Selling Digital Insecurity

Uploaded on 2023-04-26 in NEWS-Cybersecurity News, INTELLIGENCE--International, FREE TO VIEW

By James Shires & Isabella Wilkinson

Addressing the sale of digital insecurity requires addressing its root causes and a coherent response from states, civil society, and the private sector.

Offensive cyber capabilities pose a significant threat to national and international security. In many cases, these capabilities are a legitimate national security tool. However, such capabilities can also cause significant – and often unpredictable – damage. 

The use of these capabilities to spread disinformation, mount disruptive cyberattacks, and launch hack-and-leak operations has derailed elections, silenced dissenting political voices, disrupted the lives of individuals, communities, companies, and even entire governments. 

Although the most advanced offensive cyber capabilities are still held by states, there is a growing global marketplace for digital insecurity, with capabilities ranging from openly advertised services to more opaque, bespoke contracts and cybercriminal markets. 

Recently, the White House announced an executive order including several new measures to combat risks posed by commercial spyware to human rights and US national security. As noted in the UK’s recent Integrated Review Refresh, the fusion of cyber threats generated by the sale of digital insecurity demands a coherent response. The UK’s new International Technology Strategy also commits to protecting security interests through ensuring sensitive technology does not fall into hostile hands.  

To address the sale of digital insecurity, states must work with civil society, victims and the private sector. They must also cooperate with major tech companies, particularly those that have been exploited as attack vectors. More controversially, states should cooperate with genuinely responsible companies offering commercial hacking and online influence services – those willing to demonstrate respect for human rights and operate within the boundaries of national and international law – while also maximizing pressure from their investors and financial backers. 

Spying, Subversion & Sabotage 2.0 

The most infamous purveyor of digital insecurity is NSO Group, whose Pegasus spyware has been purchased by over 30 states and used to track foreign politicians, dissidents, and journalists. Pegasus has been associated with severe human rights violations, including arbitrary detention, torture, and assassination. NSO Group has close links to Israel’s government, with Pegasus used to sweeten diplomatic overtures to Gulf states. Today, the company is subject to US sanctions and an EU Parliament investigation

Although NSO Group makes the most headlines, the market for digital insecurity is global. Companies and cybercriminal organizations selling disinformation-, ransomware, or hacking-for-hire are located throughout Europe, the US, India, Russia, and China, and operate worldwide. This marketplace supplies national security actors and a broader range of law enforcement agencies, law firms and private investigators. 

The notorious Internet Research Agency, founded by Wagner Group head Yevgeniy Prigozhin, wrote the commercial disinformation playbook when it deployed troll farms against the 2016 US presidential elections

Other groups combine influence operations with NSO-style hacking. Recent revelations on disinformation ‘black ops’ have exposed ‘Team Jorge’: another group of Israeli contractors who boast manipulating over 30 elections through disinformation and strategic hack-and-leaks. Commercial hackers secretly planted fake evidence on Indian human rights defenders’ devices, and then unsuccessfully attempted to cover their tracks before police arrests. 

Recent reporting on Greek intelligence services hacking a Meta manager’s device with outlawed spyware brings into focus the complex – and contradictory – landscape surrounding state use of hacking tools. 

What’s New About Selling Digital Insecurity? 

States have long sought to gather intelligence on their populations and others, to influence regional or international politics, and to exploit global political economic imbalances for financial gain. States have frequently delegated these tasks to other organizations, from private military companies to organized criminal gangs. Close predecessors of the current spate of commercial influence and hacking include Cold War-era influence operations. 

The advent of the digital age has changed the possibilities for spying, subversion, sabotage, and blackmail in three ways:. 

  • First, low entry costs and swift scalability mean companies can start small, grow quickly, and pivot between different forms of influence and digital compromise. A Middle East-based group codenamed Bahamut has hacked many targets (probably for multiple clients) and used a web of fake accounts to conduct disinformation campaigns. Iranian commercial hackers combined disinformation and attempts to compromise the US 2020 presidential elections’ digital infrastructure. 
  • Second, virtually instant cross-border data flows mean these organizations operate remotely, efficiently, with relative impunity. Groups like Conti offer ransomware-as-a-service, not just commercializing but professionalizing hacking-for-profit, with ‘affiliates’ responsible for damaging operations against critical infrastructure. Today, supposed ‘PR’ companies like Archimedes or Cambridge Analytica can influence elections without ever setting foot in a country. 

Virtually instant data flows across borders mean that cybercriminal organizations can operate with relative impunity.

  • Finally, companies offering offensive cyber services can also masquerade as part of the legitimate cybersecurity industry, appearing to offer ‘penetration testing’ to gauge network security, or build zero-day exploits as a ‘proof-of-concept’ to sell back to software designers to fix their systems. As zero-day and vulnerability markets develop globally, they fuel a pipeline of companies willing to exploit these holes for malign effects. 

Upgrading Policy & Regulation 

States have started to address the fusion of commercial cyber threats with coordinated policy responses. In February, speaking at Chatham House, the US Deputy Attorney General announced the Disruptive Technology Strike Force, targeting actors that deploy disruptive technology to undermine the US and allies through theft, hacking and espionage.

The new US Cybersecurity Strategy commits to making it impossible for ‘malicious actors to use cyber-enabled campaigns’ that ‘threaten national security or public safety’ and outlines steps to attack funding sources of companies dealing in digital insecurity. 

As an influential policy actor and home to a large market for these capabilities, the US should lead the way in this space. Beyond countering state use of these capabilities, action is needed on supply as well as demand. Successful regulation must be rooted in international law (including human rights law) and adapted to digital services’ unique characteristics. 

The US, as an influential policy actor and home to a large market for offensive cyber capabilities, should lead the way in this space.

Countries can ban or license sales to particular entities or countries. Regional and international export control measures – such as the Wassenaar Arrangement and the EU Export Control Regulation for cyber surveillance tools – must strive for harmonized implementation and broad support, to avoid ransomware and cyber surveillance ‘safe havens’. The UN’s Office of Human Rights called for a global moratorium on spyware sales until sufficient human rights guarantees are implemented. While export control is a crucial lever in the regulatory arsenal, it is limited by licensing decision opacity, national security exemptions, and slippery concepts of ‘dual use’. 

Creative Approaches 

Creative approaches from new coalitions are imperative to shape the economic incentives of those selling hacking tools. A recent joint initiative from the Heartland Initiative, European Council on Foreign Relations, Access Now, and the Business & Human Rights Resource Centre convened investors and civil society, discussing ways to use market mechanisms (like shareholder resolutions and ESG reporting) to apply pressure to companies selling digital insecurity.

Joint measures have been tested in other sectors (including in energy, climate, and extractives) yet remain nascent in cyber policy. Initiatives can learn from organizations like Citizen Lab, who sought to marshal investors against selling NSO Group in 2017, and advocacy groups who used US government pressure to prevent its sale to a defence contractor in 2022. 

Investors and civil society can use market mechanisms, like shareholder resolutions and ESG reporting, to apply pressure to companies selling digital insecurity. 

Fundamentally, addressing the sale of digital insecurity requires addressing its root causes. As the Cybersecurity Tech Accord has recently argued, improving cyber defence and the online platform environment are key measures for safeguarding critical infrastructure and democratic processes.

States and others should continuously counter malicious actors directly. But, like all marketplaces, this one can be shaped by different levers: economic, regulatory, and legal. Using these levers carefully can help build a cyberspace that is safer and more beneficial for all. 

James Shires is Senior Research Fellow in Cyber Policy at Chatham House

Isabella Wilkinson is Research Associate, International Security Programme  at Chatham House

You Might Also Read: 

Digital Platform Regulation - Impossible?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« As A Business Leader, You Must Manage Cyber Risk 
Online Safety Bill UK: WhatsApp, Encryption & The Implications For Privacy »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Linklaters LLP

Linklaters LLP

Linklaters is an international law firm. Practice areas include Information Management and Data Protection.

Law Enforcement Cyber Center (LECC)

Law Enforcement Cyber Center (LECC)

LECC is designed to assist police, digital forensic investigators, detectives, and prosecutors who are investigating and preventing crimes that involve technology.

National Cyber Security Centre (NCSC) - Norway

National Cyber Security Centre (NCSC) - Norway

NCSC is part of the Norwegian Security Authority, and is Norway's national cyber security hub and the national CERT.

KZ-CERT

KZ-CERT

KZ-CERT is the national Computer Emergency Response Team for Kazakhstan.

Cobalt Labs

Cobalt Labs

Pen Testing as a Service for Modern SaaS Businesses. Cobalt is redefining the modern pen test for companies who want serious hacker-like testing built into their development cycle.

Romanian Association for Electronic Industry & Software (ARIES)

Romanian Association for Electronic Industry & Software (ARIES)

ARIES is the Romanian Association for Electronic Industry and Software, the biggest and most influental organization created for the IT&C industry in Romania.

Abusix

Abusix

Abusix specializes in Internet security, network abuse handling, antispam and fraud prevention.

Sopher Networks

Sopher Networks

Sopher is a secure communication and collaboration platform for business and personal use.

Kippeo Technologies

Kippeo Technologies

Kippeo is a security systems integrator providing innovative solutions that look at all the parameters and connect all the dots.

MPC Alliance

MPC Alliance

A consortium of developers and practitioners of multiparty computation (MPC), committed to accelerating market awareness and adoption of MPC to increase the security and privacy of online services.

Hubraum

Hubraum

Hubraum is Deutsche Telekom’s tech incubator, helping startups to create new business opportunities in areas including data analytics, AI, robot process automation and cyber security.

Iowa Cyber Hub

Iowa Cyber Hub

Iowa Cyber Hub is a cybersecurity education partnership between Iowa State University and Des Moines Area Community College.

Char49

Char49

Char49 specialize in Penetration Testing, Red Team Assessment, Social Engineering and Security Research.

Fortify 24/7

Fortify 24/7

Fortify 24×7 provides a robust portfolio of managed cybersecurity solutions to help you identify and prevent attacks.

Harrison Clarke

Harrison Clarke

Harrison Clarke is a leading staffing and recruiting firm in the Cloud, Cybersecurity, Data & AI space.

Rite-Solutions

Rite-Solutions

Rite-Solutions is an award-winning software development, systems engineering, and information technology firm.