The lines between civilian and military are increasingly blurred, creating ambiguity under international law when private contractors engage in offensive cyber-security operations on behalf of states. These private security companies (PSCs) are being contracted for cyber security to engage in offensive cyber operations.
States should not contract PSCs for offensive cyber operations. Recognizing the benefits of cybersecurity contracting, a transparent distinction should be established between PSCs and state militaries, whereby private actors would only be involved in defensive and supportive operations.
The North Atlantic Treaty Organization (NATO) is in a prime position to implement a contracting protocol that delineates appropriate classifications for the tasks and personnel required for private cyber-security contracts. Establishing an oversight organization and submitting a proposal to the International Law Commission (ILC) to consider the roles of private security actors would create greater transparency and accountability for contracting.