.
A more disaggregated and interest-driven world means that government agencies and ministries cannot go it alone even when it comes to national security, a role topping any list of government responsibilities. Increasingly, governments must collaborate with a broad ecosystem that includes a wide variety of players—often quickly, with crises and events still developing—to advance national security outcomes. If that collaboration is well-managed, new and more effective security capabilities may emerge. Recommendations to establish and manage that collaboration include:
David Perry, PhD, president and senior analyst, Canadian Global Affairs Institute
The last few years have brought into sharp focus the tension between industry and government interests and the need to work together in response to a seemingly ever-shifting national security landscape. In Canada, we’ve seen the COVID-19 pandemic, supply chain issues, and Russia’s invasion of Ukraine stress government and industry’s capacity to respond to unexpected national security threats. Whether the goal is to quickly procure personal protective equipment to save lives during the pandemic or provide timely critical aid to Ukraine, government and industry tend to understand what a good solution looks like, but struggle to identify and align interests to realize it, at least at first.
This tends to stem from weak linkages between government and industry, leading to poor knowledge-sharing. Indeed, assumptions often underwrite too much of government and industry’s relationship: what industry may assume the government needs or government’s assumptions about the risks or vulnerabilities that might be influencing industry interests. This problem makes it difficult to identify shared interests, synchronize resources, and identify courses of action across the national security enterprise.
Strengthening industry and government linkages to align interests requires new forms of knowledge-sharing and collaboration. Improving knowledge-sharing requires better communication between government and industry, with particular focus on avoiding assumptions about what the other may know or need. A strong dialogue should include a process for quickly understanding what resources or solutions each can bring to a problem set and what each needs to offer additional solutions. Improving collaboration should include joint efforts to forecast national security needs, enabling government and industry to identify cross-sector solutions and any challenges that may impede a desired response. Improved collaboration should also include mechanisms to act before a forecast risk becomes real.
At the Canadian Global Affairs Institute, we’ve been working to prompt conversations on improving industry and government linkages. Our recent conference assessing defence procurement challenges, including rebuilding the industrial base and overcoming labor shortages, is one such example. We understand that as the national security environment changes, the relationship between industry and government will also change, and that they must make these changes together.
The Deloitte Center for Government Insights shares inspiring stories of government innovation, looking at what’s behind the adoption of new technologies and management practices. We produce cutting-edge research that guides public officials without burying them in jargon and minutiae, crystalizing essential insights in an easy-to-absorb format. Through research, forums, and immersive workshops, our goal is to provide public officials, policy professionals, and members of the media with fresh insights that advance an understanding of what is possible in government transformation.
Deloitte offers national security consulting and advisory
services to clients across the Department of Defense, the Department of
Homeland Security, the Department of Justice, and the intelligence
community. From cyber and logistics to data visualization and mission
analytics, personnel, and finance, we bring insights from our client
experience and research to drive bold and lasting results in the
national security and intelligence sector. Our people, ideas,
technology, and outcomes are all designed for impact.