Privatized Cybersecurity Law

Tech companies have gradually and informally assumed the role of international lawmakers on global cybersecurity issues. But while it might seem as if the international community and Internet users are the direct beneficiaries of private tech industries’ involvement in making law, there are many questions about this endeavor that require a thorough examination. The end goal and risks associated with such ventures are largely obscure and unexplored. This Article provides an analysis of how tech companies are effectively becoming regulators on global cybersecurity, based on states’ inability to overcome geopolitical divides on how cyberspace ought to be regulated globally. This Article looks primarily at three separate proposals representing the larger trend of the privatization of cybersecurity law: the Digital Geneva Convention, the Cyber Red Cross, and the Cybersecurity Tech Accord. These, as well as other initiatives, reflect the gradual and uncontested assimilation of private tech companies into the machinery of international lawmaking. This Article argues that state governments, civil society organizations, Internet users, and other stakeholders need to step back and carefully evaluate the dangers of ceding too much lawmaking control and authority to the private tech sector. These private actors, while not yet on an equal footing to states, are increasingly displacing states as they seek to create their own privatized and unaccountable version of cybersecurity law.