Published by The Lawfare Institute
In 2023, it is now possible for any government or private company to get access to your most intimate secrets. How? By paying a company to hack into your phone. Since the early 2010s, news of private companies that sell spyware and other offensive cyber tools has become commonplace. The spread of tools through these “cyber mercenaries” is a risk to both human rights and national security: Authoritarian governments use these tools not just to spy on the United States and its allies, but also to surveil journalists and activists in the name of national security, which has led to the detention, torture, or even assassination of those targeted.
When it comes to nation-state spycraft and hacking, some cyber mercenaries are “hackers for hire,” who conduct cyber operations on behalf of government customers. A larger number of mercenaries, however, sell offensive cyber tools to government clients that then use them for their own cyber operations, as many governments believe that privatized hacking may violate international law. A basic rule in the Geneva Conventions requires parties to clearly delineate combatants from civilians in any conflict, and in cyberspace it is not always possible to tell a military operation from an intelligence one.
Tools sold by cyber mercenaries do have legitimate uses: Some Western governments and law enforcement agencies (when operating with effective oversight) have used these types of tools to hack into terrorist networks, get intelligence on mass shootings, and even apprehend cartel leaders such as El Chapo. Some companies in the cyber mercenary industry refuse outright to sell to the states with the worst human rights records and sell only to countries with proper judicial review and law enforcement oversight. The industry overall is, however, global and growing, and its worst players are creating life-and-death consequences.
The U.S. and the EU both have initiatives to curb the industry’s growth and cut irresponsible players from the market. The European Parliament is putting pressure on its member states through the recently formed PEGA Committee investigation, one of the first open policy discussions of cyber mercenaries. The EU is debating how to use export controls against this threat—claiming that using export controls for humanitarian purposes will protect human rights—and the U.S. has begun to do the same.
Nevertheless, export controls by themselves are woefully inadequate for solving the problems that this industry poses. If this is the only tool the U.S. and the EU decide to employ, they risk using an approach that is ineffective, at best, and that damages their own intelligence and law enforcement capabilities, at worst.
Export Controls Are Not a Magic Bullet
Put simply, export controls prevent technology from leaving a state’s own borders and subsequently falling into the wrong hands or use cases. There are two steps: A country’s government will place a type of product or potential client (country, corporation, or individual) on a list. Then, all companies in that country that want to export that product, or sell to a specific client on that list, must get an “export license” from the government to do so. Without this license, they face criminal and civil penalties if they are caught exporting.
These policies emerged out of a need to stop physical items (such as nuclear weapons components) from falling into enemy hands. While export controls have stopped semiconductor sales to China with some success, software code—which can be transferred via USB or email—is a much harder problem to solve. Cyber mercenaries are wise to this: Companies that sell spying software (or “spyware”) have evaded export controls for decades by using tactics as simple as calling their spyware a “network traffic management system” and hoping that EU export license officers do not follow up. Other mercenaries simply export their products without filing for a license at all, in flagrant violation of export controls. For example, the Israeli firm NFV Systems was shut down earlier this month for selling surveillance technology without a license for at least five years.
Even as countries become better at cracking down on export control violations, some of the shadier companies are turning to intermediaries in other nations to sell to authoritarian countries for them. Some companies even create their own intermediaries. The Israeli company Quadream, for example, sells its primary hacking tool through a sister company in Cyprus that holds Quadream stock and sells Quadream tools but is conveniently not subject to Israeli export control laws. Ultimately, because mercenary companies that refuse to abide by export controls can pack up and move jurisdictions, export controls will disproportionately impact the few vendors that want to abide by the controls—likely the same ones that sell only to Western countries. Meanwhile, cyber mercenaries are still able to get lucrative contracts from democratic institutions. For example, NSO Group sold its infamous Pegasus software to 14 EU governments. Pegasus is the same software used by authoritarian governments to threaten activists and dissidents worldwide.
To ensure that fewer jurisdictions become mercenary safe havens, the U.S. and the EU will need as many countries as possible to sign on to a comprehensive export control regime. Many governments, however, may not want to sign on because they also benefit from these deals. For example, the Chinese government has advertised its surveillance companies to African nations as part of its Belt and Road Initiative, and Israel’s spyware sales have consistently been linked to diplomatic gains for the country. Even if a government tries to monitor responsible end-use of these tools, internal corruption may lead to abuse. In Mexico, for instance, NSO malware was found to be targeting not only people of interest to the government but also those of interest to the cartel.
What About the Entity List?
Of course, the U.S.’s own export controls can be used against bad-faith foreign companies, through the Entity List. Any company placed on this Department of Commerce list can no longer receive certain U.S. exports, including technology products. After the U.S. placed NSO Group and other similar companies on the Entity List in 2021, NSO could no longer legally purchase laptops with a Windows operating system or iPhones without explicit approval from the U.S. government, and the company was at risk of bankruptcy. In some senses, this was a huge success: NSO Group is now a toxic entity whose name likely turns off many potential customers. The industry, however, is more than just NSO Group. Hacking tools are sold by hundreds of companies worldwide, and this tactic of putting companies on the Entity List is unsustainable in the long term as the list of publicly known firms (Q Cyber, Circles, Intellexa, etc.) grows ever longer.
While an entity listing can damage a company, focusing on individual companies becomes a game of whack-a-mole. The founders behind the company will usually regroup or re-form under a different name to evade regulators, offering almost the exact same product. Multiple cyber mercenary companies have reorganized after appearing in the public eye. After being caught spying on the U.S. in 2013, the Indian firm Appin Security splintered into multiple other companies, all offering similar products. Some of these companies are still operating today. Tal Dilian, founder of an NSO Group subsidiary, left the group in 2014 and created two more cyber mercenary companies, both of which have concerning human rights records. Because regulators focus on irresponsible companies rather than irresponsible founders, their penalties do not stick when one company disappears, replaced by a “new” entity with the same staff and product. These founders and high-level staff will then continue to source new talent, grow their business, and make the same business decisions to sell to authoritarian regimes. Bad behavior will never truly go away if regulators do not start focusing on the people behind these cyber mercenary companies.
Thinking Outside the Export Control Box
Export controls cannot combat cyber mercenaries on their own. Export enforcement against software or murky players is incredibly difficult, and placing individual companies on a list does not scale. It also does not address the two root causes of the issue: that (a) bad-faith individual actors currently lack incentives to play by the rules, and (b) some government clients either knowingly enable or lack the ability to control the spread of these tools. If the U.S. and the EU want to continue to use export controls as a driving force to stop the spread of cyber mercenaries, they need to combine that approach with other efforts that focus on these root causes.
First, the U.S. and the EU need to make clear, public statements that define the characteristics and role of a responsible cyber mercenary. Currently, clear statements are hard to come by. The U.S. government has provided vague and confusing reasons when placing mercenary companies on the Entity List, sometimes even lumping mercenaries together when they provide ostensibly different services, as the government did with the boutique Singaporean firm Computer Security Initiative Consultancy and the Russian contractor Positive Technologies. Laws governing cyber mercenaries are also a patchwork of government acquisition regulations, restrictions on former intelligence community employees, and export controls. Vague reasons for punishment, with no clear guidance on what behavior the U.S. will permit, only push bad-faith players further underground and push good-faith players out of the space entirely.
To solve this problem, the U.S. and the EU should jointly and publicly call out (through case law, statements, or policy) what business decisions or operational behavior remains in bounds (and will enable companies to bid on government contracts), versus those that will result in indictments. While each government may have its own secret policies for what makes a good customer of offensive cyber tools (hidden in back rooms accessible only with security clearances or prior government relationships), these policies must be publicly announced to be fully effective, as plenty of hackers become cyber mercenaries without prior government experience.
Second, and in a similar vein, the U.S. and the EU must publicly clarify what makes a good customer of offensive tools, especially if selling to a particular country’s law enforcement will get a company put on the Entity List. The PEGA Committee report, for example, has drawn clear lines for responsible end-use of cyber tools by admitting that these tools can be sold for espionage and national security purposes, but not for political and criminal purposes. The committee also advocates for impartial judicial review and vulnerability disclosure—two elements crucial to ensuring oversight within government intelligence and law enforcement clients. It is still uncertain, however, whether EU member states will transform these recommendations into binding legislation, and how effectively these laws will be enforced.
By clarifying end-use standards through international agreements or binding regulation, the U.S. and the EU can intentionally restrict sales to governments that do not abide by those standards and give their cyber mercenaries reasons to conduct due diligence on potential government clients. Key to this effort will be partnering with friendly countries with large cybersecurity and technology industries, and convincing other countries to stop using spyware diplomacy (as China and Israel are not alone in using this tactic).
Finally, while cyber mercenary companies can morph and disappear, the people in this industry largely stay the same. The U.S. and the EU have a unique opportunity to apply people-centric policies to the cyber mercenary space. Governments can indict particularly egregious founders and offer employment visas to exceptional foreign engineers—both options take key staff away from foreign cyber mercenary companies.
The solution to cyber mercenaries is not export controls—but these controls can and should be part of a wider, more holistic set of policies that prevent these tools from falling into the wrong hands. Addressing the pattern of behavior of key individuals who make up these companies and the actions of their clients is essential to mitigating the issues caused by cyber mercenaries.