The Threat Intelligence Industrial Complex: Eisenhower Warned You. The PDF Is £499 Per Seat.
How a handful of American cybersecurity firms quietly became the world's unelected prosecutors, and why nobody's asking the right questions.
Let's talk about a kind of power that is most effective when it doesn't look like power at all. When it arrives not in the form of a formal declaration, a Security Council resolution, or a strongly-worded diplomatic communiqué, but as a PDF. Forty-seven pages, tastefully formatted, with an executive summary for people who are very busy being important, and an appendix full of hexadecimal strings for people who are merely important. At the bottom, a logo. Not a flag. A logo.
Welcome to the Threat Intelligence Industrial Complex, where the geopolitical order is maintained not by treaties or armies or the solemn weight of international law, but by private companies with names that sound like they were generated by feeding the word "cyber" into a blender with the collected works of Tom Clancy.
To understand how we got here, you have to understand a problem that intelligence agencies face and are constitutionally incapable of solving: they cannot tell anyone what they know without explaining how they know it. In the espionage business, this is called "burning sources and methods," and it is considered approximately as desirable as burning the building down. So when the NSA or GCHQ discovers that a nation-state has just spent six months burrowing through someone's critical infrastructure like a particularly patient digital badger, they are faced with an uncomfortable choice. They can act on the intelligence quietly, tell no one, and watch the geopolitical moment evaporate unexploited. Or they can tell the public, in which case they have to explain how they found out, which means explaining capabilities they would very much prefer adversaries didn't know they had.
Enter the private sector, stage right, carrying a laptop bag and a valuation of several billion dollars.
The genius of the arrangement, and one must grudgingly admire its architecture, the way one admires a particularly elegant confidence trick, is that private threat intelligence firms can publish what governments cannot. They have no state secrets to protect. They have no diplomatic sensitivities. What they have is telemetry. Enormous, legally acquired (we are told), contractually consented-to (the terms were thirty-seven pages, so presumably yes) visibility into global network traffic, endpoint behaviour, and the digital fingerprints left behind by people who hack things for a living.
And so a division of labour has emerged that is, depending on your tolerance for institutional euphemism, either a masterclass in public-private partnership or a remarkably convenient arrangement for everyone except the accused.
Let us consider, for a moment, the case of CrowdStrike, whose 2016 investigation into the Democratic National Committee breach is one of the most consequential pieces of private forensic work in modern history. CrowdStrike identified two separate intrusion groups, named them with the kind of whimsical authoritarian flair that has since become an industry standard, Fancy Bear, Cozy Bear, names that suggest a Russian nesting doll set designed by someone who reads too many spy novels, and published its findings. These findings formed the bedrock of the public case for Russian state involvement in the interference campaign.
The FBI did not conduct an independent forensic examination of the servers. The Bureau's account is that the DNC declined its requests for direct access, so it reviewed CrowdStrike's disk images and analysis instead. At the time, this seemed like a reasonable division of labour. In retrospect, it is the kind of detail that, if inserted into a thriller novel, would be described by reviewers as "slightly too on the nose."
Now, this is not to say CrowdStrike was wrong. It may well have been entirely correct, and subsequent government assessments broadly supported its conclusions. The point is not the accuracy. The point is the architecture. A private company with a business model, investors, clients, and a brand to protect became the primary public evidence-bearer for a finding that shaped sanctions policy, triggered diplomatic expulsions, and spent several years as the central exhibit in the most politically polarising event in recent American history.
One might describe this as "outsourcing." One might describe it as "pragmatic." One might also describe it as the geopolitical equivalent of asking your neighbour to give evidence in a murder trial because the police couldn't attend. But we live in polite times, so "outsourcing" will do.
If CrowdStrike is the origin story, Mandiant's 2013 APT1 report is the moment the genre found its form. In a document that reads like a cross between a military intelligence briefing and a particularly aggressive sales brochure, Mandiant attributed a sustained, years-long campaign of economic espionage against American companies to a specific unit of the People's Liberation Army. Unit 61398. Building located at 208 Datong Road, Pudong New Area, Shanghai. Here is a photograph of the building. Here are the usernames. Here, because why not, are the individual hackers' probable online personas.
It was, by any measure, a stunning piece of work. It was also a private company publicly accusing a sovereign nation's military of committing acts that, in a more legally coherent world, would be adjudicated by some form of international body operating under agreed rules of evidence, rather than dropped as a PDF on the internet at 8 AM Eastern.
China denied everything, as it was always going to, because the alternative, "fair point, you've got us", has not yet been introduced as a feature of great power relations. The report reshaped US-China cyber diplomacy for years. A private firm from Alexandria, Virginia had effectively done what the State Department couldn't or wouldn't: named names, shown the evidence, and forced the issue into the open.
The State Department, one imagines, sent a nice note. Perhaps a fruit basket.
The more recent iteration of this dynamic involves Microsoft, which has quietly become perhaps the single most influential attributor of state-sponsored cyber activity on the planet. This is, when you stop to think about it, extraordinary. Microsoft is a company that sells software and cloud services. It is also, by virtue of its position in the global technology supply chain, uniquely positioned to observe malicious activity at a scale no intelligence agency could match through traditional means. Its visibility is genuinely unprecedented.
It is also a company with significant government contracts. A company that has, at various points, been awarded multi-billion-dollar cloud infrastructure deals with the US Department of Defense and the intelligence community. A company that, when it publishes reports attributing cyber operations to China or Russia or Iran, does so with the full authority of its brand, its market position, and its implicit relationship with the government ecosystem it serves.
None of this means Microsoft's analysis is wrong. Much of it is almost certainly correct, built by some of the sharpest threat analysts in the industry. The question is not whether their technical findings are accurate. The question is whether anyone has thought particularly hard about whether a company with those financial relationships and those institutional dependencies should be the one making the call.
The answer, in the current architecture, is that no one has had to think about it, because no framework exists that would require anyone to think about it.
This is where the Eisenhower comparison becomes, if anything, an understatement. In 1961, Eisenhower warned about the emergence of a military-industrial complex, a structural entanglement between defence contractors and the state apparatus that would, over time, create incentives misaligned with the public interest. He was right, as it turned out, in ways that took decades to fully appreciate.
The Threat Intelligence Industrial Complex is that warning, but with better branding.
The incentive structures are, one must admit, beautifully designed, at least from the perspective of the industry. Attributing attacks to nation-states is good for business in a very direct sense. It elevates the threat landscape, which justifies larger security budgets, which means larger contracts, which funds more analysts, which produces more reports, which elevate the threat landscape further. It is a self-reinforcing ecosystem in which the finding that a sophisticated nation-state is targeting your sector is worth, conservatively, several multiples of the finding that someone's intern clicked on a phishing link. The former generates briefings, keynote slots, congressional testimony, and the kind of brand recognition that turns a cybersecurity company into a household name.
The latter generates a ticket in the helpdesk queue.
There is also the matter of the revolving door, which in this industry spins with a velocity that would make a Washington lobbyist blush. The senior leadership of the major threat intelligence firms reads like an alumni directory of the NSA, GCHQ, Cyber Command, and the intelligence agencies of their respective Five Eyes partners. This is not a coincidence or a conspiracy. It is a labour market functioning as labour markets do: people with specific, classified skills leave government service and go where those skills are valued. Along the way, they bring institutional knowledge, professional relationships, and, presumably, a well-developed sense of which findings tend to land favourably in Washington and which don't.
The uncomfortable question, which is also the interesting question, is what all of this looks like from the other end of the attribution.
When the United States government accuses China of a cyber operation, China has diplomatic channels, international forums, and the general weight of great power status to push back. It is a deeply imperfect process, but it is a process. When CrowdStrike or Microsoft accuses China of a cyber operation, China has... a press release it can post on its foreign ministry website, which Western journalists will quote in the fourteenth paragraph.
There is no appeals process. There is no evidentiary standard subject to external review. There is no mechanism by which the accused can compel disclosure of the forensic methodology, request independent verification, or challenge the findings in any forum that the attributing firm is obliged to attend. The accused can hire their own cybersecurity firm to publish a counter-report, and occasionally does, and then two private companies are arguing about geopolitics in PDFs while the rest of us try to work out what actually happened.
International law, which is already doing its best with very limited tools, has nothing to say about any of this. There is no Geneva Convention for attribution reports. The Tallinn Manual, which is the closest thing the international legal community has produced to a framework for cyber operations, runs to several hundred pages, is non-binding, and is written primarily about what states may and may not do. It does not have a chapter on what happens when a company in Sunnyvale decides to publicly name a unit of a foreign military.
The defenders of this arrangement, and there are many, make an argument that deserves to be taken seriously before being gently set aside. Private firms, they say, can publish what governments cannot. They introduce transparency into a domain that would otherwise be entirely opaque. They create accountability, even imperfect accountability, where none would otherwise exist. The alternative is not some ideal world of internationally supervised forensic tribunals; the alternative is silence. And silence, in this domain, tends to favour the attackers.
This is true, as far as it goes. It just doesn't go very far.
Because the distribution of this privatised prosecution power is not neutral. The major threat intelligence firms are, with limited exceptions, American or British. The infrastructure they sit on, the cloud platforms that give them visibility, the operating systems that report telemetry, the endpoint agents that whisper network behaviour to central repositories, is predominantly American. The institutional relationships that lend their findings credibility are relationships with American and allied governments. The findings that receive the most amplification, the most official validation, the most follow-on policy consequence, are findings about the adversaries of those same governments.
This is not necessarily because the firms are captured or corrupt. It may simply be because they see what their infrastructure lets them see, and their infrastructure was built by people who were, understandably, more interested in deploying it against known adversaries than against themselves or their allies.
The result is a system that functions, with great technical sophistication and genuine analytic rigour, as a megaphone pointed in one direction. Not because anyone planned it that way. Because no one planned it at all.
Before anyone in the passenger seat complains about the driving, it is worth pausing here to extend some of the blame more equitably, because fairness demands it and because the alternative narrative, plucky world versus American cyber-hegemony, is a little too comfortable for everyone involved. The European Union has spent the better part of two decades producing regulatory frameworks of extraordinary ambition and operational capacity roughly equivalent to a strongly-worded letter. China has its own threat intelligence apparatus, naturally, though its findings tend to attribute everything to foreign hostile forces with a consistency that suggests either remarkable adversarial focus or a thesaurus with only one entry. Russia's contributions to the discourse are, let us say, creative. The Global South, meanwhile, is largely absent from the conversation entirely, which is its own form of answer.
History, as is its habit, has a parallel ready. It doesn't require anything so dramatic as the examples one might reach for in darker moods. It simply requires noting that when private entities accumulate the functions of sovereign power, the power to accuse, to condemn, to shape the terms of international dispute, without acquiring the accountability structures that sovereign power, however imperfectly, eventually develops, you get outcomes that are structurally predictable even when they are individually defensible.
The machines in this story are not punch-card tabulators. They are threat intelligence platforms, endpoint detection agents, and network monitoring dashboards that together produce a picture of global cyber activity so granular it makes the surveillance capabilities of thirty years ago look like a man with a notebook standing outside a building. The companies that operate them are not villains. Most of the analysts who work there are doing genuinely important work, tracking genuinely dangerous operations conducted by genuinely hostile actors.
The problem is not the people. The problem is the architecture. The problem is that we have allowed a function of extraordinary geopolitical consequence to be performed by entities that answer to boards of directors and venture capitalists and, occasionally, to the implicit approval of intelligence communities they used to be part of, rather than to any framework of democratic accountability or international legitimacy.
The Threat Intelligence Industrial Complex is not a scandal. That is precisely what makes it interesting. It is simply what happens when a genuine capability gap meets a functioning market and no one bothers to ask, before the whole thing scales to global significance, who exactly has authorised these people to do this.
The answer, of course, is no one.
Which is to say: all of us.
The logo at the bottom of the PDF thanks you for your attention.
Nation-state attribution comes with venture capital backing and government contracts. Independent analysis comes with a donate button. You know what to do. Thank you!
References
Alperovitch, D. (2016) 'Bears in the midst: intrusion into the Democratic National Committee', CrowdStrike Blog, 14 June. Available at: https://www.crowdstrike.com/en-us/blog/bears-midst-intrusion-democratic-national-committee/ (Accessed: 1 May 2026).
Citizen Lab (no date) Research. University of Toronto. Available at: https://citizenlab.ca (Accessed: 1 May 2026).
Eisenhower, D.D. (1961) Farewell Address to the Nation. Washington D.C., 17 January. Available at: https://www.archives.gov/milestone-documents/president-dwight-d-eisenhowers-farewell-address (Accessed: 1 May 2026).
Lawfare (no date) Lawfare. Available at: https://www.lawfaremedia.org (Accessed: 1 May 2026).
Mandiant (2013) APT1: Exposing One of China's Cyber Espionage Units. Mandiant Intelligence Center, February. Available at: https://services.google.com/fh/files/misc/mandiant-apt1-report.pdf (Accessed: 1 May 2026).
Microsoft Threat Intelligence (2023) 'Volt Typhoon targets US critical infrastructure with living-off-the-land techniques', Microsoft Security Blog, 24 May. Available at: https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques (Accessed: 1 May 2026).
NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) (no date) Publications. Available at: https://ccdcoe.org (Accessed: 1 May 2026).
NSA, CISA, FBI, ACSC, CCCS, NCSC-NZ and NCSC-UK (2023) People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Joint Cybersecurity Advisory, 24 May. Available at: https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF (Accessed: 1 May 2026).
Schmitt, M.N. (ed.) (2017) Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. Prepared by the International Group of Experts at the invitation of the NATO Cooperative Cyber Defence Centre of Excellence. Cambridge: Cambridge University Press.