Selling Digital Insecurity

By James Shires & Isabella Wilkinson


Addressing the sale of digital insecurity requires addressing its root causes and a coherent response from states, civil society, and the private sector.


Offensive cyber capabilities pose a significant threat to national and international security. In many cases, these capabilities are a legitimate national security tool. However, such capabilities can also cause significant – and often unpredictable – damage. 

The use of these capabilities to spread disinformation, mount disruptive cyberattacks, and launch hack-and-leak operations has derailed elections, silenced dissenting political voices, disrupted the lives of individuals, communities, companies, and even entire governments. 

Although the most advanced offensive cyber capabilities are still held by states, there is a growing global marketplace for digital insecurity, with capabilities ranging from openly advertised services to more opaque, bespoke contracts and cybercriminal markets. 

Recently, the White House announced an executive order including several new measures to combat risks posed by commercial spyware to human rights and US national security. As noted in the UK’s recent Integrated Review Refresh, the fusion of cyber threats generated by the sale of digital insecurity demands a coherent response. The UK’s new International Technology Strategy also commits to protecting security interests through ensuring sensitive technology does not fall into hostile hands.  

To address the sale of digital insecurity, states must work with civil society, victims and the private sector. They must also cooperate with major tech companies, particularly those that have been exploited as attack vectors. More controversially, states should cooperate with genuinely responsible companies offering commercial hacking and online influence services – those willing to demonstrate respect for human rights and operate within the boundaries of national and international law – while also maximizing pressure from their investors and financial backers. 

Spying, Subversion & Sabotage 2.0 

The most infamous purveyor of digital insecurity is NSO Group, whose Pegasus spyware has been purchased by over 30 states and used to track foreign politicians, dissidents, and journalists. Pegasus has been associated with severe human rights violations, including arbitrary detention, torture, and assassination. NSO Group has close links to Israel’s government, with Pegasus used to sweeten diplomatic overtures to Gulf states. Today, the company is subject to US sanctions and an EU Parliament investigation

Although NSO Group makes the most headlines, the market for digital insecurity is global. Companies and cybercriminal organizations selling disinformation-, ransomware, or hacking-for-hire are located throughout Europe, the US, India, Russia, and China, and operate worldwide. This marketplace supplies national security actors and a broader range of law enforcement agencies, law firms and private investigators. 

The notorious Internet Research Agency, founded by Wagner Group head Yevgeniy Prigozhin, wrote the commercial disinformation playbook when it deployed troll farms against the 2016 US presidential elections

Other groups combine influence operations with NSO-style hacking. Recent revelations on disinformation ‘black ops’ have exposed ‘Team Jorge’: another group of Israeli contractors who boast manipulating over 30 elections through disinformation and strategic hack-and-leaks. Commercial hackers secretly planted fake evidence on Indian human rights defenders’ devices, and then unsuccessfully attempted to cover their tracks before police arrests. 

Recent reporting on Greek intelligence services hacking a Meta manager’s device with outlawed spyware brings into focus the complex – and contradictory – landscape surrounding state use of hacking tools. 

What’s New About Selling Digital Insecurity? 

States have long sought to gather intelligence on their populations and others, to influence regional or international politics, and to exploit global political economic imbalances for financial gain. States have frequently delegated these tasks to other organizations, from private military companies to organized criminal gangs. Close predecessors of the current spate of commercial influence and hacking include Cold War-era influence operations. 

The advent of the digital age has changed the possibilities for spying, subversion, sabotage, and blackmail in three ways:. 

  • First, low entry costs and swift scalability mean companies can start small, grow quickly, and pivot between different forms of influence and digital compromise. A Middle East-based group codenamed Bahamut has hacked many targets (probably for multiple clients) and used a web of fake accounts to conduct disinformation campaigns. Iranian commercial hackers combined disinformation and attempts to compromise the US 2020 presidential elections’ digital infrastructure. 
  • Second, virtually instant cross-border data flows mean these organizations operate remotely, efficiently, with relative impunity. Groups like Conti offer ransomware-as-a-service, not just commercializing but professionalizing hacking-for-profit, with ‘affiliates’ responsible for damaging operations against critical infrastructure. Today, supposed ‘PR’ companies like Archimedes or Cambridge Analytica can influence elections without ever setting foot in a country. 

Virtually instant data flows across borders mean that cybercriminal organizations can operate with relative impunity.

  • Finally, companies offering offensive cyber services can also masquerade as part of the legitimate cybersecurity industry, appearing to offer ‘penetration testing’ to gauge network security, or build zero-day exploits as a ‘proof-of-concept’ to sell back to software designers to fix their systems. As zero-day and vulnerability markets develop globally, they fuel a pipeline of companies willing to exploit these holes for malign effects. 

Upgrading Policy & Regulation 

States have started to address the fusion of commercial cyber threats with coordinated policy responses. In February, speaking at Chatham House, the US Deputy Attorney General announced the Disruptive Technology Strike Force, targeting actors that deploy disruptive technology to undermine the US and allies through theft, hacking and espionage.

The new US Cybersecurity Strategy commits to making it impossible for ‘malicious actors to use cyber-enabled campaigns’ that ‘threaten national security or public safety’ and outlines steps to attack funding sources of companies dealing in digital insecurity. 

As an influential policy actor and home to a large market for these capabilities, the US should lead the way in this space. Beyond countering state use of these capabilities, action is needed on supply as well as demand. Successful regulation must be rooted in international law (including human rights law) and adapted to digital services’ unique characteristics. 

The US, as an influential policy actor and home to a large market for offensive cyber capabilities, should lead the way in this space.

Countries can ban or license sales to particular entities or countries. Regional and international export control measures – such as the Wassenaar Arrangement and the EU Export Control Regulation for cyber surveillance tools – must strive for harmonized implementation and broad support, to avoid ransomware and cyber surveillance ‘safe havens’. The UN’s Office of Human Rights called for a global moratorium on spyware sales until sufficient human rights guarantees are implemented. While export control is a crucial lever in the regulatory arsenal, it is limited by licensing decision opacity, national security exemptions, and slippery concepts of ‘dual use’. 

Creative Approaches 

Creative approaches from new coalitions are imperative to shape the economic incentives of those selling hacking tools. A recent joint initiative from the Heartland Initiative, European Council on Foreign Relations, Access Now, and the Business & Human Rights Resource Centre convened investors and civil society, discussing ways to use market mechanisms (like shareholder resolutions and ESG reporting) to apply pressure to companies selling digital insecurity.

Joint measures have been tested in other sectors (including in energy, climate, and extractives) yet remain nascent in cyber policy. Initiatives can learn from organizations like Citizen Lab, who sought to marshal investors against selling NSO Group in 2017, and advocacy groups who used US government pressure to prevent its sale to a defence contractor in 2022. 

Investors and civil society can use market mechanisms, like shareholder resolutions and ESG reporting, to apply pressure to companies selling digital insecurity. 

Fundamentally, addressing the sale of digital insecurity requires addressing its root causes. As the Cybersecurity Tech Accord has recently argued, improving cyber defence and the online platform environment are key measures for safeguarding critical infrastructure and democratic processes.

States and others should continuously counter malicious actors directly. But, like all marketplaces, this one can be shaped by different levers: economic, regulatory, and legal. Using these levers carefully can help build a cyberspace that is safer and more beneficial for all. 

James Shires is Senior Research Fellow in Cyber Policy at Chatham House

Isabella Wilkinson is Research Associate, International Security Programme  at Chatham House

You Might Also Read: 

Digital Platform Regulation - Impossible?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« As A Business Leader, You Must Manage Cyber Risk 
Online Safety Bill UK: WhatsApp, Encryption & The Implications For Privacy »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Beyond Security

Beyond Security

Beyond Security is a leader in automated vulnerability assessment and compliance solutions - enabling customers to accurately assess and manage security weaknesses in their networks and applications.

Sintef Digital

Sintef Digital

Sintef Digital carries out research in Information and Communication Technology for industry and the public sector.

SecureMetric Technology

SecureMetric Technology

SecureMetric is one of SE Asia’s leading players in the field of digital security with a focus on Software Licensing Protection, 2-Factor Authentication, Advanced Identity and Access Management, Publi

Meiya Pico Information Co

Meiya Pico Information Co

Meiya Pico is the leading digital forensics and information security products and service provider in China.

Sistem Integra (SISB)

Sistem Integra (SISB)

SISB provide IT Security Infrastructure & Development, Mechanical & Electrical Services, Fire Safety & Detection Services, Facilities Management & Application Development.

Digital Law

Digital Law

Digital Law is the only UK law firm to specialise solely in online, data and cyber law.

CyberCX

CyberCX

CyberCX provides services from strategic consulting, security testing and training to world-class managed services and engineering solutions.

Tetrad Digital Integrity (TDI)

Tetrad Digital Integrity (TDI)

TDI is a world-class consulting firm offering cybersecurity services to government agencies and commercial clients around the world.

Surefire Cyber

Surefire Cyber

Surefire Cyber delivers swift, strong response to cyber incidents such as ransomware, email compromise, malware, data theft, and other threats with end-to-end response capabilities.

Liberty Technology

Liberty Technology

Liberty Technology has a host of highly trained, certified experts who assist our clients with immediate remote support as well as on-site service.

NewsGuard Technologies

NewsGuard Technologies

NewsGuard provides transparent tools to counter misinformation for readers, brands, and democracies.

Redcoat AI

Redcoat AI

Redcoat AI provide a comprehensive security platform that continuously evolves with the threats and opportunities presented by AI.

Phone Monitoring Service

Phone Monitoring Service

Phone Monitoring Service provides cyber security services, ethical hacking services, social media hacking services in the USA, Canada, Europe.

Cyber Security Certification Australia (CSCAU)

Cyber Security Certification Australia (CSCAU)

CSCAU is the world’s first 'for mission' industry council set up to address small and medium-sized business (SMB) cyber resilience through annually updated certifiable standards.

CRYPTIQ

CRYPTIQ

CRYPTIQ empowers businesses to navigate the ever-evolving cybersecurity landscape with confidence and clarity.

VRS Technologies

VRS Technologies

VRS Technologies LLC offers expert IT solutions in Dubai, including AMC, cybersecurity, and tech rentals. Trusted by businesses for reliable, customized services.