A Framework for the Global Governance of Private Cybersecurity Companies

Policy Brief Shaun Riordan, Mario Torres Jarrín, Alejandro Garofali Acosta

This Policy Brief was first published in https://t20ind.org

Private cybersecurity companies (PCSCs) have developed cyber capabilities significantly greater than those of many governments, including members of the G20. These capabilities focus on protecting the computer systems of their clients and undertaking forensic investigation to attribute responsibility for cyberattacks. However, without proper oversight, such attributions may also exert unhelpful influence on governments, weakening their response to cyberattacks. While PCSCs currently limit their activities to passive cyber defence, the pressure to move into more active forms of cyber defence could lead them to offer cyber offense capabilities to their public and private sector clients. This would pose serious threats to internet stability and international peace, and impact human rights, security, and the rule of law. The G20 should task a commission with exploring PCSCs’ current and future activities, the need for regulation, and how to strengthen government cybersecurity capabilities at the global level, particularly in developing countries. The commission’s report should help the G20 develop a Cybersecurity Action Plan to promote responsible and accountable private cybersecurity practices.