In Perspective | The crackdown on cyber mercenaries
Last week, the US Commerce Department blacklisted four companies for “malicious cyber activities”. The crackdown adds some friction to the development of such cutting-edge technologies and sends a deterrent signal to other democratic allies.
Last week, the US Commerce Department blacklisted four companies for “malicious cyber activities”, including the NSO Group, which makes and deploys the Pegasus spyware on behalf of its clients.
The decision appeared to deal a significant blow to the Israeli company — Wall Street cast fresh doubts on its ability to pay back a debt of $300 million, its CEO-designate resigned, and Israel’s government appeared to distance itself from the controversies of what it said was a private company.
The move was a long time coming, especially since the NSO Group is now believed to have enabled significant human rights abuses and has served clients that have targeted American allies, including elected state functionaries of NATO members such as France.
The blacklist included another Israeli company, Candiru, and Russian firm Positive Technologies and Singapore-based Computer Security Initiative Consultancy. The Israeli companies were sanctioned because they “supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers”.
The Russia- and Singapore-based companies were acted upon “based on a determination that they traffic in cyber tools used to gain unauthorized access to information systems, threatening the privacy and security of individuals and organisations worldwide”.
The most significant implication of the commerce department decision is that it draws a clear red line: practices that “threaten the rules-based international order” are in the crosshairs of the most powerful military and economic power of the world.
It is notable that the commerce department calls out how these companies have enabled “transnational repression”.
The message is clear: “Today’s action is a part of the Biden-Harris Administration’s efforts to put human rights at the center of U.S. foreign policy, including by working to stem the proliferation of digital tools used for repression.”
And it holds implications for a country like India, which aspires to be, and is seen as being, in the same league as democracies that uphold a rules-based order. It affirmed a shared objective to uphold the principle of open societies most recently during the first in-person summit of the Quad partners along with the US, Australia and Japan.
India — its judiciary and civil society included — is at a moment of reckoning on how to treat subversive cyber technologies such as Pegasus, which can indeed serve significant national security purposes but are technically more than capable of launching clandestine surveillance operations that defy Constitutional principles.
But the commerce department decision by no means translates into a full crackdown on companies that create hacking tools.
A recent report by the Atlantic Council has detailed the sweeping proliferation of cyber arms globally, which US/NATO allies as well as their adversaries can purchase. At least 59 companies are developing and selling such cyber capabilities, the report notes with “high confidence” — a further 22 companies are listed under “medium confidence” and 143 under “low confidence”.
This means there is now a shadowy international arms market for cyber tools that can be used to launch espionage attempts by countries against their own citizens as well as those of another country.
For several of these companies, the clients are US law enforcement agencies, which means the crackdown seen in the case of NSO, Candiru and the others may not fall on them.
Take for example the case of Cellebrite, another Israeli company. Cellebrite’s tools, like NSO’s, are also positioned for lawful interception. The FBI and several US police departments are known to use it to break into people’s iPhones. But, as the Atlantic Council report notes, the company also has “both Chinese and Russian” customers — countries where transparency regarding how such tools are used is unlikely to be of the same standard as what the US expects.
The American crackdown, thus, is likely to leave out cyber mercenaries as long as they play by rules established by the US and NATO. As it is, the proliferation of such subversive technology is not hard — independent cyber actors have been able to sell such capabilities clandestinely through the dark web.
What the US crackdown does, then, is add some friction to the development of such cutting-edge technologies (the most powerful of such tools are built by companies like NSO that can afford to pay developers for the talent) and send a deterrent signal to other democratic allies. But it is also likely to only push a shadowy industry deeper underground, where public scrutiny will only become tougher.