Selling digital insecurity

Addressing the sale of digital insecurity requires addressing its root causes and a coherent response from states, civil society, and the private sector.

Expert comment Published 29 March 2023 4 minute READ

Dr James Shires

Former Senior Research Fellow, International Security Programme

Offensive cyber capabilities pose a significant threat to national and international security. In many cases, these capabilities are a legitimate national security tool. However, such capabilities can also cause significant – and often unpredictable – damage. 

The use of these capabilities to spread disinformation, mount disruptive cyberattacks, and launch hack-and-leak operations has derailed elections, silenced dissenting political voices, disrupted the lives of individuals, communities, companies, and even entire governments. 

Although the most advanced offensive cyber capabilities are still held by states, there is a growing global marketplace for digital insecurity, with capabilities ranging from openly advertised services to more opaque, bespoke contracts and cybercriminal markets. 

This week, the White House announced an executive order including several new measures to combat risks posed by commercial spyware to human rights and US national security. As noted in the UK’s recent Integrated Review Refresh, the fusion of cyber threats generated by the sale of digital insecurity demands a coherent response. The UK’s new International Technology Strategy also commits to protecting security interests through ensuring sensitive technology does not fall into hostile hands.  

To address the sale of digital insecurity, states must work with civil society, victims and the private sector. They must also cooperate with major tech companies, particularly those that have been exploited as attack vectors. More controversially, states should cooperate with genuinely responsible companies offering commercial hacking and online influence services – those willing to demonstrate respect for human rights and operate within the boundaries of national and international law – while also maximizing pressure from their investors and financial backers. 

Spying, subversion and sabotage 2.0 

The most infamous purveyor of digital insecurity is NSO Group, whose Pegasus spyware has been purchased by over 30 states and used to track foreign politicians, dissidents, and journalists. Pegasus has been associated with severe human rights violations, including arbitrary detention, torture, and assassination. NSO Group has close links to Israel’s government, with Pegasus used to sweeten diplomatic overtures to Gulf states. Today, the company is subject to US sanctions and an EU Parliament investigation. 

Although NSO Group makes the most headlines, the market for digital insecurity is global. Companies and cybercriminal organizations selling disinformation-, ransomware, or hacking-for-hire are located throughout Europe, the US, India, Russia, and China, and operate worldwide. This marketplace supplies national security actors and a broader range of law enforcement agencies, law firms and private investigators

The notorious Internet Research Agency, founded by Wagner Group head Yevgeniy Prigozhin, wrote the commercial disinformation playbook when it deployed troll farms against the 2016 US presidential elections. 

Although NSO Group makes the most headlines, the market for digital insecurity is global.

Other groups combine influence operations with NSO-style hacking. Recent revelations on disinformation ‘black ops’ have exposed ‘Team Jorge’: another group of Israeli contractors who boast manipulating over 30 elections through disinformation and strategic hack-and-leaks. Commercial hackers secretly planted fake evidence on Indian human rights defenders’ devices, and then unsuccessfully attempted to cover their tracks before police arrests. 

Recent reporting on Greek intelligence services hacking a Meta manager’s device with outlawed spyware brings into focus the complex – and contradictory – landscape surrounding state use of hacking tools. 

What’s new about selling digital insecurity? 

States have long sought to gather intelligence on their populations and others, to influence regional or international politics, and to exploit global political economic imbalances for financial gain. States have frequently delegated these tasks to other organizations, from private military companies to organized criminal gangs. Close predecessors of the current spate of commercial influence and hacking include Cold War-era influence operations

The advent of the digital age has changed the possibilities for spying, subversion, sabotage, and blackmail in three ways:. 

First, low entry costs and swift scalability mean companies can start small, grow quickly, and pivot between different forms of influence and digital compromise. A Middle East-based group codenamed Bahamut has hacked many targets (probably for multiple clients) and used a web of fake accounts to conduct disinformation campaigns. Iranian commercial hackers combined disinformation and attempts to compromise the US 2020 presidential elections’ digital infrastructure. 

Second, virtually instant cross-border data flows mean these organizations operate remotely, efficiently, with relative impunity. Groups like Conti offer ransomware-as-a-service, not just commercializing but professionalizing hacking-for-profit, with ‘affiliates’ responsible for damaging operations against critical infrastructure. Today, supposed ‘PR’ companies like Archimedes or Cambridge Analytica can influence elections without ever setting foot in a country. 

Virtually instant data flows across borders mean that cybercriminal organizations can operate with relative impunity.

Finally, companies offering offensive cyber services can also masquerade as part of the legitimate cybersecurity industry, appearing to offer ‘penetration testing’ to gauge network security, or build zero-day exploits as a ‘proof-of-concept’ to sell back to software designers to fix their systems. As zero-day and vulnerability markets develop globally, they fuel a pipeline of companies willing to exploit these holes for malign effects. 

Upgrading policy and regulation 

States have started to address the fusion of commercial cyber threats with coordinated policy responses. In February, speaking at Chatham House, the US Deputy Attorney General announced the Disruptive Technology Strike Force, targeting actors that deploy disruptive technology to undermine the US and allies through theft, hacking and espionage.

The new US Cybersecurity Strategy commits to making it impossible for ‘malicious actors to use cyber-enabled campaigns’ that ‘threaten national security or public safety’ and outlines steps to attack funding sources of companies dealing in digital insecurity. 

As an influential policy actor and home to a large market for these capabilities, the US should lead the way in this space. Beyond countering state use of these capabilities, action is needed on supply as well as demand. Successful regulation must be rooted in international law (including human rights law) and adapted to digital services’ unique characteristics. 

The US, as an influential policy actor and home to a large market for offensive cyber capabilities, should lead the way in this space.

Countries can ban or license sales to particular entities or countries. Regional and international export control measures – such as the Wassenaar Arrangement and the EU Export Control Regulation for cyber surveillance tools – must strive for harmonized implementation and broad support, to avoid ransomware and cyber surveillance ‘safe havens’. The UN’s Office of Human Rights called for a global moratorium on spyware sales until sufficient human rights guarantees are implemented. While export control is a crucial lever in the regulatory arsenal, it is limited by licensing decision opacity, national security exemptions, and slippery concepts of ‘dual use’. 

Creative approaches cont.

Creative approaches from new coalitions are imperative to shape the economic incentives of those selling hacking tools. A recent joint initiative from the Heartland Initiative, European Council on Foreign Relations, Access Now, and the Business & Human Rights Resource Centre convened investors and civil society, discussing ways to use market mechanisms (like shareholder resolutions and ESG reporting) to apply pressure to companies selling digital insecurity.

Joint measures have been tested in other sectors (including in energy, climate, and extractives) yet remain nascent in cyber policy. Initiatives can learn from organizations like Citizen Lab, who sought to marshal investors against selling NSO Group in 2017, and advocacy groups who used US government pressure to prevent its sale to a defence contractor in 2022. 

Investors and civil society can use market mechanisms, like shareholder resolutions and ESG reporting, to apply pressure to companies selling digital insecurity. 

Fundamentally, addressing the sale of digital insecurity requires addressing its root causes. As the Cybersecurity Tech Accord has recently argued, improving cyber defence and the online platform environment are key measures for safeguarding critical infrastructure and democratic processes.

States and others should continuously counter malicious actors directly. But, like all marketplaces, this one can be shaped by different levers: economic, regulatory, and legal. Using these levers carefully can help build a cyberspace that is safer and more beneficial for all.