EMILIO IASIELLO
Recently, more than 35 nations have signed a new international agreement to collaborate on reigning in the “hacker for hire” commercial market, in which private interests sell tools and services to support offensive cyber activities. Under the Pall Mall Process, a joint commitment to act against an issue, the signatories will try to discourage irresponsible behavior of these organizations to improve the transparency around their activities while trying to codify ways to compel oversight and instill accountability. In addition to governments, major information technology companies such as Apple, BAE Systems, Google, and Microsoft were also in attendance. The meeting comes at a time when cyber spying and cyber espionage have increased substantially and is being conducted by both state and nonstate actors to support a wide range of surveillance, espionage, monitoring, and other forms of cyber malfeasance. Notably absent was Israel where several leading companies producing this technology are based, countries like Thailand, Mexico, Spain, and Hungary did not sign the agreement.
Per the United Kingdom’s (UK) National Cyber Security Centre, the commercial cyber spying sector is on pace to double in size every ten years. This comes on the heels of a UK Government Communications Headquarters (GCHQ) warning that more than 80 countries had purchased this type of technology over the past ten years, basing such findings on an aggregation of both classified and unclassified data. Indeed, this industry has proven quite profitable as more countries and organizations seek to outsource an invasive capability to exploit the digital space for their benefit. Granted, some of these purchases supported law enforcement entities, though a substantial number of customers used these tools in questionable human rights violations activities and can be abused by both government and private sector interests to support data theft, and other espionage-related operations.
Worse, the currently unchecked industry as a whole has been estimated to be worth approximately USD 12 billion with no signs of slowing down. The ease of purchasing companies’ tools and services and the various associated price points have lowered the bar considerably for any government, agency, or even private sector organization to have an immediate capability to perform nefarious activities against targets and competitors. The surveillance technologies offered are sophisticated and often leverage current vulnerability information to increase their effectiveness. Given the fact that many of these vendors’ tools exploited 20 of 25 zero-day vulnerabilities Google’s Threat Analysis Uncovered in 2023, it is unsurprising that the appetite to obtain these technologies is substantial.
Over the past year or so, the United States has taken a series of steps to try and rein in this industry. Recently, the U.S. Department of State issued new policy on the matter, which would empower the Department of State to impose visa restrictions on individuals associated with the misuse of commercial spyware. This action comes nearly a year after the Biden Administration issued an Executive Order barring U.S. government agencies from using commercial spyware Also during that period, the United States, as well as 48 governments, supported following Guiding Principles on Government Use of Surveillance Technologies to demonstrate their commitment to adhering to democratic principles and respecting human rights. Though not legally binding, the joint statement highlighted how these governments would work within their respective systems to establish guardrails to ensure that commercial spyware was used within the parameters of, civil liberties and the rule of law. Finally, it should be noted that the United States was the first government to take on this industry when it sanctioned the NSO Group (as well as another Israeli company) whose Pegasus spyware had been linked to several incidents of domestic surveillance, targeting journalists, and monitoring political oppositionist individuals and groups.
However, despite such progress, there have been incidents that suggest that some countries prefer to straddle the gray line. Poland recently acknowledged that it had used the Pegasus spy tool in the previous administration. And despite after the Executive Order barring U.S. government agencies from obtaining private sector surveillance technology, the Federal Bureau of Investigation still acquired the technology, though it asserts it did not knowingly use the tool. So even if countries are shifting policy stances on these tools, it may take some time to socialize in their internal bureaucracies to make sure they are not being utilized by their intelligence and law enforcement assets. The rigor with which they police their own ranks will help attest to how serious they are in mitigating their use.
The multi-nation pack harkens back to similar gestures of solidarity on contentious global issues. In 2015, members of the G20 agreed to an anti-hacking pledge in which all states ensured the secure use of Information and Communications Technology by respecting and protecting the principles of freedom from unlawful interference of privacy. Among the nations signing this pledge were notable adversaries like China and Russia, but also included more democratic leaning governments like Germany, the United Kingdom, and the United States, all countries that have been linked to offensive cyber operations. Unfortunately, historic multinational pledges have been all about show and little substance or follow up. They have not yielded any changes of state behavior, nor have nations suspected of breaking their pledges been called out for breaking the very pledge to which they had agreed. This offers little confidence that this current pledge to rein in the hacker-for-hire marketplace will result in any noticeable impact on the industry other than visible slaps on the wrist.
An agreement is certainly an encouraging first step in getting some sort of control over the commercial spyware market. However, there has been little insight so far as to how these governments intend to carry out this mission; how they will track the sale of such technology, who purchases it, and how it’s used. Enforcement will be exceptionally important and a fine line to walk, especially for democratic countries that must marry the freedoms afforded to both individuals and private companies. Furthermore, it will be imperative to understand howgovernments will define, classify, and punish potential infractions, and if criteria will be consistent across all signatories, or be solely at the discretion of the individual government. Transparency is essential with respect to ensuring that democratic governments are representing democratic principles and establishing the bar by which responsible nations will adhere to curbing commercial spyware abuses.
The ongoing demand for this technology is indicative of the belief that cyberspace continues to be the Wild West and that it is better to have the capability and not need it, than not have the necessary tools and you do. This is a great opportunity for governments to start earning back the trust of people, and the only way they can demonstrate their commitment toward reducing the uncontrolled use of this technology, and not slipping back to their “rules for thee, not for me” ways.
No comments:
Post a Comment