The cyber security industry is growing. Estimates suggest the global market is currently worth $162.5 billion (USD) with common trajectories suggesting further and significant expansion over the coming years (Quince Market Insights, 2021; see also Grand View Research, 2021). There is increased spending from governments, businesses, and general consumers on cyber security, and even organised crime networks appear to be investing and spending more on cyber security strategies (see Cox, 2019, 2020a; Hamilton, 2019). It is clear that commercial cyber security activities are growing in size, scope and revenue, in addition to gaining increasing social importance.

This paper therefore provides a number of conceptual reflections on this development and outlines the need for critical social inquiry into the buying and selling of cyber security. The chief purpose of this paper is to consider commercial markets for cyber security as a form of private security. Despite the significant growth in the cyber security industry and its escalating relevance to wider society, the broader literature on private security has only begun to contemplate cybersecurity as ‘private security’ (see Button, 2020). To date the focus has largely been on explorations of ‘public–private partnerships’ in cyber security (Bossong & Wagner, 2017; Carr, 2016; Christensen & Petersen, 2017) and discussions of the competing and shared authority of private and state authorities (Cavelty, 2015), in addition to discussions of ‘cyber security assemblages’ (Collier, 2018). With the exception of Button (2020), however, there has yet to be a dedicated effort to consider commercial cyber security provision as a major part of the twenty-first century private security industry, or to recognise that the practice of cyber security is now a major component of ‘private security regimes’ (Dupont, 2014).

Considering the cyber security industry as a part of the private security industry and thinking about the commodification of ‘cyber security’ raises an important set of questions around the buying and selling of cyber security and whether it should be considered ‘troubling’ (Loader et al., 2014) or controversial in the same way that ‘conventional’ private security can be. Notably, the ‘conventional’ private security industry and its associated practices of buying and selling security has been extensively critiqued, explored and scrutinised by scholars (see Shearing & Stenning, 1981, 1983; Loader, 1997; Zedner, 2003, 2006; Prenzler et al., 2009; White, 2010; Abrahamsen & Leander, 2016). Analysis of the private security industry has focused on what Gibson (2007: 2) refers to as its “tarnished reputation” or discussing it as a “tainted trade” (Loader et al., 2014: 469). Scholars have highlighted many examples and instances of illegal and unethical behaviour in the private security industry (Prenzler & Sarre, 2008). Analysis has focused on questions of its accountability, its motives, and wider impacts upon society or communities (Loader, 1997; Loader & White, 2017; Prenzler & Sarre, 2012; Zedner, 2006). Loader and Walker (2007: 225) underline that private security activities can often “act in ways that disregard the interests of non-consumers” and Diphoorn (2016) highlights the coercive and punitive practices of private security actions. Furthermore, Zedner (2003, 2006) has argued that private security can damage broader “social solidarity” (ibid, 2003: 171).

Such critical inquiries, however, have not yet been applied or tested against commercial cyber security activities. It has not been substantially queried whether the cyber security industry and markets for cyber security create the same type of normative dilemmas as ‘conventional’ private security practices. Can commercial cyber security provision create equivalent or similar impacts on democracy, justice, sovereignty, fairness and exclusion, or produce damaging side-effects for wider society and communities? Or are the implications of buying and selling cyber security somehow unique? Is the commodity of ‘cyber security’ in some way conceptually distinctive and dissimilar to ‘conventional’ security commodities, and in what ways? Ultimately, what are the social implications – if any – of the buying and selling of cyber security?

This paper therefore argues that the buying and selling of cyber security has notable social consequences and that it is vital that cyber security industries are subject to the same type of critical and social inquiry as ‘conventional’ private security. As will be shown there are various ways in which commercial cyber security practices have social impacts and ramifications for ‘public goods’. To prosecute this argument this paper will unpack a number of trends in the commodification of ‘cyber security’ and explore the various dilemmas they can create for ‘public goods’ such as general security, safety, democracy, justice, and freedom from predatory behaviour.

A number of illustrative examples will be used to articulate different ways in which the buying and selling of cyber security can create concerning social implications and is thus deserving of further political, public, and scholarly scrutiny. The first major example relates to the integration of commercial infrastructure such as AWS (Amazon Web Services), Azure, or various other ‘cloud-services’ with many essential and highly sensitive Government agencies and operations. Governments increasingly engage cloud service providers motivated by cyber security concerns (amongst other factors), and these new relationships raise acute questions about the ceded leverage and related concerns about democracy when a commercial institution such as Amazon—as an example—becomes a vital part of any government’s administrative capabilities (see Barbaschow, 2019a; Bartz & Shepherdson, 2021). As will be argued, this has clear implications for notions of “sovereignty” and democracy that have long concerned Shearing and Stenning (1981) in respect to conventional private security.

Other examples that will be explored include markets for encrypted phone handsets that have been utilised by organised crime groups (see Cox, 2019, 2020a; Hamilton, 2019). This has created negative social externalities for the management of organised crime activity such as violence, human trafficking, the trade of illicit drugs, and so on. The creation and commodification of ‘cyber security’ tools by private enterprise such as ‘Metasploit’, ‘Nessus’ or ‘Cobalt Strike’ are also considered as socially ambivalent products that are important for supporting legitimate cyber security applications but can also be easily re-applied for hostile and malicious use. Furthermore, the “counter-productive” nature of purchasing certain forms of security (see Zedner, 2003) has also been demonstrated through the compromise of network management and IT security products such as SolarWinds’ Orion software (Vaughan-Nichols, 2021) or Kaseya (Osborne, 2021a). Finally, unethical practices by cyber security vendors will also be highlighted to illustrate how the industry is equally deserving of scrutiny as ‘traditional’ security companies. These examples, it is argued, highlight ways in which commercial cyber security practices can create negative implications and dilemmas, and produce considerable social impacts.

Considering these examples will lead to a broader conceptual discussion of the similarities and differences of commodifying cyber security compared with conventional security. While this paper wishes to draw certain parallels between cyber security commodities and other security commodities, it also needs to be recognised that the example of commercial cyber security has its own dynamics and unique characteristics. For example, cyber security commodities are less of a discretionary “grudge” purchase (see Loader et al., 2015) and more of an essential structural feature of contemporary digital infrastructure. Furthermore, all types of consumers of cyber security—from general citizens to the most powerful government state authorities on the planet—have a strong dependence on private providers for their core cyber security needs. The commodification of cyber security therefore has a number of distinct dynamics when compared with conventional private security arrangements.

After highlighting a number of distinct characteristics of cyber security commodities and commodification, this paper will conclude by outlining how markets for cyber security are deserving of an ongoing and wider research agenda. The escalating social significance of the cyber security industry and the increasing expenditure by many groups in society create a demonstrable need for further social, political, and academic scrutiny of this phenomenon (see also Deibert, 2018). This paper aims to underline the pressing need for inter-disciplinary research into the considerable social implications of the buying and selling of cyber security commodities.

A note on the conceptual definition of a ‘cyber security commodity’

Cybersecurity is a contested concept. New America identifies more than 400 unique definitions of cybersecurity currently in use by academics, international organisations, standards-setting bodies, private sector organisations, and state governments around the world (Maurer & Morgus, 2014). While the term can be inclusive of an overwhelming range of security concerns that relate to digital communication, Schatz et al., (2017: 66) have systematically derived a representative definition of cybersecurity from across these groups as:

The approach and actions associated with security risk management processes followed by organizations and states to protect confidentiality, integrity and availability of data and assets used in cyber space. The concept includes guidelines, policies and collections of safeguards, technologies, tools and training to provide the best protection for the state of the cyber environment and its users.

A ‘cyber security commodity,’ therefore, refers to how such “guidelines, policies and collections of safeguards, technologies, tools, and training” are bought and sold through private economic exchange. In practice, it can be difficult to distinguish the inherent ‘commodity’ of cyber security from other more routine functions and purposes of digital activity. As an illustrative example, a consumer may purchase a MacBook motivated in part by the security reputation of Apple, but it is hard to identify how much weight the cybersecurity factor played within this purchase, and whether this could be therefore considered an expenditure on ‘cybersecurity’. Likewise, organisations who use cloud services or purchase network administration tools may have multiple considerations in mind, only one of which is cyber security. Therefore the ‘commodity’ of cyber security can often be embedded within other concerns, features, or services in a way that is not easy to conceptually distinguish or isolate.

To address this conceptual overlap, this paper will consider something as a ‘cyber security’ commodity if (a) the vendor provides clear marketing and guidance around how the product or service will improve the security of the digital assets or data of the consumer, and (b) it is likely that cyber security considerations are a significant motivating factor for the purchase by most customers (i.e. more than just an incidental aspect, such as in the MacBook example above). This definition focuses on products, services and contexts where security plays a prominent role, such as anti-virus software purchases. Finally, the phrase ‘cyber security’ is often used interchangeably with other phrases such as ‘information security’ or ‘digital security’, but this paper will stick to primarily using the phrase ‘cyber security’.

Trends in the commodification of ‘cyber security’ and their damaging impacts on ‘public goods’

This section will outline five notable trends within the world of commercial cyber security that illustrate concerning ramifications for broader ‘public goods’. It will articulate various ways in which the buying and selling of cyber security has created social implications and dilemmas for wider society.

(i) Government use of cloud-service providers

Amazon Web Services (2021a) boasts of being the ‘trusted cloud for government’ delivering “the security and reliability governments need across all classification levels: unclassified, sensitive, secret, and top secret”. It claims to provide services to over “6,500 government agencies”, with the primary advertised benefit being “security – comprehensive security capabilities to satisfy the most demanding information security requirements” (AWS, 2021a). The US Defence Department is expected to contract AWS (amongst several other cloud providers) in a multi-billion dollar deal to provide secure data management over the coming years (Bartz & Shepherdson, 2021). The relationship between the US military and AWS (amongst other cloud providers) is a standout illustration of a major trend in the commodification of cyber security whereby even the best-resourced government agencies, handling top-level sensitive information, are migrating their data management to commercial providers. Similar trends are occurring across the world, with the Australian government likewise entering into a ‘whole of government’ deal with AWS (Barbaschow, 2019b).

Across the globe, government trust levels in cloud service providers are increasing and even with the most sensitive of data-stores, governments are opting to rely on commercial entities to securely manage their data needs. While it should be noted that governmental use of cloud service providers is not solely motivated by cyber security concerns and has other intended benefits including savings, efficiencies and new capabilities, cyber security is a major factor in the migration. Protecting your own network, its servers, and its assets is a significant logistical and resource burden, and cloud service providers can offer cost-savings, hands-on assistance, and an overall better security posture for government agencies (in many instances). As the example of AWS and the US Military underlines it appears that strategic judgements are being made that the cyber security skills and protection provided by cloud service providers is stronger and more trustworthy than what could be developed and maintained ‘in-house’ within government agencies. Trusting the cyber security expertise of an organisation like Amazon Web Services could be a better strategy than employing your own set of network engineers to build, run, maintain, and secure vital networks and services, thus freeing up public agencies from burdensome ‘defensive’ work.

The contracting of commercial entities to provide security for their digital assets is therefore analogous to the contracting of private security companies to protect government buildings (see Bergin et al., 2018). However, it should be noted that the role of such cloud service providers in these circumstances is more significant than a simple ‘guarding’ function, but instead extends to roles such as maintaining custody of key data hosted at their own premises (or on sub-contracted premises) and becoming a blended part of the core infrastructure of government administration. In the case of AWS for instance, they advertise that they provide multiple services such as computing resources, ‘big data analytics applications’ and provide ‘storage and disaster recovery’ (AWS, 2021b), thus becoming firmly integrated with government administrative business in addition to the cyber security roles of monitoring for ‘unauthorized behaviour’ or limiting access to its API where necessary (ibid). The relationship between a cloud service provider and a government agency thus blends the responsibilities of cyber security and general network administration creating overlaps between public and private ‘cyber space’ and embeds commercial operators directly within government administrative infrastructure and functions. It becomes increasingly difficult therefore to practically and conceptually delineate between public and private responsibilities and the division of labour around cyber security and network administration (unlike in the simpler security guard at a government building example).

This development raises pressing questions of sovereignty and democracy. As articulated by Irion (2012), governmental use of cloud service providers poses notable challenges to ‘data sovereignty’ as these arrangements pass significant control of the digital assets of public authorities to commercial entities, raising critical questions about the ongoing confidentiality of such data, in addition to jurisdictional concerns about the movement and storage of that data (Irion, 2012: 41). There are obvious concerns for instance that public data will enter into other jurisdictions, and be subject to alternative legal regimes, accessible to foreign governments. Even when authorities place geographical and jurisdictional restrictions on their cloud providers, issues of sovereignty still persist. The US CLOUD Act for instance provides powers to US law enforcement authorities to subpoena data stored in cloud servers that are operated by US companies even in circumstances where “this data is physically located in another country” and in situations where this request may be “violating the legal norms of a foreign jurisdiction” (Rojszczak, 2020).

Beyond the ongoing issues of ‘data sovereignty’ are the challenges these cloud service arrangements may play for other aspects of sovereignty and democracy. Shearing and Stenning (1981) articulated a number of early concerns with the growth and mission creep of private security to challenge and potentially supplant the sovereign power of the public police. Likewise, they had concerns about the ability of the state to suitably control powerful private security companies and their activities (Shearing & Stenning, 1983) whilst underlining the democratic implications regarding how commercial security is allocated and governed (Shearing & Stenning, 2016).

The use of cloud providers by government authorities creates analogous concerns. As cloud service providers become more intimately embedded within active government administrative functions they gain a significant amount of leverage over governments, and as governments develop institutional dependency on commercial entities for cyber security and administrative capacities, the prospects for state authorities to suitably govern such cloud providers become weaker. Entities such as Amazon, Microsoft and smaller operators such as Cloudflare become a part of the government administrative infrastructure in a way that is not easy to disentangle, and it can be anticipated how this may impact upon the ability of states to otherwise regulate, sanction, manage or govern the practices of those companies. If and when governments enter into disputes with such companies, the dispute resolution will likely be shaped by the dependency on their cloud services. Furthermore, when there are civil society controversies around the practices of such institutions – for example working conditions in Amazon warehouses (see Sainato, 2020) – there is a conflict of interest at play if state authorities are expected to challenge and act adversely to one of their major cyber security providers.

In this respect, the developing cyber security trend of governments relying upon commercial entities to secure their digital assets and services poses clear issues for sovereignty, ‘data sovereignty’, and also the democratic expectation that government authorities can impartially govern such entities. When governments engage with cloud service providers they may improve their cyber security posture, but this involves a trade-off with other social implications. It remains to be seen if and how such companies will use their leverage over nation states to their advantage and, similarly, what will occur in circumstances where the companies are found to have violated agreements or fall into positions of financial strife. It is not clear how governments will manage such circumstances while still honouring the best interests of their citizens; as such, this cyber security purchase by governments creates ongoing dilemmas and negative social implications that need to be recognised.

(ii) The use of encrypted-phone handsets by organised crime

Another concerning development within the commodification of cyber security, with considerable social implications, has been the use of encrypted-phone handsets by organised crime (see Cox, 2019, 2020a, 2020b; Hamilton, 2019). There have been a number of high profile law enforcement investigations that have revealed the widespread use of encrypted-phone handsets amongst organised crime, including the 2018 takedown of Phantom Secure (Cox, 2020a), the 2020 takedown of EncroChat by European police agencies (Cox, 2020b) and the revelation in 2021 that the FBI and the Australian Federal Police (AFP) ran an encrypted messaging app called ANOM, which was distributed to organised crime preloaded on modified mobile phone handsets (Xiao, 2021).

Organised crime groups are attempting to develop cyber security strategies in order to conduct criminal activity outside the purview and surveillance capabilities of law enforcement agencies (Davis & Arrigo, 2021). This is exemplified by the efforts of Mexican kingpin Joaquín “El Chapo” Guzmán, who developed an encrypted network in the late 2000s to run the operations of the Sinaloa cartel (Hamilton, 2019). Scottish organised crime groups are reported to have established and controlled ‘MPC’, an encrypted phone handset company (Cox, 2019), and the Australian ‘Comancheros’ are reported to have held the distribution rights for ‘Ciphr’ phones in Australia (Morri & Yeomans, 2020; Murray, 2021). There is a clear trend of organised crime consuming, developing, and often commercially distributing encrypted-phone handsets to cater to their need for secure digital communications. Correspondingly there is a live and vibrant market for encrypted-phone handsets.

It should be noted at this juncture that ‘encrypted-phone handsets’ here refers to niche phone handsets whose vendors make overt claims about the additional security features of the phone. Popular Apple and Android smartphones have encryption features, and there are many popular end-to-end encrypted messaging apps such as Signal and WhatsApp, but the present discussion pertains to specialised handsets where the chief marketing message is the heightened security of the phone’s communications and content, targeted at a narrow audience of consumers. Examples of such handsets in Australia include devices sold by NCrypt, Cryptophone Australia, NSI Global Counter Intelligence and Diamond Secure, amongst others. Taking NCrypt as an example, it advertises itself as providing products that avoid the “prying eyes and sketchy practices of corporations, governments and hackers” (NCrypt, 2021). It provides handsets that are preloaded with a security- and privacy-focused distribution of Linux along with anonymous SIM cards (ibid). Furthermore, outlets such as Cryptophone Australia (2021) offer the ability to “detect IMSI Catcher activity”; an IMSI catcher is a device that impersonates a mobile base station in order to capture the identifiers and traffic of nearby handsets, a tactic used by law enforcement.

While these specialised handsets may have a range of legitimate applications for individuals or groups who require heightened levels of privacy and security such as lawyers, activists, journalists, or those who may feel threatened by corporate espionage, it is also increasingly clear that such handsets are a regular feature of contemporary organised crime groups. In this respect it should be considered that the buying and selling of this form of cyber security has negative externalities in that it becomes an aid to the functioning of organised crime. Such devices are used to plan and orchestrate violence, intimidation, kidnapping, money laundering, weapons trading, public corruption, and drug trafficking amongst other offences (see Shaw, 2020; Dearden, 2020). While the private security literature has critiqued how private security companies have created notable adverse impacts on the security of vulnerable and marginalised groups in society (see Diphoorn, 2016; Singh, 2005; Kempa & Singh, 2008) or has been compromised by links and associations with organised crime (see Turbeville Jr, 2007; Zedner, 2006), such handsets can be similarly exploited to facilitate organised crime activities and contribute to associated victimization of marginalised groups.

While it is difficult to evaluate whether these encrypted phone handsets have created new opportunities for offending or increased the overall level of offending by organised crime groups, they have evidently aided in the day-to-day operations of organised crime. Moreover, despite recent law enforcement successes in breaking certain encrypted networks, crime groups have demonstrated persistence in using encrypted handsets. In Australia crime groups migrated to Ciphr phones following the takedown of Phantom Secure, and in Europe crime groups reportedly migrated to Sky ECC phones after the compromise of EncroChat (Murphy, 2021). It appears, therefore, that organised crime will continue to seek vendors of phone handsets that promise heightened levels of cyber security and to consider strategies for ensuring the anonymity of their digital activities. As such, the commodification of these phones represents another example of how the buying and selling of cyber security creates impacts on public goods, in this example through facilitating organised crime.

(iii) Commodification of tools for security-minded hacking and vulnerability exploitation

The commodification of tools for security-minded hacking and vulnerability exploitation can also create considerable social impacts. Primarily intended to be used in the context of vulnerability testing by ‘white hat’ operators who apply the tools for testing and improving the defences of networks, systems, and devices, these items can often be redeployed for malicious use, creating concerning social consequences. A notable example is Rapid7’s ‘Metasploit’, a powerful framework that features a library of exploits, payloads and auxiliary modules, with built-in functionality to perform hacking-related activities such as network or host scanning, ‘fuzzing’ of software, traffic sniffing and payload delivery, in addition to providing evasion and anti-forensic techniques to conceal the presence and identity of the hacking party (see their documentation for a full guide to its capabilities – Rapid7, 2021a). As articulated by Herr and Rosenzweig (2016: 316), “Metasploit gets to the core contradiction of pen-testing … the act of such testing, up to a point, is largely indistinguishable from malicious hacking”.

Metasploit is available either for free, or in a commodified ‘Pro’ version which features extra capabilities, and Rapid7 describes its product as aimed at helping security teams to “manage security assessments”, “improve security awareness” and “empower” network defenders (Rapid7, 2021b). Despite the developer’s intention that Metasploit will be used primarily as a tool by network administrators to test, analyse, and patch systems, the tool is often applied for malicious purposes. Metasploit is often associated with malicious hacking activity, with Insikt Group reporting that Metasploit was observed on 10.5% of the malware command and control servers it identified in 2020 (Cimpanu, 2021; Insikt Group, 2021). At least one academic study has found indicators of Metasploit being used in attacks in the wild (Ramirez-Silva & Dacier, 2007), and other reports have connected the use of Metasploit with ransomware attacks (Millman, 2021; Osborne, 2021a; Roche, 2021).
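The command-and-control statistic above rests on the fact that Metasploit infrastructure can be recognised from the outside, which is also why the same tool serves testers and attackers alike. As an added example (not from the paper, and not Rapid7’s own code), the following Python scans constructed web-server log lines for the 8-bit URI checksum that Metasploit’s reverse_http handler uses to classify incoming stager requests: the stager asks for a random-looking path whose byte sum modulo 256 equals one of a handful of constants. The constants are those in Metasploit’s uri_checksum.rb; the log format, addresses and paths are assumptions constructed for illustration.

```python
"""Added example, not from the paper or from Rapid7: spot Metasploit reverse_http
stager requests in web logs by their 8-bit URI checksum.

Metasploit's reverse_http(s) handler does not use a fixed path. The stager
requests a random-looking path whose byte sum modulo 256 equals a constant
telling the handler what kind of client is calling. The constants below are
those in Metasploit's uri_checksum.rb; the log lines are constructed.
"""
import random
import re
import string

# Checksum values the handler recognises (from Metasploit's uri_checksum.rb).
MSF_CHECKSUMS = {
    92: "INITW/INITN (Windows or native stager)",
    80: "INITP (Python stager)",
    88: "INITJ (Java stager)",
    98: "CONN (existing session)",
}


def checksum8(s: str) -> int:
    """Sum of the byte values of s modulo 256, as Rex::Text.checksum8 does."""
    return sum(s.encode("ascii")) % 256


def uri_bare(path: str) -> str:
    """Drop everything that is not a base64url character before checksumming,
    mirroring process_uri_resource in the handler (so the leading '/' goes)."""
    return re.sub(r"[^A-Za-z0-9_\-]", "", path)


def generate_msf_uri(target_sum: int, length: int = 5, seed: int = 0) -> str:
    """Build a path of the kind the stager requests: random alphanumerics whose
    checksum8 equals target_sum (like generate_uri_checksum). Seeded for
    determinism; about one candidate in 256 satisfies the constraint."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(rng.choice(alphabet) for _ in range(length))
        if checksum8(candidate) == target_sum:
            return "/" + candidate


# Assumed log layout for this example: client "GET path HTTP/1.x" status "user-agent".
LOG_RE = re.compile(
    r'^(?P<src>\S+) "GET (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample: two ordinary requests and two that match stager checksums
# ("QXYZ" sums to 348 -> 92, "WXYZ" sums to 354 -> 98).
SAMPLE_LOG = [
    '10.0.0.5 "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 "GET /QXYZ HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 "GET /api/v1/users HTTP/1.1" 200 "curl/7.68.0"',
    '10.0.0.7 "GET /WXYZ?x=1 HTTP/1.1" 200 "Mozilla/5.0"',
]


def scan_log(lines):
    """Return (client, path, label) for every request whose URI checksum matches
    a stager constant. A short random path hits one of the four constants with
    probability 4/256, so treat hits as a triage signal to corroborate with
    other indicators (destination reputation, beacon timing, TLS certificate),
    not as proof of Metasploit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # query string ignored in this example
        cs = checksum8(uri_bare(path))
        if cs in MSF_CHECKSUMS:
            hits.append((m.group("src"), path, MSF_CHECKSUMS[cs]))
    return hits


if __name__ == "__main__":
    for src, path, label in scan_log(SAMPLE_LOG):
        print(f"{src} {path} -> {label}")
    print("example stager URI for a Java client:", generate_msf_uri(88))
```

The point for the argument of this section is the caveat in `scan_log`: the same wire-level signature is produced whether the operator is an authorised tester or an intruder, so a detection like this tells the defender that Metasploit is in play, not who is driving it.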

Metasploit is one particular example, but other commercial tools that can foreseeably be repurposed for malicious hacking activity include Nessus, Cobalt Strike, Netsparker and many others. It should be made clear that many of these tools can be deployed constructively, legitimately and for the purposes of improving cyber security (and most often are), but they also carry clear possibilities of being abused and applied for malicious purposes. They represent products of the cyber security industry that carry notable dangers of being easily redirected towards aggressive, predatory, and victimising behaviour.

Consequently, the US Department of Commerce (2021) has placed additional export controls on “cybersecurity items” and “intrusion software” in an attempt to curtail the trade of such commodities to China and Russia (amongst other markets), indicating concern with the proliferation of such products. This points to how security-minded hacking and vulnerability exploitation tools are an example of what the private security literature calls a “contested commodity” (Loader & White, 2018). There are clear ethical and legal questions about what should be commodified or not, and ‘intrusion software’ faces forms of restricted trade as a result. The foreseeable social impacts of such products raise questions about whether the trade of this type of cybersecurity product should be permissible, and whilst the value of such tools should be balanced against their productive capacity to raise security standards, they nonetheless represent another example of how cyber security commodities can create negative externalities and ongoing safety dilemmas by facilitating illicit hacking behaviour.

(iv) Vulnerabilities within cybersecurity products

As outlined in Zedner’s (2003) ‘six paradoxes of security’, it is argued that in many circumstances practices and discourses around security can be counter-productive. This section provides illustrative examples of where the purchase of cyber security commodities can be similarly self-defeating or inadvertently create escalating risk. Notably, there has been a trend of enterprise cyber security software being compromised which has created risks that have amplified over a large number of companies such as with SolarWinds’ ‘Orion’ platform and Kaseya (see Osborne, 2021a; Vaughan-Nichols, 2021).

Organisations strategically utilise third-party platform-providers such as SolarWinds or Kaseya to monitor their network performance, manage network devices, provide data management, and provide IT services for their staff and general business infrastructure. A large selling point of such products is “IT Security” (see Kaseya, 2021; SolarWinds, 2021). Kaseya (2021) articulates how their product can “empower your team to manage IT” and “maintain device and network security”, whilst SolarWinds (2021) hosts customer reviews emphasising how their ‘NetFlow Traffic Analyzer’ allows for better network-use oversight and thus “better planning and [to] ensure security”.

Ironically, however, engaging with these products can put the assets of consumers and businesses at higher risk in certain circumstances. Products like Kaseya and Orion have become high-value targets for sophisticated threat actors, who invest considerable resources and attention in compromising those platforms in order to reach the much larger population of clients behind them. Kaseya is reported to provide services for 40,000 organisations worldwide (Osborne, 2021b), and SolarWinds is reported to have some 300,000 customers overall (Goodin, 2020), of whom roughly 18,000 installed the trojanised Orion update according to SolarWinds’ own disclosure. Crucially, many of these clients are government agencies (ibid), alongside corporate clients and organisations such as NGOs. Consequently, sophisticated and well-resourced APTs target such platforms: Russian intelligence is believed to be behind the SolarWinds hack that compromised organisations such as Microsoft, the Pentagon and the US Treasury, Justice and Energy departments (Temple-Raston, 2021). Likewise, an attack exploiting vulnerabilities in Kaseya’s VSA remote-management product resulted in 800 to 1,500 small and medium-sized businesses becoming victims of ransomware (Osborne, 2021b).

This provides an example of cyber security efforts being counter-productive: vendors like SolarWinds and Kaseya become attractive targets for ‘supply-chain’ attacks, in which sophisticated, well-resourced and determined hacking teams compromise the platform and thereby affect a large number of organisations at once. The mechanism is structural rather than incidental. To do their job, such tools must hold privileged, trusted access to every system they monitor or manage, so whoever compromises the tool inherits that access across the whole customer base. In the SolarWinds case, malicious code was inserted into a legitimate Orion software update that customers installed as routine maintenance; in the Kaseya case, attackers exploited flaws in the product itself to push ransomware through the very channel that managed service providers use to administer their clients’ machines. Such products can thus inadvertently expose customers who are seeking an improved security posture to new or higher risks of breach and victimisation. Cyber security commodities can therefore be counter-productive in the same way as conventional security products (see Zedner, 2003), and can create significant and amplified social impacts when large numbers of public and commercial entities are compromised at once.

(xxii) Unethical practices from cyber security vendors

Finally, while Gibson (2007: 2) refers to the “tarnished reputation” of private security actors, and others underline how the industry is susceptible to being linked to or infiltrated by organised crime groups (see Prenzler & Sarre, 2012: 44), the cyber security industry does not carry an equivalent reputation for unethical or illegal behaviour. It is not similarly perceived as a “cowboy industry” (see Mills & Fowler, 2020) by wider stakeholders. However, there are many examples of unethical behaviour on the part of those selling cyber security commodities that can create damaging social consequences.

Kaseya, as an example, has been accused by former employees of failing to respond adequately to known vulnerabilities and of prioritising commercial activities such as sales instead, leaving customers exposed to the significant risk of the ransomware attacks outlined above (Gallagher & Martin, 2021). The anti-virus vendor Avast is being investigated for selling user data including browsing history (Kan, 2020), and the VPN provider Windscribe is accused of not encrypting the disks of its servers, which exposed a server private key when the hardware was seized, and of using deprecated security settings, thus significantly misleading customers about the steps taken to protect their cyber security (see Goodin, 2021). Companies selling cyber security can act in unethical, irresponsible, and illegal ways, creating damage and negative impacts for broader ‘public goods’. Like conventional security companies, cyber security companies can misrepresent, mislead, and defraud customers regarding their products and services, and they deserve equivalent levels of scrutiny and critical attention.


As argued by Leander (2015: 117), “security markets are not simply ‘private’”. In other words, the buying and selling of security has implications for groups beyond the vendor and the consumer. This paper has sought to demonstrate that this is also true of the commodification of cyber security. The various social impacts of commercial cyber security trends and their implications for public goods have been identified in order to argue that the commodification of cyber security ought to be subjected to the same levels of academic, political, and social critique as the conventional private security industry has been. To date, the academic literature on private security has not conceptualised or adequately considered cyber security as private security. This paper aims to redress this and to articulate a research agenda for critical inquiry into the buying and selling of cyber security. Specifically, Loader et al. (2014: 485) urge us to “re-conceptualize security markets not simply as places to which individuals and organizations are free to turn to satisfy their demands for protection, but as morally charged and contested practices of governance that play potentially significant roles in determining conduct, shaping subjectivities and reproducing social relations and inequalities.” It is argued here that this should also include markets for cyber security, and that there is a significant need for greater inquiry and investigation into the practices, impacts, and social consequences of buying and selling cyber security commodities.

However, before proceeding with such a task, the ways in which commercial cyber security differs from ‘conventional’ security should also be considered. There are limits to comparing conventional security commodities with cyber security commodities, and it is crucial to recognise a number of unique properties, elements, and contextual realities of cyber security. For instance, while Zedner (2003: 166) considers that achieving security is often a “vain fantasy” that can be pursued too aggressively and foolishly through the use of private security commodities, cyber security is more of an inescapable pursuit and expenditure for all concerned. While ‘perfect’ cyber security is never achievable and is as out of reach as ‘perfect’ conventional security, it is nonetheless structurally necessary for digital infrastructure to be minimally secure in order to function at all. Likewise, securing digital infrastructure is an ongoing and perpetual task, with new threats constantly emerging.

Therefore, while the purchase of conventional private security is more often a discretionary additional expenditure (although it can be required for insurance purposes and so forth), cyber security is more closely embedded within the structural design of digital infrastructure or services. Digital threat profiles change at greater rates than conventional security threats, and cyber security administration is a constantly evolving task that depends on new services, threats, adversaries, infrastructure, and newly discovered vulnerabilities. While White (2011: 88) has described spending on conventional security products and services as a form of “security fetishism” premised on “subjective feelings of insecurity”, efforts to secure digital assets are much more technically motivated and are necessary for ensuring the fundamental performance of digital services or functions. Thus, cyber security expenditure is a recurring and unavoidable purchase or investment, and less of a discretionary, emotion-based purchase than conventional security commodities can often be.

Additionally, while ‘conventional’ security has traditionally been the remit of the state, and the state is likely to play an ongoing role in ‘anchoring’ the provision of security in a given society (see Loader & Walker, 2007), the same is not necessarily true of cyber security (see Button, 2020). In the domain of cyber security the state is not the pre-eminent provider of security, and even in respect of their own security needs, governmental authorities inevitably depend on the services and infrastructure provided by commercial entities. As argued by Cavelty (2015: 89), “almost all critical cyber-assets are in the hands of private enterprise nowadays”, with state authorities in the diminished position of being “incapable of providing the public good of (cyber) security on its own”, and thus either dependent or co-dependent upon the abilities, infrastructure, and capacity provided by private enterprise. In terms of conventional security, state entities can often provide the foundational minimum level of security for various communities, with private security inserted as an additional feature of the security landscape. When it comes to cyber security, however, any seeker of protection is more likely to rely upon commercial providers than to find public authorities who can provide the necessary resources or services. Ultimately, cyber security is not dominated by the state and is unlikely ever to be, and in this respect the power to provide security in this space lies mostly with commercial entities, creating a landscape that will always be heavily shaped and populated by commercial security commodities (see also Carrapico & Farrand, 2017).

Regulation is another key area where cyber security commodities differ from conventional security commodities. How to regulate private security employees and companies is an active policy and scholarly concern (see for example, White, 2010; Button & Stiernstedt, 2018; Loader & White, 2017). Companies or individuals seeking to enter the private security industry typically need to obtain state licensing. For example, in Victoria, Australia, practitioners are subject to criminal record checks and are expected to hold certain certifications to perform basic duties (see Victoria Police, 2021). To perform cyber security tasks one does not require a licence or need to be listed on a public register.

In general, individuals and companies are freer to practise cyber security in commercial contexts without an equivalent barrier to entry, and the trade in cyber security commodities is less restricted. The labour itself is also largely internalised: nearly every private sector organisation has some equivalent of a Chief Information Security Officer (CISO) responsible for managing the strategies and programmes that protect the company’s networks and data (Button, 2020: 42–43). Of course, many companies contracted to provide an enterprise’s cyber security are obligated to align their practices with multiple regulatory frameworks where relevant, such as the European Union’s GDPR regime. Regulatory protocols set by privacy and data protection regulators establish minimum standards that private (and public) sector organisations must comply with, such as ensuring a reasonable level of data security through measures like encryption and pseudonymisation, completing a data protection impact assessment, and maintaining data breach notification policies. In terms of controls that target the security of technological devices themselves, nationally recognised security standards frameworks, such as the U.S. National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF), and internationally recognised frameworks, such as the International Organization for Standardization’s (ISO) 27000-series information security standards, provide ‘best-practice’ recommendations for both manufacturers and service providers; crucially, however, these are voluntary guidance rather than licensing requirements unless a contract or sector regulator makes them mandatory. There are also some limitations on exporting certain cyber security goods, such as US restrictions on the trade of encryption software and commodities (see Bureau of Industry & Security, 2021). Most notably, however, individuals and companies who work in cyber security are not screened by public authorities or required to be specifically licensed to perform the labour of cyber security in the way that conventional private security practitioners are. Thus, practices of cyber security are not treated equivalently to conventional private security activities and have very different regulatory dynamics.

This incongruity is perhaps connected in part to the weaker political and emotional salience of cyber security concerns for the broader public, compared with conventional security. As an example, Prenzler and Sarre (2012) outline how regulation of private security in Australia was driven by “recurring conduct standards” that produced political dilemmas around public safety concerns. Government authorities felt compelled to act in response to scandals and high-profile incidents, such as the death of a prominent cricketer following an encounter with a private security worker (ibid: 43). However, most cyber security practices have not been subject to the same level of political scrutiny, nor have they had an equivalent impact on public consciousness that has galvanised intense political pressure to regulate the industry. While there are legal and political pressures from governments encouraging companies to harden their networks or prevent avoidable data breaches, matters of cyber security carry less intense public fears and emotions, particularly when compared with conventional insecurities around robbery, assault, or vandalism that preoccupy ‘law and order politics’ (Scheingold, 2011). Therefore, cyber security commodities and cyber security practitioners attract less concern and attention from the wider public and political authorities than matters related to conventional private security practices. In this respect, the trade in cyber security commodities invites less public interest and controversy than the conventional private security industry, a gap compounded by a lack of general technical understanding of the malfeasance that features in the cyber security industry.

Ultimately, there are a number of conceptual differences between cyber security commodities and more conventional private security commodities. It is not the aim of this paper to argue that they are the same, but to identify areas in which they share overlapping dynamics, particularly with respect to their impacts on wider public goods. More importantly, it is argued here that the wider private security literature should recognise the buying and selling of cyber security as within its scope of conceptual interest, while recognising how the trade in cyber security may have its own distinctive features and elements. Crucially, the cyber security industry is growing in size, influence and social significance, and therefore requires further scholarly attention. This paper has explored only a sample of trends in the field of cyber security commodification and how they present broader dilemmas for sovereignty, democracy, public safety, and a number of wider ‘public goods’.

The commodification of cyber security requires ongoing socially minded scrutiny that probes empirical questions about its impacts upon a range of ‘public goods’ or communities, in addition to conceptual inquiries that explore the unique dynamics and features of cyber security commodities and practices. The buying and selling of cyber security poses a range of conceptual, empirical and normative questions, in addition to an ongoing series of technical, legal, social, and political dilemmas that require deeper engagement. To that end, this paper is also a starting point for a research agenda on the implications of buying and selling cyber security. Such inquiries would require cross-disciplinary expertise, collaboration, and understanding to accommodate the technical frameworks that shape sites of cyber security commodification and activity. Additionally, such an enterprise would require methodological innovation to capture the technical dynamics of how cyber security services, infrastructure, and practices work in situ within their digital contexts, in combination with more traditional humanities-focused research methods including interviews, ethnography, industry analysis, policy analysis, cultural analysis, and legal inquiry. To begin to envision such inquiries, it must first be conceptually recognised that the commodification of cyber security presents normative dilemmas for wider society that can be every bit as “troubling” as the practices of the private security industry (Loader et al., 2014).


The buying and selling of cyber security commodities can create wider social dilemmas for ‘public goods’. But despite being another example of a commercial security commodity, cyber security has yet to be significantly conceptualised by the private security literature as within its scope of interest. Considering cyber security commodities and the cyber security industry as an example of private security draws attention to useful critiques of the conventional private security industry that can be redeployed to this expanding industry. As shown, a number of trends within the commodification of cyber security create concerning impacts on wider communities, and the buying and selling of cyber security often generates contentious side-effects much like conventional private security. An ongoing research agenda is therefore required to bring an appropriate level of academic and social scrutiny to practices of cyber security commodification, scrutiny that has thus far been lacking. The practices of the cyber security industry and the wider commodification of cyber security urgently deserve critical social inquiry.