Should Investors Trust U.S.'s 'Trusted Partners' Cyberspying?

Last week's revelations about government Internet snooping raised the question of whether U.S. companies have an ethical obligation not to spy on their users. Today's story by Bloomberg News's Michael Riley presents a new question: should we be upset that companies voluntarily assist U.S. cyber-attacks on other countries?

Under what's called the "trusted partners" program, thousands of American corporations, including Internet and technology companies, hardware and software makers, banks and Web security providers, are voluntarily turning over sensitive information to U.S. national security agencies, Riley reported. In return, U.S. companies get favors from the government, ranging from a pat on the back to access to classified intelligence about issues affecting their businesses.

The government can use that information to infiltrate or attack the computers of foreign governments or other organizations. For example, Microsoft tells American intelligence agencies about bugs in its software programs before they're fixed, which lets the government exploit the flaws. One tech executive called the data voluntarily provided to the government "highly offensive" in value.

After last week's news that the National Security Agency is tracking Americans' e-mails and phone calls, there's a temptation to view this latest story in the same vein of conspiracy and government overreach. But the data being shared don't include the private communications of the companies' customers, according to Riley's sources.

Nor is it clear that U.S. companies are in breach of any ethical obligations by voluntarily cooperating with national security officials. (There's no allegation of a breach of the law, or of customers' privacy.) You could argue that companies such as Microsoft shouldn't aid attacks on foreign governments, but the principle behind that view looks more like pacifism than any clear reading of business ethics.

If these revelations raise new worries, they're for shareholders. By allying with the U.S. government to enable cyberattacks on other countries, these companies become participants in those conflicts, and so may be at greater risk of retaliation by the organizations the U.S. targets. Submitting to legally binding demands for data is one thing; signing up as a voluntary member of the country's cybersecurity forces is another.

Executives may conclude those risks are outweighed by the business value of whatever they get in return, or they may feel they're doing their patriotic duty. Either way, because of the secretive nature of these arrangements, shareholders aren't aware of that decision, let alone given the chance to sign off on it. The dilemma increases in the case of foreign investors, who may own shares in companies that are helping to undermine their countries' cyberdefenses. And some shareholders may simply prefer that executives stick to the job of running their companies, not role-play in a John le Carre novel.

Getting into bed with the national-security apparatus raises questions about the appropriateness of executives choosing to play in an arena they may not understand, with consequences they might not be able to predict, and without the knowledge of their shareholders. The tradeoffs may be worth it, but in these early days of cyberwarfare it isn't clear how anyone can say so with confidence.

(Christopher Flavelle is a member of the Bloomberg View editorial board. Follow him on Twitter.)
