Tech companies have gradually and informally assumed the role of international
lawmakers on global cybersecurity issues. But while it might seem as if the international
community and Internet users are the direct beneficiaries of private tech industries’ involvement
in making law, there are many questions about this endeavor that require a thorough
examination. The end goal and risks associated with such ventures are largely obscure
and unexplored.

This Article provides an analysis of how tech companies are effectively becoming
regulators on global cybersecurity, based on states’ inability to overcome geopolitical divides on
how cyberspace ought to be regulated globally. This Article looks primarily at three separate
proposals representing the larger trend of the privatization of cybersecurity law: the Digital
Geneva Convention, the Cyber Red Cross, and the Cybersecurity Tech Accord. These, as well
as other initiatives, reflect the gradual and uncontested assimilation of private tech companies
into the machinery of international lawmaking.

This Article argues that state governments, civil society organizations, Internet users,
and other stakeholders need to step back and carefully evaluate the dangers of ceding too much
lawmaking control and authority to the private tech sector. These private actors, while not yet
on an equal footing with states, are increasingly displacing states as they seek to create their own
privatized and unaccountable version of cybersecurity law.