Report highlights the growth in the cyber military-industrial complex
Kaspersky's recent advanced persistent threat report highlighted the growth in state-sponsored hacking groups, with the likes of the Kremlin-backed APT29 and Nobelium being prime examples of the willingness of nation-states to deploy private-sector hackers for geopolitical ends.
It’s part of a growing cyber military-industrial complex that is emphasized in a recent report from the Atlantic Council, which attempts to shed some light on what has often been a murky and secretive industry.
"State cyber capabilities are increasingly abiding by the “pay-to-play” model—both US/NATO allies and adversaries can purchase interception and intrusion technologies from private firms for intelligence and surveillance purposes," the report says.
Into the shadows
The murky nature of this industry largely suits both sides, but it has made detailed analysis difficult. The paper attempts to correct that and shed some light on both the active players in the market and their capabilities.
The researchers were able to identify a wide range of actors offering a panoply of interception and intrusion technologies before exploring how these entities accessed the market and who they are selling to.
The authors believe that they have been able to identify a number of firms headquartered in both the Middle East and Europe that are actively selling their wares to adversaries of NATO and the United States. What's more, many of these firms are not shy in promoting their wares, with an active presence at major international trade shows, such as Security & Policing UK and Milipol France.
A booming industry
The scale of the industry was reflected in the finding that 75% of companies selling these technologies have done so outside of their home continent. The companies, which the authors brand as "irresponsible proliferators", have found especially willing buyers outside of NATO and the United States.
"By marketing to these parties, these firms signal that they are willing to accept or ignore the risk that their products will bolster the capabilities of client governments that might wish to threaten US/NATO national security or harm marginalized populations," the authors warn. "This is especially the case when the client government is a direct US or NATO adversary."
The global nature of the industry illustrates the growing proliferation of advanced cyber capabilities around the world, with these companies increasingly willing to use their nation-state clients to provide them with an air of respectability and legitimacy. It's an argument that rests on flimsy ground, however, not least due to the fact that nation-states are willing and able to shift the focus of attacks into other intelligence areas once capabilities have been established.
In total, the researchers analyzed over 200 firms operating in the surveillance space, including Israeli firm Cellebrite, which develops a range of forensics and phone hacking tools that are commonly deployed in countries such as China and Russia. Indeed, the company’s technology was used during the Chinese crackdown on anti-government forces in Hong Kong.
National security concerns
The authors argue that both the nature of the technology and its customers should trigger significant national security concerns, with the breadth of sales signifying considerable problems with oversight, especially as the firms appear to show no real willingness to self-regulate who they sell to or for what purpose.
The phrase “irresponsible proliferators” is deliberately provocative, with the authors hoping that it will encourage lawmakers to do more to regulate the sector and help protect what are often extremely vulnerable groups.
Various governments have made moves in this direction in recent years, with the European Union adopting more stringent rules on surveillance technology in a bid to make the industry more transparent than it currently is. Meanwhile, the US has also introduced new licensing rules to help regulate the sale of intrusion tools, with the likes of Israeli spyware firm NSO Group among those who have been blacklisted.
“While some argue for an arms-control treaty for cyberspace, regulating cyber capabilities themselves is largely ineffective,” the authors say. “Instead, shaping the behaviors of companies proliferating cyber capabilities, and limiting their activities where they conflict with national security priorities, should be the top priority.”
Tackling the industry
To do this, you first have to be aware of the true extent of the industry and the behavior of those operating in it. The authors hope that their report will be a useful first step towards achieving this. With the UN recently warning against the use of cyber-mercenaries, it is clear that there is growing concern about the use of cyber-criminals to cause real damage in the real world.
“It is undeniable that cyber-activities have the ability to cause violations both in armed conflicts and in peacetime, and thus that a whole variety of rights are engaged,” Jelena Aparac, Chair Rapporteur of the Working Group on the use of mercenaries, said. “This includes the right to life, economic social rights, freedom of expression, privacy, and the right to self-determination.”
Successfully controlling the industry is made that much harder by the obfuscation that surrounds it, with various shell companies and resellers making it hard to truly identify either the buyers or the sellers. Nonetheless, there is a growing appreciation that even tools developed for “friendly” regimes often end up in unsavory hands, and therefore there is a strong need to better govern tools that can do so much harm, not least by limiting access to the kind of cyber-surveillance events that allowed the researchers to examine the industry in the first place.