Not a full post, but a pointer to a recent commentary I co-wrote with my War Studies colleague Michael Genkin. You can read the full article on Lawfare here. Michael and I were keen to explore the implications of a really interesting Sophos write-up from late last year (read the Sophos reporting here), which outlined the company's multi-year campaign to thwart determined threat activity targeting its network firewall devices.
I had been thinking recently, particularly since the National Cyber Force’s 2023 paper (Responsible Cyber Power in Practice), about the role of strategic communications and public shaping of narratives in cyber statecraft. Questions like: which audiences are being targeted with this report/paper/etc.? What are the intended communication outcomes? Is this communication a one-off, or intended as part of a campaign? How do you measure the effectiveness of a campaign aimed at, for example, fostering responsible cyber behaviour?
Michael and I were discussing these themes and the ways in which private companies can contribute to these debates. We thought that Sophos's reporting resonated in interesting ways with the predominantly state-centric debate about "responsible cyber" behaviour/power (delete as applicable). The overlap and interaction between public and private sector contributions to this debate is something that merits follow-up.
But the Sophos example is interesting in its own right, not simply because of its cross-over with state-centric narratives about responsible cyber. We thought it showed a commendable level of transparency and detail. In the Lawfare piece, we argue that the Sophos reporting develops our understanding of what can be regarded as in scope for counter-cyber operations, and serves as an example of corporate norm entrepreneurship for accountable and responsible behaviour. The Sophos case is an interesting example of an effort to shape norms by publicly elaborating on operational experience.