They also argue that numerous companies that market internationally, especially to adversaries of NATO, are “irresponsible proliferators” and deserve more attention from policymakers.
These companies include Israel’s Cellebrite, which develops phone hacking and forensics tools, and which sells around the world to countries including the US, Russia, and China. The company has already faced significant blowback because of, for example, its role during China’s crackdown in Hong Kong and the discovery that its technology was being used by a Bangladeshi “death squad.”
“When these firms begin to sell their wares to both NATO members and adversaries,” the report says, “it should provoke national security concerns by all customers.”
The trade is increasingly global, according to the report, with 75% of companies selling cyber surveillance and intrusion products outside their own home continent. Lead author Winnona DeSombre, a fellow with the Atlantic Council’s Cyber Statecraft Initiative, argues that such sales signal potential problems with oversight.
“There does not seem to be a willingness to self-regulate for a majority of these firms,” she says.
By marking such firms as “irresponsible proliferators,” DeSombre hopes to encourage lawmakers around the world to target some companies for greater regulation.
“When these firms begin to sell their wares to both NATO members and adversaries, it should provoke national security concerns by all customers.”
Governments have recently made moves toward some forms of control. The EU adopted stricter rules on surveillance tech last year, with the goal of increasing industry transparency. And within the last month, the US has enacted stricter new licensing rules for selling intrusion tools. The notorious Israeli spyware company NSO Group was one of several companies added to a US blacklist because of allegations that spyware it supplied to foreign governments was then used to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers. NSO has consistently denied wrongdoing and argued that it strictly investigates abuse and shuts off offending customers.
Nevertheless, one of the report’s authors says it is important to realize the true scale of what is happening.
“The most basic takeaway from this paper is that we are dealing with an industry,” says Johann Ole Willers, a fellow at the Norwegian Institute of International Affairs (NUPI) Centre for Cyber Security Studies. “That is a fundamental insight. It’s not enough to target NSO Group.”
United Nations human rights experts recently raised alarms about what they called “growing use of mercenaries in cyberspace.”
“It is undeniable that cyber-activities have the ability to cause violations both in armed conflicts and in peacetime, and thus that a whole variety of rights are engaged,” Jelena Aparac, chair of a United Nations working group on the issue, said in a statement. The group called on international lawmakers to more effectively regulate the industry in order to protect “the right to life, economic social rights, freedom of expression, privacy, and the right to self-determination.”