Selling Digital Insecurity

Uploaded on 2023-04-26 in NEWS-Cybersecurity News, INTELLIGENCE--International, FREE TO VIEW

By James Shires & Isabella Wilkinson

Addressing the sale of digital insecurity requires addressing its root causes and a coherent response from states, civil society, and the private sector.

Offensive cyber capabilities pose a significant threat to national and international security. In many cases, these capabilities are a legitimate national security tool. However, such capabilities can also cause significant – and often unpredictable – damage. 

The use of these capabilities to spread disinformation, mount disruptive cyberattacks, and launch hack-and-leak operations has derailed elections, silenced dissenting political voices, disrupted the lives of individuals, communities, companies, and even entire governments. 

Although the most advanced offensive cyber capabilities are still held by states, there is a growing global marketplace for digital insecurity, with capabilities ranging from openly advertised services to more opaque, bespoke contracts and cybercriminal markets. 

Recently, the White House announced an executive order including several new measures to combat risks posed by commercial spyware to human rights and US national security. As noted in the UK’s recent Integrated Review Refresh, the fusion of cyber threats generated by the sale of digital insecurity demands a coherent response. The UK’s new International Technology Strategy also commits to protecting security interests through ensuring sensitive technology does not fall into hostile hands.  

To address the sale of digital insecurity, states must work with civil society, victims and the private sector. They must also cooperate with major tech companies, particularly those that have been exploited as attack vectors. More controversially, states should cooperate with genuinely responsible companies offering commercial hacking and online influence services – those willing to demonstrate respect for human rights and operate within the boundaries of national and international law – while also maximizing pressure from their investors and financial backers. 

Spying, Subversion & Sabotage 2.0 

The most infamous purveyor of digital insecurity is NSO Group, whose Pegasus spyware has been purchased by over 30 states and used to track foreign politicians, dissidents, and journalists. Pegasus has been associated with severe human rights violations, including arbitrary detention, torture, and assassination. NSO Group has close links to Israel’s government, with Pegasus used to sweeten diplomatic overtures to Gulf states. Today, the company is subject to US sanctions and an EU Parliament investigation

Although NSO Group makes the most headlines, the market for digital insecurity is global. Companies and cybercriminal organizations selling disinformation-, ransomware, or hacking-for-hire are located throughout Europe, the US, India, Russia, and China, and operate worldwide. This marketplace supplies national security actors and a broader range of law enforcement agencies, law firms and private investigators. 

The notorious Internet Research Agency, founded by Wagner Group head Yevgeniy Prigozhin, wrote the commercial disinformation playbook when it deployed troll farms against the 2016 US presidential elections

Other groups combine influence operations with NSO-style hacking. Recent revelations on disinformation ‘black ops’ have exposed ‘Team Jorge’: another group of Israeli contractors who boast manipulating over 30 elections through disinformation and strategic hack-and-leaks. Commercial hackers secretly planted fake evidence on Indian human rights defenders’ devices, and then unsuccessfully attempted to cover their tracks before police arrests. 

Recent reporting on Greek intelligence services hacking a Meta manager’s device with outlawed spyware brings into focus the complex – and contradictory – landscape surrounding state use of hacking tools. 

What’s New About Selling Digital Insecurity? 

States have long sought to gather intelligence on their populations and others, to influence regional or international politics, and to exploit global political economic imbalances for financial gain. States have frequently delegated these tasks to other organizations, from private military companies to organized criminal gangs. Close predecessors of the current spate of commercial influence and hacking include Cold War-era influence operations. 

The advent of the digital age has changed the possibilities for spying, subversion, sabotage, and blackmail in three ways:. 

  • First, low entry costs and swift scalability mean companies can start small, grow quickly, and pivot between different forms of influence and digital compromise. A Middle East-based group codenamed Bahamut has hacked many targets (probably for multiple clients) and used a web of fake accounts to conduct disinformation campaigns. Iranian commercial hackers combined disinformation and attempts to compromise the US 2020 presidential elections’ digital infrastructure. 
  • Second, virtually instant cross-border data flows mean these organizations operate remotely, efficiently, with relative impunity. Groups like Conti offer ransomware-as-a-service, not just commercializing but professionalizing hacking-for-profit, with ‘affiliates’ responsible for damaging operations against critical infrastructure. Today, supposed ‘PR’ companies like Archimedes or Cambridge Analytica can influence elections without ever setting foot in a country. 

Virtually instant data flows across borders mean that cybercriminal organizations can operate with relative impunity.

  • Finally, companies offering offensive cyber services can also masquerade as part of the legitimate cybersecurity industry, appearing to offer ‘penetration testing’ to gauge network security, or build zero-day exploits as a ‘proof-of-concept’ to sell back to software designers to fix their systems. As zero-day and vulnerability markets develop globally, they fuel a pipeline of companies willing to exploit these holes for malign effects. 

Upgrading Policy & Regulation 

States have started to address the fusion of commercial cyber threats with coordinated policy responses. In February, speaking at Chatham House, the US Deputy Attorney General announced the Disruptive Technology Strike Force, targeting actors that deploy disruptive technology to undermine the US and allies through theft, hacking and espionage.

The new US Cybersecurity Strategy commits to making it impossible for ‘malicious actors to use cyber-enabled campaigns’ that ‘threaten national security or public safety’ and outlines steps to attack funding sources of companies dealing in digital insecurity. 

As an influential policy actor and home to a large market for these capabilities, the US should lead the way in this space. Beyond countering state use of these capabilities, action is needed on supply as well as demand. Successful regulation must be rooted in international law (including human rights law) and adapted to digital services’ unique characteristics. 

The US, as an influential policy actor and home to a large market for offensive cyber capabilities, should lead the way in this space.

Countries can ban or license sales to particular entities or countries. Regional and international export control measures – such as the Wassenaar Arrangement and the EU Export Control Regulation for cyber surveillance tools – must strive for harmonized implementation and broad support, to avoid ransomware and cyber surveillance ‘safe havens’. The UN’s Office of Human Rights called for a global moratorium on spyware sales until sufficient human rights guarantees are implemented. While export control is a crucial lever in the regulatory arsenal, it is limited by licensing decision opacity, national security exemptions, and slippery concepts of ‘dual use’. 

Creative Approaches 

Creative approaches from new coalitions are imperative to shape the economic incentives of those selling hacking tools. A recent joint initiative from the Heartland Initiative, European Council on Foreign Relations, Access Now, and the Business & Human Rights Resource Centre convened investors and civil society, discussing ways to use market mechanisms (like shareholder resolutions and ESG reporting) to apply pressure to companies selling digital insecurity.

Joint measures have been tested in other sectors (including in energy, climate, and extractives) yet remain nascent in cyber policy. Initiatives can learn from organizations like Citizen Lab, who sought to marshal investors against selling NSO Group in 2017, and advocacy groups who used US government pressure to prevent its sale to a defence contractor in 2022. 

Investors and civil society can use market mechanisms, like shareholder resolutions and ESG reporting, to apply pressure to companies selling digital insecurity. 

Fundamentally, addressing the sale of digital insecurity requires addressing its root causes. As the Cybersecurity Tech Accord has recently argued, improving cyber defence and the online platform environment are key measures for safeguarding critical infrastructure and democratic processes.

States and others should continuously counter malicious actors directly. But, like all marketplaces, this one can be shaped by different levers: economic, regulatory, and legal. Using these levers carefully can help build a cyberspace that is safer and more beneficial for all. 

James Shires is Senior Research Fellow in Cyber Policy at Chatham House

Isabella Wilkinson is Research Associate, International Security Programme  at Chatham House

You Might Also Read: 

Digital Platform Regulation - Impossible?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« As A Business Leader, You Must Manage Cyber Risk 
Online Safety Bill UK: WhatsApp, Encryption & The Implications For Privacy »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Cristie Data

Cristie Data

Cristie have been a trusted, innovative and leading edge data storage, backup and virtualisation solutions provider across all sectors of industry for over 40 years.

Forensic Control

Forensic Control

Forensic Control specialise in providing simple & straightforward Cyber Security to organisations, helping them assess, prevent and respond to cyber threats.

Beta Systems Software

Beta Systems Software

Beta Systems automate IT-based business processes, control access rights, monitor processes, secure the network and optimize the infrastructure management of corporate IT.

Innovative Solutions (IS)

Innovative Solutions (IS)

Innovative Solutions is a specialized professional services company delivering Information Security products and solutions for Saudi Arabia and the Gulf region.

Garner Products

Garner Products

Garner design, manufacture, and sell equipment that delivers complete, permanent, and verifiable data elimination.

Lewis Brisbois

Lewis Brisbois

Lewis Brisbois offers legal practice in more than 40 specialties, and a multitude of sub-specialties including Data Privacy & Cybersecurity.

Support Link Technologies (SLT)

Support Link Technologies (SLT)

Support Link Technologies are an IT Solutions Company committed to achieving customer satisfaction through excellent customer service.

OneLayer

OneLayer

OneLayer provide enterprise grade security dedicated for private LTE/5G networks. We ensure that the best IoT security toolkit is implemented in your cellular environment.

NetGain Technologies

NetGain Technologies

NetGain Technologies helps small to medium-sized businesses gain access to expert IT talent. We provide strategies that use technology as a driving force behind business growth.

Vertex Cyber Security

Vertex Cyber Security

Vertex provide Cyber Security Services to small to large businesses including Advise, Consulting, Adding Security Partnership, Penetration Testing, ISO 27001-2 and Audits.

AT&T Cybersecurity

AT&T Cybersecurity

AT&T Cybersecurity’s Edge-to-Edge technologies provide threat intelligence, collaborative defense, security without the seams, and solutions that fit your business.

LOCH Technologies

LOCH Technologies

LOCH Wireless Machine Vision platform delivers next generation cybersecurity, performance monitoring, and cost management for all 5G and for broad-spectrum IoT, IoMT and OT wireless environments.

Hummingbird International

Hummingbird International

Hummingbird International, LLC offers services for the collection, audit, computer recycling and safe disposal of laptops, monitor/LCD, hard drives, and IT disposal.

Sardine

Sardine

Sardine is a leader in financial crime prevention. Using unparalleled device intelligence and behavior biometrics, Sardine applies machine learning to detect and stop fraud before it happens.

Ionize

Ionize

Ionize offers solutions to help you uplift your capability across the full-spectrum of cyber security - assessment, remediation, monitoring, governance and ongoing education.

Qodea

Qodea

Qodea (formerly Appsbroker CTS) is Europe's largest Google Premier only transformation partner.