Approximately one year ago, on November 3, 2021, the US Commerce Department added four companies, including Israel-based NSO Group, to its Entity List for supporting cyber surveillance and access-as-a-service activities, “that are contrary to the national security or foreign policy interests of the United States.” Foreign governments used NSO Group’s products, notably its Pegasus spyware, to target individuals, such as journalists and activists, and suppress dissent. Just one month later, reporting indicated that Apple tipped off the US Embassy in Uganda that an undisclosed foreign government had targeted the iPhones of eleven embassy employees.
A New York Times report published on November 12 reveals how close the United States was to using Pegasus for its own investigative purposes. The FBI, which previously acknowledged having acquired a Pegasus license for research and development, contemplated use of the tool in late 2020 and early 2021 and developed guidelines for how federal prosecutors would disclose its use in criminal proceedings. The FBI ultimately decided not to buy from NSO, amid the many stories of abuse of the tool by foreign governments, but the revelation underscores the double-edged nature of cyber surveillance technologies designed to support law enforcement and intelligence missions.
There are dozens of firms in the Access-as-a-Service industry developing and proliferating a powerful class of surveillance technologies. We brought together a group of experts to discuss the rise of cyber surveillance and the impact of this industry on the United States and its allies.
#1 What implications can foreign governments’ domestic cyber surveillance programs have on US national security?
Siena Anstis, senior legal advisor, Citizen Lab, Munk School of Global Affairs & Public Policy, University of Toronto:
“The proliferation of spyware presents a national security risk to the United States. These technologies facilitate not only the targeting of human rights defenders and civil society, but also provide an across-the-board opportunity to undertake acts of espionage through their ability to exploit vulnerabilities in popular applications and operating systems that impact everyone. This was well-illustrated by the targeting of US diplomats in 2021 with NSO Group’s Pegasus spyware. No one is safe from being targeted with this highly intrusive, silent, and increasingly hard to detect technology. This risk extends to the US government.”
Winnona DeSombre, nonresident fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council:
“We live in an increasingly interconnected world when it comes to data and surveillance. From an individual perspective, US citizens who work on national security regularly interface with relatives and friends abroad who may be surveilled. US military service members use Tiktok, an app whose data flows back to China. Domestic surveillance in another country does not just touch that country’s citizens, but it also touches any US national who interfaces with that country’s people and corporations.”
Lars Gjesvik, doctoral research fellow, Norwegian Institute of International Affairs:
“Way back in ancient 2013, the US intelligence community warned that private companies were developing tools that aided foreign states in targeting US systems. Clearly, this has been of some concern for a decade and has some implications for national security. There is no doubt that such commercially available tools have done great harm when it comes to human rights and targeting civil society, and you have some reported cases like Project Raven where commercial tools start to become a national security problem as well.”
Kirsten Hazelrig, policy lead, The MITRE Corporation:
“There are absolutely direct threats to US interests from the use of cyber surveillance abroad—any newspaper will relay confirmed reports of US officials being targeted abroad by tools such as Pegasus. However, this is simply a new tool for an age-old game of espionage. Perhaps more insidious is how tools and programs can be abused to enable the spread of authoritarianism, degrade human rights, and erode democratic values. I am not sure if anyone fully understands the implications to national security if these capabilities are allowed to spread unchecked.”
Ole Willers, postdoctoral researcher, Department of Organisation, Copenhagen Business School:
“Within the context of cyber surveillance programs, the distinction between domestic and foreign operations is not always as clearcut. Domestic campaigns oftentimes target individuals located in other jurisdictions, including the United States. The targeting of Canadian-based activist Omar Abdulaziz by Saudi Arabian surveillance operations is a prominent example.”
#2 Where do cyber capabilities fit into the spectrum of surveillance technologies?
Anstis: “Spyware technology provides governments with the ability to undertake highly intrusive surveillance. Sophisticated versions of this technology provide complete entry into targeted devices, including the contents of encrypted communication apps, camera, microphone, documents stored on the phone, and more. This impacts not only targeted individuals, but also exposes those who communicate with these people such as friends, family, and colleagues. Governments have a variety of surveillance technologies at their disposal, and spyware is undoubtedly one of the most stealthy and intrusive tools on the market that makes it difficult, if not impossible, for journalists, human rights defenders, activists, and other members of civil society critical of the government to do their work.”
DeSombre: “Cyber capabilities that feed into offensive cyber operations are usually far more tailored than surveillance technology writ large, especially compared to dragnet surveillance technologies. The little bit of overlap occurs when governments want to surveil targets who they believe are of higher value or harder to get to, in which case authoritarian governments will break out the more expensive capabilities like zero-days or purchase expensive spyware licenses like those offered by NSO and Candiru.”
Gjesvik: “The term ‘surveillance technologies’ is quite broad, and it depends greatly on how you define it. But if you think about the capabilities and services provided to intelligence, law enforcement, or military agencies, then it is a question of how sophisticated they are and their scope. The most sophisticated cyber capabilities offered by the top-tier companies probably equal the capabilities of most intelligence agencies, and there is no real difference functionally in them being used domestically or against strategic adversaries.”
Hazelrig: “Surveillance technologies are broad sets of tools that enable a human actor to achieve an objective, be it to improve traffic, indict a criminal, track terrorist movements, stalk a partner, or steal a competitor’s data. Cyber capabilities can range as widely as these objectives and their targets. They may range from low-end spyware to extremely sophisticated technology, and are almost always paired with additional tools and tradecraft that make them impossible to evaluate devoid of operational context.”
Willers: “If we define cyber capabilities in terms of the various activities oriented towards gaining stealth access to digital information, their importance for surveillance operations can hardly be overstated. Whereas traditional surveillance technologies continue to play a role, cyber capabilities offer forms of access that are much more comprehensive. Access to a smartphone is fundamentally different from the traditional wiretap and allows for the real-time surveillance of location patterns, communications, web searches, financial transactions, and more.”
#3 What is the Access-as-a-Service industry and what kind of relationship should the United States and its allies have with it?
Anstis: “The Access-as-a-Service industry describes companies that provide services to different actors—often states—to access data or systems. In the past few years, we have seen an acceleration in human rights abuses associated with this industry and a growing formalization of the sector with private investors and states increasingly interested in the growth of these companies. Considering the litany of human rights abuses that follows the growing availability of the technologies and services offered by this industry, the United States and other states have an obligation to regulate and limit the availability of these technologies and the industry’s business practices.”
DeSombre: “The Access-as-a-Service industry makes offensive cyber operations incredibly simple to pull off—aggregating disparate capabilities that take years of investment to make (zero-days, malware, training, infrastructure, processes) into a single solution that a government can purchase off the shelf and use easily. It is not necessarily a bad industry—the United States and its allies also rely on privatized talent to conduct cyber operations. However, the United States and its allies must be proactive about shaping responsible behavior within the industry to ensure these services are not purchased en masse by authoritarian regimes and adversaries.”
Gjesvik: “Simply put, it is an industry that sells access to digital data and systems. A wide swathe of technologies and services fits into this definition. Considering what relationship Western states should have with it should start with acknowledging that most states rely on private contractors and capabilities to some extent. There are clear problems of democratic oversight and misuse, but having their intelligence agencies and law enforcement lose access to digital evidence and data is probably not something governments would accept, and smaller states would struggle to develop the capabilities themselves. It is hard to decide on a relationship with a surveillance industry without deciding on the role of surveillance in modern societies, and I do not think we have done that.”
Hazelrig: “Access-as-a-Service, or the related but more colorfully named “hacker-for-hire” industry, are loose terms for the criminal actors that sell the information, capabilities, and services necessary to conduct cyber intrusions. These actors sell their wares with little regard as to impact and intent, enabling ransomware and other attacks.”
Willers: “The Access-as-a-Service industry is a niche market that sells data access to state agencies, and it has repeatedly been singled out for facilitating the proliferation of offensive cyber capabilities to authoritarian states. The United States and its allies face a dilemma in that they rely on the Access-as-a-Service industry to provide domestic law enforcement and intelligence agencies with cutting edge technology. Simultaneously, they have a strong incentive to limit the availability of these technologies to other customers. Balancing these interests has proven extremely difficult, which is why I see a need to limit our dependency on the private sector within this context.”
More from the Cyber Statecraft Initiative:
#4 In what ways does government surveillance compare and contrast with corporate surveillance?
Anstis: “Government surveillance is similar to corporate surveillance in that both exploit the fact that we increasingly live our lives on internet-connected devices. The data we generate in our daily interactions, which is then collected by companies and governments, can be used for a variety of purposes that target and exploit us—from the crafting of targeted advertising to location tracking to the mapping of a human right activist’s network. However, government surveillance differs in at least one important respect: governments have the power to not only surveil, but also to detain, torture, kidnap, or otherwise enact acts of violence against an individual. Spyware technologies facilitate the government’s ability to engage in these activities.”
DeSombre: “The podcast I help run just made an episode on this! Effectively, corporate surveillance and government surveillance have two separate goals: corporations collect your data to sell (usually to advertisers who then target you with personalized advertisements), while the government collects data for law enforcement or national security purposes. US government surveillance has hard rules it must follow for collecting on US citizens, although some of this is circumvented by buying corporate data. US and EU companies are now getting increasingly constrained by data privacy laws as well. But these types of regulations on both companies and governments differ vastly from country to country.”
Gjesvik: “When you think about who conducts the surveillance, the big difference would be the extent to which government surveillance is supposedly in the end about protecting its citizens while corporate surveillance is mainly about the interests of the corporation. If it is about who actually does the surveillance then the distinction between governments and private actors can be pretty blurry, as can the level of capabilities.”
Hazelrig: “The technical aspects of government and commercial surveillance are similar, and often share tools and techniques. However, the practices around their use are widely different. For a large part, democratic states limit surveillance through public opinion and law. There is admittedly misuse and abuse, but an intent and organizational structure to ‘do good.’ This is not necessarily true of commercial capabilities that may be sold without understanding of or care about intended use. As the opaque commercial market evolves, we are just beginning to understand the full spectrum of uses and impacts. Democratic states need to develop norms for law enforcement and other acceptable uses of cyber intrusion and surveillance capabilities, and to enforce actions against those that violate these norms and the industry that supplies them.”
Willers: “Both can be problematic considering that privacy is a fundamental human right in the European Union. Access to personal information has become a key asset across many industries, but the gathering of this information is a purely private and for-profit undertaking, however problematic it may be. State surveillance derives from a desire to provide public safety, which can be a good thing as long as it remains proportional and rooted in democratic norms—conditions that cannot be taken for granted.”
#5 How has the Access-as-a-Service industry evolved over the past two decades and where do you see it going from here?
Anstis: “The Access-as-a-Service industry has become increasingly formalized in the past two decades, with growing interest from investors and states in terms of funding the industry, as well as accessing the services and technologies offered. I see the next few years as a critical turning point in the industry’s development. Countless human rights abuses have brought increased awareness that the services and technologies offered by the Access-as-a-Service industry have serious human rights ramifications—as well as national security concerns—that need to be addressed. With ongoing investigations in the European Parliament, the United States, and elsewhere into companies that participate in this industry, I hope that we will see more specific steps aimed at curbing and controlling it.”
DeSombre: “Like every part of the cybersecurity ecosystem since the early 2000s, the Access-as-a-Service industry has grown, professionalized, and turned towards mobile, embedded, and other non-desktop systems. Your laptop is not the only place with interesting data!”
Gjesvik: “This is a pretty opaque industry, and there is not a ton of structured encompassing data available that I am aware of, but there are some broad trends. The first is globalization, a quite substantive expansion of tools and technologies available, and a lot more money to be made as well. Going forward, I am probably most interested in the extent to which the industry is controllable by any state actor. Will recent efforts by the United States and the European Union succeed in limiting the worst excesses? Or will it just accelerate the diversification of suppliers?”
Hazelrig: “So long as there have been criminal hackers, there have been ways for those with the right connections to procure intrusion services. However, about a decade ago, we started to see the emergence of professional firms that sold these services commercially, primarily to governments around the globe. The past couple of years has brought casual proliferation and a booming ‘consumer’ market—shady companies advertise euphemistically-phrased services on mainstream platforms such as LinkedIn, and many online criminal marketplaces have whole sections of specialty products and services from which to choose.”
Willers: “The origins of the Access-as-a-Service industry can be traced back to a combination of privatization dynamics in the telecommunication sector during the 1990s, the rise of digital communication systems, and the political focus on surveillance in the aftermath of the September 11 terrorist attacks. Since then, the industry has developed at the speed of technology, and there is good reason to doubt that the United States remains in a position to control it. Limiting access to technology is difficult, especially when it is as mobile as spyware technology. This is why I doubt that the United States or any other country alone can control the operations of the market.”
Simon Handler is a fellow at the Atlantic Council’s Cyber Statecraft Initiative within the Digital Forensic Research Lab (DFRLab). He is also the editor-in-chief of The 5×5, a series on trends and themes in cyber policy. Follow him on Twitter @SimonPHandler.
The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.