Cyber-Spies For Hire

Reports of malicious and targeted cyber-attacks are becoming increasingly common around the world. In early February, for example, Australia’s security agencies revealed they were investigating an attempt to hack on the country’s parliament and hadn’t ruled out another country being behind it. 

As more complex and potentially damaging attacks into critical national infrastructure systems are discovered, calls are growing louder for international rules to govern this emerging battlefront. 

Efforts towards cyber-arms control have predominantly centred around a model where the “arms” relates to weaponised code – specific hacking tools or the software vulnerabilities that enable them.  Attempts have been made to curtail the proliferation and spread of what are called “zero-day exploits”, the flaws in a program’s code that allow malicious attackers to interfere with the systems that run them. 

A recent Reuters expose of the operations of a clandestine wing of the United Arab Emirates’ (UAE) National Electronic Security Authority (NESA) exposed another component of offensive cyber-attacks, expertise. This issue sparked further international attention when the FBI announced charges in mid-February against Monica Witt, a former US Air Force analyst, accused of espionage and defecting to Iran.

Cyber Mercenaries
The Reuters investigation detailed how some former employees of the US National Security Agency (NSA), operatives with expertise in digital penetration techniques, online intelligence gathering and offensive cyber-operations, were contracted via a Maryland-based firm to work for the UAE. 

The investigation makes specific mention of one of the tools, Karma, that these contractors employed on behalf of the UAE against specific targets. 

This hacking tool allowed its operators to gain uninvited and remote access to a target’s Apple phone through an unspecified flaw which is now believed to have been fixed by Apple. Reuters reported that the targets of these attacks ranged from human rights activists, to American journalists.

The article raised questions about whether these contractors might have provided their NESA employees with advanced cyber-capabilities developed by their former employer, the NSA. But the subtext of the Reuters investigation is that the expertise of these former intelligence officers is just as attractive to their new employers as any tools they might bring with them. In a separate article, specifically examining Karma, Reuters alleges that it was purchased by the Emirati government from a vendor outside of the country. 

In effect, the UAE had hired a team of out-of-work specialist engineers who couldn’t bring the tools they had used in the US with them, so it then bought them the tools they needed to get the job done. This suggests that there are two components required to kit out any state or group with advanced cyber-capability: the tools and the expertise. 
Tools and Expertise

Global efforts are underway to govern the tools used in cyber-attacks, such as the Global Commission on the Stability of Cyberspace, which introduced a series of international norms about the use of cyberspace to promote the stability of the internet and good practice of everyone involved. 

Other efforts have been on the legislative level, such as specific additions to the Wassenaar Arrangement, an export control arrangement that seeks to curtail the spread of civilian technologies that can be put to militarised use. But the expertise of cyber operatives has so far seen limited attention. In the scenario described by Reuters, NESA and its Project Raven could not have operated without either the tools or the expertise. The tool itself, Karma, and the expertise and experience required to use it and train others to do so, both require significant investment. 

The dangers of state investment in the collecting of software flaws and the creation of powerful tools which then exploit these previously unknown weaknesses was painfully demonstrated through the leaking of the vulnerability stockpiled by the NSA, EternalBlue. 

This was the backbone of the WannaCry attack which made international headlines in 2018 through its impact on the British NHS and other international business and government services.

But concerns should be growing about the capability that states invest in the skill sets of the people who discover and then weaponise flaws in the software which power our increasingly interconnected and internet-dependent lives. 

Governments across the world are gearing up for what they see as the next domain of warfare by trying to recruit existing talent to government projects or through training the next generation of cyber-security experts who they hope will give them an advantage. 

There’s a risk that in global efforts which focus on states’ use of cyber tools and exploitation of vulnerabilities in programming code, there is a legislative and governance gap developing. 

This could see states invest in training the cyber-spies, saboteurs or soldiers of the future only to find those critical skills and the capability they provide being snapped up by the highest bidder.

The Conversation

You Might Also Read: 

Spyware Proliferates To 45 Countries:

 

« Top Six Cyber Secure Countries
Criminal Groups Offer Big Salaries For Cyber Skills »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

TBG Security

TBG Security

TBG provides a portfolio of services including cyber security, compliance and continuity solutions.

Rollbar

Rollbar

Rollbar is a full-stack error monitoring platform for web and mobile applications. We help developers find and fix bugs fast. Built by developers for developers.

Institute for Cybersecurity & Privacy (ICSP) -  University of Georgia

Institute for Cybersecurity & Privacy (ICSP) - University of Georgia

The goal of ICSP is to become a state hub for cybersecurity research and education, including multidisciplinary programs and research opportunities, outreach activities, and industry partnership.

Cyber Security Centre - Daffodil International University

Cyber Security Centre - Daffodil International University

Cyber Security Centre, DIU is a non-profitable organization which is focused on applied research in cyber security.

Araxxe

Araxxe

Araxxe delivers Revenue Assurance, End-to-End Billing Verification and Interconnect Fraud Detection solutions to communication companies worldwide.

Workz Group

Workz Group

Workz connects and protects mobile subscribers of today and tomorrow by providing secure removable or embedded SIMs and remote provisioning solutions for consumer, M2M and IOT devices.

Tehtris

Tehtris

TEHTRIS XDR Platform was developed to control and improve the IT security of private and public companies against advanced cyber threats such as cyber espionage or cyber sabotage activities.

Upper Peninsula Cybersecurity Institute - Northern Michigan University

Upper Peninsula Cybersecurity Institute - Northern Michigan University

Upper Peninsula Cybersecurity Institute at Northern Michigan University offers non-degree and industry credentials relevant to emerging careers in cybersecurity.

eCentre@LindenPointe

eCentre@LindenPointe

The eCenter@LindenPointe provides assistance to the development, management and promotion of STEM (Science, Technology, Engineering, Mathematics) related business ventures.

OpsHelm

OpsHelm

OpsHelm provides a Software-as-a-Service solution to help businesses ensure that all of their cloud environments have their security bases covered.

Buchanan Technologies

Buchanan Technologies

Buchanan Technologies is a leading IT consulting and outsourcing services firm. Our methodology transforms everyday technology investments into streamlined, secure and scalable solutions.

CertNexus

CertNexus

CertNexus is a vendor-neutral certification body, providing emerging technology certifications and micro-credentials for business, data, developer, IT, and security professionals.

RealDefense

RealDefense

RealDefense develops and markets various privacy, security and optimization technologies and services for consumers and small businesses.

Tychon

Tychon

Tychon develops advanced enterprise endpoint management technology that enables commercial and government organizations to bridge the gap between security and IT operations.

M7 Services

M7 Services

M7 Services are a comprehensive Managed Services Provider (MSP) with a focus on delivering cutting-edge information technology solutions and unparalleled customer service.

PriorityZero

PriorityZero

PriorityZero is a European company focused on remote security assessments and consulting services that operates on a global scale.