Existing concepts of legitimate and illegitimate use do not adequately address the complexities of the challenges states now face concerning cyber intrusion markets. In an effort to move the debate forward, the principles introduced in the paper are underpinned by a fresh distinction between ‘permissioned’ and ‘unpermissioned’ intrusion.
At the root of the challenges described in the previous chapter is what is usually termed the ‘dual use’ nature of cyber intrusion capabilities and their component parts. However, the ‘dual use’ label is itself unhelpful in this context. ‘Dual use’ commonly refers to distinct military and civilian uses, a distinction that certainly applies to cyber intrusion capabilities. But in relation to cyber intrusion capabilities, ‘dual use’ also refers to a wider distinction between legitimate and illegitimate use. There is, however, extensive disagreement about what counts as a legitimate use; and this is especially so in the realm of intelligence collection, where the use of commercial cyber intrusion capabilities against individuals and organizations is usually authorized by governments according to national laws and procedures. This disagreement lies at the heart of most policy debates on the matter, with different stakeholders, such as civil society, governments and the cybersecurity industry, tending to talk past one another: what some see as a clear malicious hack, others see as a legitimate state intelligence operation.
Such deep differences are also evident in the characterization of the problem overall as one of either proliferation or misuse. In line with nuclear and other weapons policy arenas, the proliferation characterization suggests that the key issue is the spread of commercial cyber intrusion capabilities beyond their ‘legitimate’ users – whether to cybercriminals or beyond a certain group of states. In contrast, the misuse characterization suggests that the possession (and purchase) of such capabilities is not in itself an issue; instead, it is ‘illegitimate’ uses, not a greater number of users, that are the primary concern. Although these two framings are clearly connected, the distinction matters for policy responses. In a proliferation framing, the goal is to limit the growth of the market; in a misuse framing, the goal is to steer the market (of whatever size) away from certain kinds of use.
This paper offers a fresh perspective on the debate concerning cyber intrusion capabilities by moving away from concepts of dual or legitimate versus illegitimate use. Instead, it draws an important distinction between ‘permissioned’ and ‘unpermissioned’ intrusion.
Permissioned intrusion takes place with the permission of the user, owner or operator of a relevant device, system or network. Unpermissioned intrusion takes place, as the term suggests, without at least one of these permissions.
Inevitably for such a complex subject, both terms include a wide variety of activity. The paradigmatic case of permissioned intrusion is cybersecurity-focused activities such as red-teaming and penetration testing. Unpermissioned intrusion, in contrast, encompasses a wide range of activities from law enforcement takedowns of cybercrime infrastructure and the capture of evidence for arrests of exploiters of minors, to cybercriminal ransomware, corporate espionage and surveillance of journalists.
This new distinction between permissioned and unpermissioned intrusion is important because it moves the focus of debate away from what is or is not a legitimate state use of cyber intrusion capabilities. Rather than dividing uses down a highly contentious line of legitimacy, it instead seeks to ringfence uses on which there is a great deal of – albeit not total – agreement that these should be supported and encouraged (i.e. permissioned uses).
Ultimately, the aim is to minimize concerns that regulation and policy directed at unpermissioned uses will impede permissioned uses. This is an issue that has stymied many previous high-profile interventions, including various attempts by states to introduce export controls into their domestic legislation (discussed in more detail in the next chapter).
As a pair, the terms permissioned and unpermissioned are also useful precisely because they are not already prevalent. For example, the terms authorized and unauthorized [cyber intrusion] could arguably be used in the same way as permissioned/unpermissioned in this paper. However, lack of ‘proper’ authorization is – as noted above – often part of the definition of intrusion itself, and the term is also frequently used in the context of law enforcement or intelligence agencies receiving a warrant from a minister or judge. Within the scope of this paper, use of the terms authorized/unauthorized risks reintroducing the confusion regarding legitimacy, described above, between government warrants on the one hand and owner/operator/user permission on the other. The reason the distinction is set out in the paper, and in the principles put forward, in terms of permission rather than authorization is not due to any difference in the intrinsic meaning of the terms; rather it reflects the differing extent to which the two terms are already used in relation to commercial cyber intrusion capabilities.
There are three further aspects of this distinction that need to be set out at this point.
First, permission implies – but does not always include – prior knowledge: the buyer of penetration-testing services knows that the contractor will attempt to infiltrate their networks (permissioned intrusion); but the owner of a device that is compromised by spyware has no idea this is the case (unpermissioned intrusion). However, the user of a device may give permission to all kinds of applications on their device, for a wide variety of reasons, but not be aware of the subsequent behaviour of any one application. Alternatively, user/owner/operator permission may be given for features such as automatic updates in general, which does not equate to knowledge of any specific update – or permission for an update to disrupt usual functions. Permission is therefore not necessarily an indicator of prior knowledge, or any guarantee against malicious or otherwise disruptive behaviour.
Second, this paper deliberately excludes manufacturer permission from the definition (including only user, owner and operator). In many instances, the inclusion of manufacturer permission would be unnecessary. For example, in high-profile cases discussed later in this paper, the use of mobile spyware without permission of the user/owner/operator was investigated and challenged most robustly by the device manufacturer. However, there is a significant subset of cases where manufacturers work with states to enable access to their users’ or customers’ systems or devices, whether freely or when compelled to do so. Such ‘backdoors’, as they are termed, clearly therefore have the permission of the manufacturer, but not of the user, owner or operator.
Backdoors are conceptually very similar to cyber intrusion capabilities; indeed, a backdoor identified by anyone but the manufacturer would be a central part of the market discussed below. In addition, even manufacturer-developed backdoors indirectly affect markets for commercial cyber intrusion capabilities, by increasing vulnerabilities and potentially opening access vectors for other actors. However, this paper does not consider manufacturer-developed backdoors further, because of the distinct dynamics – usually based on state obligations – around their creation and maintenance. It does, however, return to the overlaps in governance requirements between cyber intrusion capabilities and other methods of state intelligence collection, including backdoors, in Principle 7.
Third, the aim of the paper is to examine not only the use of cyber intrusion capabilities, but the markets behind those uses. This distinction is also more complex than it first appears. Some uses of cyber intrusion capabilities are by actors operating in financially motivated settings, whether unregulated cybercriminal ‘black’ markets or regulated penetration-testing ‘white’ markets. In such cases, policy aimed at changing market dynamics also directly changes use: if an actor has no financial incentive to conduct a ransomware attack or to offer a penetration-testing service, they will not do so.
However, the most controversial uses of cyber intrusion capabilities – by states for intelligence collection – are conducted not for financial motives, but for reasons of law enforcement, national security and espionage. In such cases, market interventions directly affect the incentive structure for actors in the supply chain of such capabilities to their eventual end user, and only indirectly affect the decisions of that end user. Here, any market intervention based on kinds of use (permissioned or unpermissioned, legitimate or illegitimate, etc.) relies on the knowledge, ability and incentive of actors in the supply chain to distinguish between those different kinds of use. This is far from guaranteed: some actors in the supply chain, such as vulnerability researchers, exploit brokers, system integrators and access-as-a-service providers, often claim (rightly or wrongly) not to know the specific purposes their commercially sold capabilities are put to, and rarely have incentives to improve their knowledge or act on it.
Although they affect the decisions of commercial entities, market interventions need to go beyond the level of those entities. As nearly all markets are influenced by state policy and regulation, market interventions should also focus on actions by states – especially in countering what the companion paper in this series calls ‘state permissive behaviours’ facilitating market growth. This current paper therefore focuses on state interventions regarding commercial cyber intrusion capabilities, considering their multiple roles as users, regulators, investors and detectors.