Information communication technologies (ICTs) are changing the private security sector in ways never seen before. Day after day, security companies are increasingly employing informatic tools useful to enhance their operational capacities.
In this post, Anne-Marie Buzatu, Executive Director of the ICT4Peace Foundation, exposes the essence and the most compelling findings of a recently published report on how the private security sector is using ICTs in the provision of security services.
Newspapers and social media platforms are brimming with tales reminiscent of science fiction novels: drones used to carry out surveillance, map territories and even fire ammunition, artificial intelligence systems that can “predict” the behavior of would-be criminals, robots that are providing perimeter and other security services and issuing citations when individuals litter or smoke in a prohibited place. While these stories tickle the imagination, they also indicate that a lot of tech is being used by a lot of companies in the provision of security services. However, setting aside the hype, what is less clear is how exactly ICTs are changing the private security sector.
This is what a recent mapping study supported by the Swiss Department of Federal Affairs Peace and Human Rights Division aimed to find out. In carrying out this study, ICT4Peace Foundation (ICT4Peace) was tasked with two overall objectives: 1) to understand and report on how ICTs are impacting the private security sector, and 2) to identify the consequential benefits and challenges to existing regulatory frameworks and standards, considering these through a human rights lens. The resulting “From Boots on the Ground to Bytes in Cyberspace: A Mapping Study on the Use of Information Communications Technologies (ICTs) in Security Services provided by Commercial Actors” (Mapping Study) endeavors to provide those answers.
Initial considerations and the research findings
When embarking on the Mapping Study, ICT4Peace initially approached the topic from the point of view of how traditional “boots on the ground” private security companies (PSCs) were using and integrating ICTs into their private security service offerings. However, desk research and review of PSC websites painted a different picture: in addition to traditional physical protection of persons, places and things, a significant percentage of ICoCA member companies were offering purely cybersecurity services, defined in the report protection of computers and other ICT-connected devices from cyberattacks. Interviews with experts ranging from civil society, to academic, to the private security sector confirmed this trend, but also added another wrinkle to the story: the increasing use of surveillance tech in security services. This includes technologies such as facial recognition and other biometrics capture, services such as open-source intelligence gathering and analysis, as well as the rise of so-called “cyber-mercenaries” selling products and services designed to retrieve detailed and often very personal information off of devices such as computers and smartphones.
These findings point to a clear conclusion: the private security sector has embraced and broadly integrated ICTs into its private security service offerings, providing upgraded and new kinds of security services that were not envisaged when the International Code of Conduct for Private Security Service Providers (ICoC) was developed thirteen years ago. Therefore, to fulfill its stated objectives, the scope and definition of a private security company and the services it provides need to be enlarged to capture these developments. Accordingly, the Mapping Study considers “private security services” through the lens of ICT-related products and services provided by commercial actors, which aim to defend against or respond to attacks, or other incidents related to (human) security, peace and stability, whether through physical or virtual means.
A deeper look at the research findings
Coming to the heart of the Mapping Study, the actual mapping first looks at ICoCA member companies, and then beyond at other companies which likely would not self-identify as private security companies, but which provide services that meet the above understanding of private security services. In so doing, it identifies 14 distinct offerings of commercial security services using ICTs:
- Video surveillance
- Security ISC/SCADA
- Location Tracking
- Access Control
- Security Apps
- Intelligence Services
- Automotive cybersecurity
- Health Care Security
- Cybersecurity Services
- Threat Assessment Services
- Surveillance Tech
- Big Data Analytics
Through research and interviews with ICoCA member companies, it was determined that at least 61 ICoCA member companies of the 89 companies reviewed, or 68.5%, provide at least one of the above services, the vast majority providing more than one of them.
Furthermore, the Mapping Study reveals a new take on human rights considerations that were not on the radar in 2010 that revolve primarily around how information and data are captured, saved, analyzed, bought and sold, with concerning impacts on individuals and societies. These include:
Invasions of privacy through the capture and analysis of huge amounts of digital information generated through sending emails/messages, browsing websites and posting on social media platforms, as well as data collection taken by sophisticated video surveillance cameras, which may employ facial and silhouette recognition technologies, as well as GPS location information, which may be collected from apps purposefully downloaded on smartphones.
Discrimination and inequality fostered by ICTs, which incorporate many of the same biases that are held by humans, or in the words of UN Special Rapporteur on Racism, Tendayi Achiume, they are “fundamentally shaped by the racial, ethnic, gender and other inequalities prevalent in society, and typically makes these inequalities worse.” This is particularly worrying with regard to Artificial Intelligence (AI), a fast-evolving technology that powers many data analytics applications, and which experts such as former co-lead of Google’s ethical AI team warn could “entrench existing inequalities, rather than help solve them.”
The impact of ICTs on freedom of expression, thought and opinion. In today’s information society, many communications and information exchanges take place on different digital platforms, including social media platforms, apps and email and messaging platforms. With powerful data analytics and sentiment analysis capabilities available on the market that can flag and follow postings and other online interactions, this contributes to a “Big Brother” mass surveillance ecosystem, which can have a chilling effect on freedom of thought, opinion and expression, discouraging free discourse and expression online and offline.
Furthermore, these are all impacted by a human rights concern that is not new for private security in the Information Age: the asymmetric nature of private security obligations. Private security providers’ obligations are owed to their client, and not to others in the general population with whom they may come into contact or who may be impacted when they are carrying out services such as surveillance, intelligence gathering or operating drones. This contrasts with public security officers who are tasked with providing (human) security as a public good to everyone.
The case of the Russian invasion of Ukraine on the use of ICTs
The advent of the Ukraine War during the research phase brought another dimension to the study. ICTs feature heavily in the conflict, including both as components of kinetic attacks and as key elements of Ukraine’s defense capabilities. Of note, two large and well-known companies are supporting Ukraine’s war efforts through providing ICT capabilities: Microsoft and Starlink.
As early as March 2021, well before Russia invaded Ukraine, Microsoft found signs that Russia-aligned threat groups were “pre-positioning for conflict” with an increase in cyberattacks, including through phishing campaigns, exploiting vulnerabilities in unpatched Microsoft Exchange servers, compromising other IT service providers in the supply-chain, and infiltrating the networks of Ukrainian energy and network providers. Furthermore, In January 2022 after diplomatic efforts failed to de-escalate tensions, Microsoft’s Threat Intelligence Center (MSTIC) found wiper malware or cyberattacks designed to erase all of a computer system’s data, in more than a dozen networks in Ukraine. Since the invasion of Ukraine began, Microsoft has been documenting a pattern of unconventional warfare in which cyberattacks precede kinetic attacks by a day or two. This certainly challenges traditional notions of armed attacks and may signal a more general shift in how attacks are carried out within the context of an armed conflict.
On 26 February 2022, two days after the Russian physical invasion of Ukraine, where a large swath of Ukraine’s internet services had been knocked out, Ukrainian Deputy Prime Minister Mykhailo Fedorov tweeted to Elon Musk, the CEO of Starlink (satellite provider of high-speed Internet operated by SpaceX), on Twitter. Thirteen hours later, Musk tweeted back.
Starlink service is now active in Ukraine. More terminals en route.— Elon Musk (@elonmusk) February 26, 2022
Two days later, on February 28, Fedorov posted a picture of him unboxing a Starlink modem.
As the two previous examples illustrate, ICTs have become intrinsically linked with both attacks as well as defense within the context of warfare, sometimes rendering the services of ICT companies essential for the conduct of and defense against hostilities. Despite their critical contributions to the war effort, companies such as Microsoft and Starlink are not typically identified as private (military) and security companies, and certainly would not fulfill the definitions for these companies contained in either the Montreux Document or the ICoC. This points to important governance gaps when it comes to the provision of private (military) and security services by companies using ICTs, requiring further action to bring existing regulatory frameworks up to date.
Fortunately, several other initiatives have grappled with similar governance and human rights challenges posed by private commercial actors that can provide guidance. These include the two Swiss initiatives for P(M)SCs: The Montreux Document and the ICoC, as well as other business and human rights initiatives, import-export frameworks as well as initiatives to promote responsible (State) behavior in cyberspace. As discussed in the Mapping Study, these initiatives have engineered a number of innovative mechanisms that translate human rights and humanitarian law standards formats that are adapted to the operations of commercial actors. There is no need to reinvent the wheel, so a more detailed analysis of good practices of and lessons learned from these initiatives would provide guidance for filling governance gaps and help to ensure that these companies contribute to, rather than undermine, (human) security.
Looking forward, a process to improve governance and oversight of the use of ICTs in private (military) and security services should include the following steps:
- Identify gaps in existing relevant norms and standards
- Update existing regulatory frameworks
- Develop robust oversight and remedial processes
- Coordinate it through a multistakeholder platform, including companies, governments, civil society, technical, academic, and other experts
- Develop Capacity-Building for relevant stakeholders
As a final note, the findings of the Mapping Study raise more human rights concerns than originally expected, reflecting both the journey of the study as well as the evolution of the understanding of what makes us secure to include ICTs. It is hoped that the Mapping Study raises more awareness about how ICTs are being used, and the associated human rights and societal impacts, so that legal and governance frameworks can be updated in such a manner to mitigate negative impacts and realize the enormous potentials of ICTs for good.
The views and opinions presented in this article belong solely to the author(s) and do not necessarily represent the stance of the International Code of Conduct Association (ICoCA).