Tech at the Leading Edge March 1, 2023

Makings of the Market: Seven perspectives on offensive cyber capability proliferation

By Jen Roberts and Emma Schroeder

The marketplace for offensive cyber capabilities (OCC)—the combination of tools; vulnerabilities; and skills, including technical, organizational, and individual capacities used to conduct offensive cyber operations—continues to grow globally. These capabilities, once developed primarily by a small handful of states, are now available for purchase from this international private market, both legal and illegal, to a widening array of both state and nonstate actors. These capabilities, and their proliferation, pose an expanding set of risks to national security and human rights around the globe.

However, these capabilities also have legitimate use in state security and defense—the boundaries of which are ill-defined. Many states have clear incentives to participate in this market, to acquire these capabilities, and more types of actors are able to find financial opportunity as this market grows. Regulation, transparency, and reshaping of this market are necessary to counter the threats this unbounded proliferation poses, and states, independently and in cooperation, have the impetus and the opportunity to do so.

To dive deeper on this topic, we asked seven experts to offer their perspectives on these threats and how policymakers can help counter them: 

Briefly, what are the principal equities/interests in the proliferation of cyber capabilities?

“There are five main players interested in the proliferation of cyber capabilities: capability vendors, governments, middlemen and resellers, large technology companies, and civil society organizations.  

Capability vendors (i.e., zero-day brokers, Access-as-a-Service firms, spyware vendors etc.) sell capabilities to governments, occasionally through middlemen or resellers (especially if they do not have pre-existing relationships with people in government technology acquisition programs). These capabilities usually involve abusing platforms and services offered by tech companies—like breaking into phones, exploiting chat platforms, or hosting malware on cloud services. Some of the operations using these capabilities target legitimate national security threats, but others will target civil society organizations, especially if the government has a wide definition of national security and little outside accountability. The privatization of this industry also means that governments who previously could not afford to build spying capabilities at home can now do so, cheaply.  

Because all players are operating in a space full of secrecy and information asymmetry, each part of the system can and will be abused. Some capability vendors sell to governments they shouldn’t sell to, some middlemen will repackage and resell vulnerabilities they’ve already sold to others, and some governments will abuse these tools to target vulnerable populations or engage in “spyware diplomacy”—allowing their domestic spyware companies to sell to a foreign government in order to curry diplomatic favor. Western governments, large technology firms, and civil society have overlapping interests in this space: curbing the abuse caused by its inherent secrecy and thereby see fewer abuses of human rights, fewer countries engaging in cyber operations, and fewer actors abusing technology services.”  

Winnona DeSombre-Bernsen, non-resident fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council

What benefits and risks do companies like Zerodium, along with similar middlemen, pose as their role grows larger in the proliferation of offensive cyber capabilities?

“Zerodium and other middlemen operate as market makers, buying and selling the same product in a marketplace. Market making is not inherently bad—the problem arises when they connect vendors to customers both internationally and domestically without providing any transparency to the people they’re buying from or selling to.  While these firms enable ways to capture supply from sources that wouldn’t be able to reach buyers directly or would be averse to a direct relationship, they also result in a murky supply chain. There is a lack of understanding around vulnerability sourcing, who the talent is, and who else they’re selling things to. Because of that, governments are unable to drive the direction of the supply chain for future assurance.  

Zerodium is able to operate this way because government customers appreciate the lack of transparency: historically, independent exploits have been written by seedy individuals, and the less government has to interact with them, the better. However, this is no longer the case. Exploits are now available from reputable individuals and companies. If government customers continue to want this ambiguity, they will continue to enable brokers like Zerodium to operate outside of the best interests of the US market. Increased transparency from all parties will make sure offensive cyber capabilities end up in the proper hands.” 

Sophia D’Antoine, founder and managing partner, Margin Research

If there is a legitimate state interest in shaping the flow of offensive cyber capabilities to friendly states, how does this activity differ from conventional arms sales? Is the US government signaling differently in the two spaces?

“The differences between conventional arms and offensive cyber capabilities are immense. Deniable ambiguity muddies every step of the way in attempting to meaningfully curtail the sale of offensive cyber capabilities. First, offensive cyber capabilities are often multi-role by nature; they are tools of network breaching, surveillance, and potential attack depending on how they are used. Second, their footprint is substantially smaller than their physical counterparts, which makes interdiction—or threat thereof—challenging to impossible. Third, offensive cyber capabilities require relatively little except for high quality personnel to produce reliable outputs. While experts may be in relatively short supply, manufacturing and supply chains are much thinner and therefore harder to subject to scrutiny, transparency, and enforcement.  

Only a great deal of collaborative international intent and investment can even remotely make a dent in shaping the flow of offensive cyber capabilities. Efforts will need to include incentivizing the positive actors to continue participating responsibly, disincentivizing sales to less desirable users, creating a culture of due diligence on sale and use, exerting diplomatic pressure on “flexible” nations willing to host unscrupulous sellers or creating a pipeline of expat talent, and a stronger accounting of key human talent in this space and their doings. Considering the quantity of actors benefiting from the existing ambiguities, it is not clear to me that the motivation even exists to support a shift like that, let alone to invest in it strategically.”  

Dr. Daniel Moore, cyber warfare researcher, author of “Offensive Cyber Operations”

There has been a lot of focus on Israel and NSO Group, but there are plenty of other countries home to similar activities. What kind of effects might Israel changing the character of its regulation of these firms have on where similar companies choose to do business?

“Despite receiving most of the attention, Israel is far from the only nation with a bustling digital surveillance industry. Indeed, over the last decade, the Israeli government has implemented additional controls on the export of hacking tools which has caused some local companies to consider moving abroad. The most common destination for this relocation effort so far has been Cyprus, but there is also some expansion in the Middle East and Asia – especially into the United Arab Emirates and Singapore.  

As Western governments continue to move towards tighter controls on the sale and development of hacking tools, they will likely face internal pressures from their own defense and intelligence communities which may effectively temper rapid change. The sale of military-related products has long been seen as a key tool in the nation state diplomatic toolbox for building and maintaining relations between foreign partners. 

Assuming some level of significant regulatory progress in the future, however, I expect to see more spyware companies move into tax haven territories that offer greater corporate secrecy. This is already beginning to occur. While the shift so far is limited and only anecdotal, it may lead to a situation where these companies are harder to identify, track and regulate.”  

Christopher Bing, media fellow, Alperovitch Institute

Besides jurisdiction and the fact that many states want some of these companies to operate, what are policymakers biggest challenges to imposing penalties and positive shaping the behavior of companies across the marketplace for offensive cyber capabilities?

“The challenges are varied and speak to the core of transferring concepts from the physical to the digital world. The nature of the asset, i.e., data—which can be easily transmitted and transformed—makes transfers difficult to detect or trace across national boundaries. These traits coupled with the complex and global nature of the ecosystem comprised of varying cultures and legal jurisdictions create an intricate mix. Beyond these foundational aspects there is then: 

  • The strategic national advantage and agency that offensive cyber capabilities provide. 
  • Pace of policy response historically against dynamic, fast changing and modular ecosystems reliant on technical definitions at a trans-government level.  
  • An assumption that only companies and not individuals with no legal entity are capable of being material market or capability shapers and makers. 
  • Lack of transparency, insight, and monitorability of this global ecosystem when compared to physical equivalents such as small arms, chemical and radiological weapons etc. 
  • Lack of evidence that an ecosystem which in part has its roots in counterculture, creativity, and anti-authoritarianism can be sufficiently shaped and controlled globally to achieve policy aims. 
  • Ways in which software can be broken down into component parts distributed across many suppliers so as to not provide described functionality as written in legislation and yet reassembled elsewhere in the destination country to provide said functionality. 
  • Existence of alternative financial systems which are resilient to Western government-imposed sanctions in situations of non-compliance or disagreement. 
  • Existence of vast and growing amount of capability as open source which can be integrated to provide capability further lowering bar of entry. 

These examples highlight the complexities and competing forces in a market which are only now starting to be contested. Any one of these could be material in its own right but when combined, highlight the enormity and complexity of the challenge to policymakers. Especially so when we recognize this list isn’t comprehensive. 

However, this does not mean we should not try and learn from previous lessons as we look to address the challenge.” 

Ollie Whitehouse, founder, BinaryFirefly

For governments and corporations, there is generally more public awareness of this proliferation and its impacts but so far that attention has translated to only limited action from both groups. What role should different kinds of companies play in raising awareness, shaping, and providing appropriate incentives or disincentives to this market for offensive cyber capabilities?

“Microsoft recognizes the urgency of the threat posed by cyber mercenaries and the proliferation of offensive cyber capabilities and believes that progress can only happen through strong multistakeholder partnerships. Therefore, we welcome the growing number of governments that are taking action. The charges brought in the United States against former US intelligence and military personnel accused of being cyber mercenaries is one such example. The European Parliament’s investigation of spyware use in Europe is another. These developments follow years of work by non-governmental organizations (NGOs), which tirelessly support and draw attention to the victims of cyber mercenaries—innocent citizens around the world.  

Similarly, industry recognizes its own role in addressing this issue, but acknowledges that more needs to be done. The volume of abuse connected with this market is increasing exponentially and indeed, it seems likely that the current public revelations may only be the tip of the iceberg. Companies have a key role to play and should focus efforts around:  

  1. Taking steps to counter cyber mercenaries’ use of products and services to harm people 
  2. Identifying ways to actively counter the cyber mercenary market 
  3. Investing in cybersecurity awareness of customers, users and the general public 
  4. Protecting customers and users by maintaining the integrity and security of products and services and  
  5. Developing processes for handling valid legal requests for information.

Some transformative business practices include adhering to established corporate responsibility principles grounded in the protection of human rights and adopting policies that ensure private sector transparency.” 

Monica Ruiz, program manager, Digital Diplomacy, Microsoft

How do you expect the clients present in the market for offensive cyber capabilities to change over the next 3 years?

“The market for offensive cyber capabilities has already demonstrated its ability to grow  to meet ever-expanding demand. The affordability of these capabilities, relative to the cost of building them domestically, allows governments previously unable to procure surveillance capabilities the avenue to do so. The PEGA committee inquiry particularly calls out governments like Hungary and Greece who do not have large cyber operations capabilities but were able to purchase spyware for political suppression among other uses. 

Even in cases where governments have attempted to crack down on companies operating within their countries, like Israel, the talent pool shifts to other states like Cyprus, North Macedonia, and Turkey to circumvent regulation. Growth is thus driven by demand and not limited by any highly effective regulatory scheme. The future of real governance over this market is dependent on governments, technology companies, and civil society partners enacting scalable and transparent policies for both vendors and clients. Done right, the international community can still effectively shape this market to greatly reduce widespread human rights abuses and national security harms.”  

Jen Roberts, program assistant, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

Related Experts: Jen Roberts, Winnona DeSombre Bernsen, and Emma Schroeder