Selling Digital Insecurity

By James Shires & Isabella Wilkinson


Addressing the sale of digital insecurity requires addressing its root causes and a coherent response from states, civil society, and the private sector.


Offensive cyber capabilities pose a significant threat to national and international security. In many cases, these capabilities are a legitimate national security tool. However, such capabilities can also cause significant – and often unpredictable – damage. 

The use of these capabilities to spread disinformation, mount disruptive cyberattacks, and launch hack-and-leak operations has derailed elections, silenced dissenting political voices, disrupted the lives of individuals, communities, companies, and even entire governments. 

Although the most advanced offensive cyber capabilities are still held by states, there is a growing global marketplace for digital insecurity, with capabilities ranging from openly advertised services to more opaque, bespoke contracts and cybercriminal markets. 

Recently, the White House announced an executive order including several new measures to combat risks posed by commercial spyware to human rights and US national security. As noted in the UK’s recent Integrated Review Refresh, the fusion of cyber threats generated by the sale of digital insecurity demands a coherent response. The UK’s new International Technology Strategy also commits to protecting security interests through ensuring sensitive technology does not fall into hostile hands.  

To address the sale of digital insecurity, states must work with civil society, victims and the private sector. They must also cooperate with major tech companies, particularly those that have been exploited as attack vectors. More controversially, states should cooperate with genuinely responsible companies offering commercial hacking and online influence services – those willing to demonstrate respect for human rights and operate within the boundaries of national and international law – while also maximizing pressure from their investors and financial backers. 

Spying, Subversion & Sabotage 2.0 

The most infamous purveyor of digital insecurity is NSO Group, whose Pegasus spyware has been purchased by over 30 states and used to track foreign politicians, dissidents, and journalists. Pegasus has been associated with severe human rights violations, including arbitrary detention, torture, and assassination. NSO Group has close links to Israel’s government, with Pegasus used to sweeten diplomatic overtures to Gulf states. Today, the company is subject to US sanctions and an EU Parliament investigation

Although NSO Group makes the most headlines, the market for digital insecurity is global. Companies and cybercriminal organizations selling disinformation-, ransomware, or hacking-for-hire are located throughout Europe, the US, India, Russia, and China, and operate worldwide. This marketplace supplies national security actors and a broader range of law enforcement agencies, law firms and private investigators. 

The notorious Internet Research Agency, founded by Wagner Group head Yevgeniy Prigozhin, wrote the commercial disinformation playbook when it deployed troll farms against the 2016 US presidential elections

Other groups combine influence operations with NSO-style hacking. Recent revelations on disinformation ‘black ops’ have exposed ‘Team Jorge’: another group of Israeli contractors who boast manipulating over 30 elections through disinformation and strategic hack-and-leaks. Commercial hackers secretly planted fake evidence on Indian human rights defenders’ devices, and then unsuccessfully attempted to cover their tracks before police arrests. 

Recent reporting on Greek intelligence services hacking a Meta manager’s device with outlawed spyware brings into focus the complex – and contradictory – landscape surrounding state use of hacking tools. 

What’s New About Selling Digital Insecurity? 

States have long sought to gather intelligence on their populations and others, to influence regional or international politics, and to exploit global political economic imbalances for financial gain. States have frequently delegated these tasks to other organizations, from private military companies to organized criminal gangs. Close predecessors of the current spate of commercial influence and hacking include Cold War-era influence operations. 

The advent of the digital age has changed the possibilities for spying, subversion, sabotage, and blackmail in three ways:. 

  • First, low entry costs and swift scalability mean companies can start small, grow quickly, and pivot between different forms of influence and digital compromise. A Middle East-based group codenamed Bahamut has hacked many targets (probably for multiple clients) and used a web of fake accounts to conduct disinformation campaigns. Iranian commercial hackers combined disinformation and attempts to compromise the US 2020 presidential elections’ digital infrastructure. 
  • Second, virtually instant cross-border data flows mean these organizations operate remotely, efficiently, with relative impunity. Groups like Conti offer ransomware-as-a-service, not just commercializing but professionalizing hacking-for-profit, with ‘affiliates’ responsible for damaging operations against critical infrastructure. Today, supposed ‘PR’ companies like Archimedes or Cambridge Analytica can influence elections without ever setting foot in a country. 

Virtually instant data flows across borders mean that cybercriminal organizations can operate with relative impunity.

  • Finally, companies offering offensive cyber services can also masquerade as part of the legitimate cybersecurity industry, appearing to offer ‘penetration testing’ to gauge network security, or build zero-day exploits as a ‘proof-of-concept’ to sell back to software designers to fix their systems. As zero-day and vulnerability markets develop globally, they fuel a pipeline of companies willing to exploit these holes for malign effects. 

Upgrading Policy & Regulation 

States have started to address the fusion of commercial cyber threats with coordinated policy responses. In February, speaking at Chatham House, the US Deputy Attorney General announced the Disruptive Technology Strike Force, targeting actors that deploy disruptive technology to undermine the US and allies through theft, hacking and espionage.

The new US Cybersecurity Strategy commits to making it impossible for ‘malicious actors to use cyber-enabled campaigns’ that ‘threaten national security or public safety’ and outlines steps to attack funding sources of companies dealing in digital insecurity. 

As an influential policy actor and home to a large market for these capabilities, the US should lead the way in this space. Beyond countering state use of these capabilities, action is needed on supply as well as demand. Successful regulation must be rooted in international law (including human rights law) and adapted to digital services’ unique characteristics. 

The US, as an influential policy actor and home to a large market for offensive cyber capabilities, should lead the way in this space.

Countries can ban or license sales to particular entities or countries. Regional and international export control measures – such as the Wassenaar Arrangement and the EU Export Control Regulation for cyber surveillance tools – must strive for harmonized implementation and broad support, to avoid ransomware and cyber surveillance ‘safe havens’. The UN’s Office of Human Rights called for a global moratorium on spyware sales until sufficient human rights guarantees are implemented. While export control is a crucial lever in the regulatory arsenal, it is limited by licensing decision opacity, national security exemptions, and slippery concepts of ‘dual use’. 

Creative Approaches 

Creative approaches from new coalitions are imperative to shape the economic incentives of those selling hacking tools. A recent joint initiative from the Heartland Initiative, European Council on Foreign Relations, Access Now, and the Business & Human Rights Resource Centre convened investors and civil society, discussing ways to use market mechanisms (like shareholder resolutions and ESG reporting) to apply pressure to companies selling digital insecurity.

Joint measures have been tested in other sectors (including in energy, climate, and extractives) yet remain nascent in cyber policy. Initiatives can learn from organizations like Citizen Lab, who sought to marshal investors against selling NSO Group in 2017, and advocacy groups who used US government pressure to prevent its sale to a defence contractor in 2022. 

Investors and civil society can use market mechanisms, like shareholder resolutions and ESG reporting, to apply pressure to companies selling digital insecurity. 

Fundamentally, addressing the sale of digital insecurity requires addressing its root causes. As the Cybersecurity Tech Accord has recently argued, improving cyber defence and the online platform environment are key measures for safeguarding critical infrastructure and democratic processes.

States and others should continuously counter malicious actors directly. But, like all marketplaces, this one can be shaped by different levers: economic, regulatory, and legal. Using these levers carefully can help build a cyberspace that is safer and more beneficial for all. 

James Shires is Senior Research Fellow in Cyber Policy at Chatham House

Isabella Wilkinson is Research Associate, International Security Programme  at Chatham House

You Might Also Read: 

Digital Platform Regulation - Impossible?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« As A Business Leader, You Must Manage Cyber Risk 
Online Safety Bill UK: WhatsApp, Encryption & The Implications For Privacy »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Cyber Security Centre - University of Hertfordshire

Cyber Security Centre - University of Hertfordshire

The Cyber Security Centre provides training, teaching and research in the fast paced topics of cyber security and digital forensics.

Association of Information Security Professionals (AISP)

Association of Information Security Professionals (AISP)

The Association of Information Security Professionals (AISP) represents the interests of information security professionals in Singapore.

Wooxo

Wooxo

Wooxo provides business security and continuity solutions to protect business data for organisation of all sizes.

ClickDatos

ClickDatos

ClickDatos specializes in consulting, auditing, data protection training, accredited by ISO/IEC 27001 certification.

EdgeWave

EdgeWave

EdgeWave provides simple but highly effective data security and advanced threat protection in solutions that are affordable, scalable and easy to use.

Dubai Electronic Security Center (DESC)

Dubai Electronic Security Center (DESC)

Dubai Electronic Security Center (DESC) was founded to develop and implement information security practices in Dubai.

Magix Security

Magix Security

Magix Security assesses the cyber threat, gives you visibility of how vulnerable your business is to attack, and provides cybercrime detection and prevention services.

Cowbell Cyber

Cowbell Cyber

Cowbell Cyber™ offers continuous risk assessment, comprehensive cyber liability coverage, and continuous underwriting through an AI-powered platform.

Datplan

Datplan

Datplan offers a software solution that gives an overview of 8 key cyber risk areas, their threats, and risk management steps.

RedLegg

RedLegg

RedLegg is a master provider of information security services, a boutique, nimble, old-fashioned customer service company that enjoys the technology battlefield.

Vectra AI

Vectra AI

Vectra threat detection & response - see and stop threats across hybrid and multi-cloud enterprises.

Cisilion

Cisilion

Cisilion's mission is simple – to transform and connect business with next-generation IT infrastructure. Our expertise includes enterprise networking, security, data centre & cloud, managed services.

Allstate Identity Protection

Allstate Identity Protection

Allstate make it easy to provide complete identity protection, so everyone can live more confidently online.

Tracebit

Tracebit

Tracebit uses decoys to detect and respond to cloud intrusions in minutes.

BBS Technology

BBS Technology

BBS Technology is a company that develops and delivers next-generation cyber security technologies worldwide.

SignalRed

SignalRed

SignalRed provides the cutting edge next-generation penetration testing and secure development solutions to startups and large enterprises.