International Cybersecurity Research Made in Hamburg
 

Regulating the Global Spyware Industry

Mischa Hansel

 17 November 2022

The growth of the global surveillance industry and the proliferation of access-as-a-service in particular has become a serious national security and human rights concern in recent years. For example, Pegasus software was allegedly used to target Hanan Elatr's mobile phone, just months before her husband Jamal Khashoggi was murdered in the Saudi consulate in Istanbul. Then there is also Project Raven, a case where former US intelligence officers employed state-of the-art-cyber surveillance tools on behalf of the UAE. It did not take long for Emirati intelligence services to use these tools to spy on US citizens.

At first glance, export control and non-proliferation policies seem ill equipped to deal with these problems for several reasons. First, because of the complexity of components and supply chains operational surveillance capacities require. Even the key multilateral export control regime - the Wassenaar arrangement - covers only a small portion of all these components, albeit since 2013. Second, regulatory efforts also struggle to keep pace with fast innovation cycles. Furthermore, the multiple-use nature makes it very difficult to clearly differentiate between legitimate and illegitimate uses. This latter issue was a particular concern during the implementation of Wassenaar’s ‘cyber amendments’, as such definitional struggles could have encroached on, or even prevented, the work of security researchers or incident responders.

Despite these challenges, some technical characteristics of the cyber domain could actually work in favour of export control and non-proliferation policies. States could, for example, expose ICT vulnerabilities and techniques on which certain tools or services depend on, thus remotely neutralize already exported goods. Case in point is the 2015 cooperation between the FBI and Rook Security, which developed of a software to detect malware produced by Hacking Team, a notorious Italian cybersurveillance provider. States can also include catch-all clauses within export control requirements to cope with high levels of technological innovation. This essentially requires vendors and licensing agencies to consider human rights and security implications, even of yet unlisted technologies – an approach recently pursed by the EU.

Coalition-Building

Even among members of the Wassenaar arrangement, implementation of the cyber amendments varies significantly and geopolitical conflicts have further complicated efforts. While the Wassenaar framework is unique and should certainly be preserved, some compliance and enforcement deficits might better be addressed within smaller fora and among like-minded actors. One such example is the Transatlantic Technology Council, where one working group emphasised shared principles and areas of export control cooperation, envisaging stronger coordination of licensing decisions amongst other issues. Future transatlantic cooperation would ideally also include innovative enforcement instruments, for example coordinated blacklisting of noncompliant vendors.  The US and the EU could also combine their substantial regulatory powers, for example by limiting eligibility for public contracts to only those cybersecurity companies with a proven record of not selling to geopolitical rivals or abusive regimes. They might also require full disclosure of any foreign parent or sister companies in countries of concern.
Other important exporting states, for example the UK or Israel, could be invited to join such a coalition in selected areas. Furthermore, coalition building should not stop at the inter-state level but include non-state stakeholders as well. Vendors themselves might be encouraged to create, adopt and diffuse proper risk-management and compliance procedures to mitigate against human rights abuse by end-users. It is also worth recalling how much the process of renegotiating the Wassenaar cyber amendments benefitted from the input of security researchers, incident responders and industry. To facilitate a constant dialogue with non-state experts, the actual implementation of export control rules at the national and regional level has to become more transparent as well.  By including mandatory public reporting on licensing decisions, the EU dual-use regulation could set an important example in this regard, not only strengthening accountability but also enabling policy evaluation and advice by non-state actors.
Beyond coalition building and the deepening of cooperation on implementation and enforcement, increasing policy coherence by institutional linkages to other regimes could pave the way towards more viable multilateral export controls in this area.

Increasing Policy Coherence

Forcing exporters to disclose vulnerabilities that have been exploited by human rights abusers would strengthen the enforcement of export controls and responsible vulnerability disclosure policies – both  in accordance with UN cyber norms. Another way to increase policy coherence would be to focus on surveillance technology imports and to consider their impact on export controls. Even public institutions within liberal democracies are purchasing AI surveillance technology of Chinese or Russian origin. While this does not necessarily directly affect the local human rights situation, such purchases nevertheless increase the profitability of products that arguably are used for human rights violations in other places, in turn diminishing regulatory leverage.
Laws that restrain transnational commercial activities of former intelligence officials with deep knowledge of state surveillance practices and tools are also relevant. A new US law, for example, bars retired intelligence officers from selling their services to foreign governments or companies under effective state control for 30 months. Lastly, there is a need to prevent the reuse and misuse of exploits or other state cyber capabilities by criminal actors, such as with EternalBlue, an exploit developed by the NSA that was later modified and re-used by actors in Russia, China and North Korea. Overall, non-proliferation and export control policies have yet to be integrated in and supported by the broader instruments of national, regional and inter-regional foreign and security policies to have a meaningful impact on the global cyber surveillance market.