The Atlantic Council (Atlantic Council) released a research report on November 8 entitled “Surveillance Technology Expo: The Proliferation of Cyber ​​Capabilities in the International Arms Market”. Reports suggest that spyware and surveillance technology companies in Europe and the Middle East are selling intrusion software to the United States, its intelligence allies and NATO adversaries. On November 3, the U.S. Department of Commerce added Israel-based NSO Group and spyware company Candiru to a list of companies that pose a threat to U.S. national security, a move seen as an important measure in the U.S. fight against spyware. Three House Democrats have since called on the Biden administration to take further action to limit investors in democracies from investing in companies hired by hackers.

National cyber capabilities are increasingly following a “pay-to-play” model – both US/NATO allies and adversaries can purchase interception and intrusion technology from private companies for intelligence and surveillance purposes, the study said. While NSO Group has made headlines several times by targeting government agencies in 2021, there are more and more businesses selling the same harmful products. These suppliers are increasingly looking to foreign governments to buy their goods, and policymakers have not fully recognized this emerging problem and have not had an effective response. Any cyber capabilities sold to foreign governments carry significant risks: these capabilities could be used against individuals and organizations in allied countries, or even individuals and organizations in their own countries.

Since much of the buying and selling of surveillance technology operates in the shadows, there has been little research on the industry as a whole. The report analyzes vendors that have actively provided interception/intrusion capabilities in the international surveillance market over the past 20 years. The companies studied have participated in ISSWorld (ie Wiretapper’s Ball) and the International Arms Show. This dataset focuses on Western companies. , Chinese companies are rarely involved, as the number of Chinese companies participating in ISSWorld has always been low. However, the results of this research work will help policymakers better understand the market as a whole, as well as the major weapons and transactions these players operate. The report clearly identifies companies marketing intercept/intrusion technologies at arms fairs and answers a range of questions, including: Which companies market intercept/intrusion capabilities outside of headquarters areas; which arms fairs and countries attract the majority of these Companies; which companies sell intercept/intrusion capabilities to US and NATO adversaries?

The resulting data shows that the authors assess with high confidence a number of companies headquartered in Europe and the Middle East that are marketing cyber interception/intrusion capabilities to US/NATO adversaries. They argue that companies that provide intercept/intrusion capabilities pose the greatest risk because they support oppressive regimes and also enhance these countries’ strategic capabilities. Many of these companies gather at milpol in France, Security & Policing in the UK, and other arms fairs in the UK, Germany, Singapore, Israel and Qatar.

The study found that 75% of companies likely to sell interception/intrusion technologies have marketed these capabilities to governments outside their home country. Five irresponsible proliferators – BTT, Cellebrite, Micro Systemation AB, Verint and vastech – have exported their capabilities to US/NATO adversaries over the past decade.

The report classifies these companies as potentially irresponsible nuclear proliferators because of their willingness to sell to the United States and NATO’s non-allied governments — particularly Russia and China — outside their own homeland. These companies demonstrate that they are willing to accept or ignore the risk that their products will enhance the capabilities of client governments, potentially threatening US/NATO national security or harming marginalized populations. This is especially the case when the subject government is a direct adversary of the United States or NATO.

This global shift is important for two reasons. First, it points to a widening trend toward the global proliferation of cyber capabilities. Second, in the surveillance and offensive cyber capabilities market, many of these companies have long justified their business models by pointing to the perceived legitimacy of their customers. However, their marketing strategy contradicts this claim. The ability to initially focus on one target could expand to other intelligence uses, as recent allegations against several former U.S. intelligence officers working for the UAE have confirmed. When these companies start selling to NATO members and their adversaries, it should raise national security concerns for all customers.

See also: Former U.S. intelligence employee indicted for providing cyber espionage technology services to other countries

The report concludes by recommending that the U.S. and NATO take four steps to alleviate this current unfavorable situation. One is to establish know-your-customer (KYC) policies with companies in the field; the other is to work with arms exhibitions to limit the participation of irresponsible proliferators in these activities; the third is to strengthen the loopholes in export control; the fourth is to shame irresponsible suppliers and customers.

The findings come amid a surge in surveillance equipment suppliers attending the international arms trade show, including the well-attended French police agency and the UK-based Home Office for Security and Policing.

These risks are not hypothetical. The weapons expo exhibitor data collected by the researchers included U.S. contractor CyberPoint. CyberPoint, the precursor to DarkMatter (dark matter), was targeted by U.S. law enforcement after designing cyber capabilities for the United Arab Emirates and leading to spying on U.S. citizens.

The report provides the most comprehensive summary of the intrusion and surveillance industry to date, but the researchers note that many more companies may exist. Because they searched in English, “the data set grossly underestimates the presence of Chinese companies in this space.” The report recommends that policymakers focus their efforts on reining in companies that sell these capabilities directly to adversaries, or those willing to ignore that their capabilities could be abused risky company.

The proliferation of cyber and surveillance capabilities is a thorny policy issue. Preventing harm caused by the industry is an important policy objective that should be taken seriously. However, efforts to regulate the industry through export controls and global mechanisms have so far met with little success. Most importantly, the study shows that there is a large body of private companies willing to act irresponsibly on their own: their marketing capabilities have the potential to be a tool of repression by some governments, or a strategic tool of a non-NATO ally. The United States, NATO, and its allies still have policy tools they can use to prevent the irresponsible proliferation of privately developed offensive cyber capabilities.