Good News: U.S. Investment in Spyware Skyrockets!

Published by The Lawfare Institute
In 2024, the number of U.S. investors in the spyware market skyrocketed, and the country became the largest investor by deal count, according to new research from the Atlantic Council. The researchers say these investments undermine U.S. government efforts to control abusive spyware, but we think they present an opportunity to exert more control over the industry.
Spyware is not inherently bad. By "abusive spyware" we mean spyware used to violate human rights rather than for lawful purposes.
The increase in U.S. investment is a key finding of an update to the Atlantic Council's 2024 Mythical Beasts report. That report mapped the global spyware industry through the end of 2023. At the time, vendors were concentrated in Israel, India, and Italy. The U.S. was the third-largest investor by deal count.
The increase in the number of U.S. investors shown in the update is striking. The original report found 12 U.S.-based investors. Now there are 31.
The authors claim this rapid increase is concerning because it "effectively undermines recent, concerted U.S. government efforts to constrain the spyware market." They cite government actions intended to combat abusive spyware such as issuing entity listings, sanctions, visa restrictions, a joint statement, and an executive order. According to the report, some of the recent investments have gone to vendors with dubious records. AE Industrial Partners's late 2024 investment in Paragon Solutions is cited as a "notable example."
We don't believe Paragon is the best example of abusive spyware. The company's strategy has, after all, been to stay in the U.S. government's good books. In 2023, the Financial Times described these efforts:
American approval, even if indirect, has been at the heart of Paragon's strategy. The company sought a list of allied nations that the US wouldn't object to seeing deploy [Paragon's product] Graphite. People with knowledge of the matter suggested 35 countries are on that list, though the exact nations involved could not be determined. Most were in the EU and some in Asia, the people said.
"Everything they did was with the strategy that at the end of the day, the US should see them as the good guys," said one person familiar with the decisions.
Despite these efforts, its spyware was used this year to target journalists and activists, including some who had been critical of Italian Prime Minister Giorgia Meloni's right-wing government. After that incident, the company cut ties with the Italian government, reportedly because it had breached the terms of the contract forbidding the targeting of journalists or members of civil society.
In our view, this looks like an example of a company trying to mitigate abuse. It vetted clients and took action when it found its products had been misused.
U.S. investors have incentives to ensure that their companies toe the U.S. government's line. Good behavior can result in lucrative government contracts. Paragon, for example, signed a one-year contract with U.S. Immigration and Customs Enforcement in the dying months of the Biden administration. On the flip side, abuse can result in U.S. government action such as sanctions that slash the value of a business.
An investor allowing a spyware company to do business recklessly may as well just light their cash on fire.
The U.S. government has an opportunity to clearly communicate to investors what reckless versus responsible behavior looks like. That would preemptively shape the spyware vendors' behavior. It's better than the government reacting after the fact with sanctions and punishments.
Of course, the wild card here is the Trump administration's attitude to abusive spyware. It's still in the national interest to shape the industry to be more responsible, but we've not yet seen convincing evidence that the administration cares enough to make it a priority issue.
Trump Caves on TikTok
This week the U.S. and Chinese governments have reportedly reached an in-principle agreement that will see a domesticated version of TikTok operate in the United States.
This deal is a win for China, which has a track record of manipulating the information environment at home and abroad. Under this deal, the U.S. government is failing to fully mitigate these propaganda risks.
The details haven't been finalized, but the broad outline is that a U.S. spin-off entity will run a new version of the app and will license TikTok's content-recommendation algorithm from its Chinese parent company, ByteDance.
The Wall Street Journal reports that TikTok engineers will recreate content-recommendation algorithms using technology licensed from ByteDance in China. User data will be managed in Oracle data centers in Texas. However you look at this, "American TikTok" will not be a completely independent entity.
TikTok's success in the U.S. to date gave rise to specific national security concerns. The first is that the app could be used to collect data about, or even monitor, U.S. citizens. The second is that its recommendation algorithm could be manipulated to benefit the Chinese Communist Party.
In terms of protection of user data, the new deal is a step forward. A separate app, with a separate U.S.-managed company in control of user data should result in a stronger firewall between U.S. user data and China-based administrators and engineers.
TikTok tried to address this concern starting four years ago with what was known internally as Project Texas. This effort coupled storing user information in an Oracle data center in Texas with logical controls to minimize data access from China.
We wrote about the futility of this effort back in 2022. The data may have been physically located in the U.S., but TikTok still controlled the software stack and, therefore, the user data.
So this new arrangement is definitely an improvement, but we are not sure it makes much difference. On the U.S. user data concerns, America's data ecosystem is so leaky that there are plenty of other options for Chinese intelligence services to get U.S. user data if they need it. Better isolating TikTok data closes the front door but leaves all the windows wide open.
This brings us back to the second concern when it comes to TikTok in the U.S.: algorithm manipulation to influence Americans to China's benefit.
The deal, as described by the Wall Street Journal, does very little to address this concern. Presumably, a 2022 arrangement whereby Oracle audits TikTok's algorithm will remain in place, but that would still leave TikTok's engineers with their hands on the levers. It simply allows Oracle to occasionally see where those levers are set.
After trade talks that included discussion of the TikTok deal had concluded, U.S. Treasury Secretary Scott Bessent said Chinese negotiators are "interested in Chinese characteristics of the app, which they think are soft power. We don't care about Chinese characteristics. We care about national security."
He didn't clarify what he meant here. But we'd define social media with Chinese characteristics as having strong censorship and narrative control by the government. So Bessent thinks … algorithm manipulation is a soft power and not a national security concern?
We disagree. It's a standard tool that the Chinese government uses both domestically and internationally to shape public opinion to its advantage.
Leaked documents published in early August, for example, show that Chinese company GoLaxy has been using artificial intelligence (AI) technology to monitor and manipulate public opinion. According to the documents the company used its technology to counter opposition in Hong Kong to a 2020 national security law designed to crack down on political dissent. In the lead-up to the 2024 Taiwanese election, it also tried to undermine the country's Democratic Progressive Party.
Both operations align with China's national security priorities. The documents also contain evidence that the company is preparing for operations in the United States. Researchers from Vanderbilt University found "GoLaxy has assembled data profiles of at least 117 members of the U.S. Congress and over 2,000 American political figures and thought leaders."
The documents shed light on the latest in the long history of Chinese influence campaigns. Letting China put its hands on the levers of TikTok's algorithm would give it the capability to run those campaigns on the most influential social media platform in the U.S.
A state media editorial in Chinese Communist Party outlet, The People's Daily, described the TikTok deal as a "win-win." We agree. It's a win for TikTok and a win for the Chinese government. U.S. national security? Not so much.
Three Reasons to Be Cheerful This Week:
- Kiwis sanction Russian military hackers: New Zealand has imposed sanctions on Unit 29155 of Russia's GRU military intelligence agency. The unit has been linked to assassination and sabotage operations across Europe. This Between Two Nerds episode discusses how the unit got involved in cyber operations.
- Government red teams make AI safer: Both OpenAI and Anthropic have fixed vulnerabilities in AI models based on input from U.S. and U.K. government researchers. It sounds like good practical work that addresses real safety issues. CyberScoop has further coverage.
- CISA pledges support for the CVE program: The U.S. Cybersecurity and Infrastructure Security Agency has expressed strong support for the Common Vulnerabilities and Exposures program and has published a road map for it. Hopefully that will result in more funding too!
Shorts
APT1 Report Revisited
Kim Zetter's Zero Day has a great article revisiting Mandiant's APT1 report from 2013 that blew the lid off prolific hacking by China's People's Liberation Army.
This report drastically changed the evolution of the threat intelligence industry and how cybersecurity firms marketed themselves.
One nugget that we found interesting was that Mandiant was able to intercept APT1 communications simply by asking victims if they could take control of compromised hosts that were being used as Operational Relay Boxes (ORBs).
The lead author of the APT1 report, Visi Stark, told Zetter they'd occasionally approach victims and say, "Hey listen. Your server is compromised by the Chinese and [is being] used to compromise other organizations. We'll build you out a new server if you'll leave this one in place and let us kit it out."
Monitoring these ORBs allowed Mandiant to observe terabytes of stolen data.
Risky Biz Talks
In our latest "Between Two Nerds" discussion, Tom Uren and The Grugq talk about the limits of a state's cyber power.
From Risky Bulletin:
AI chatbot disinformation doubles in a year: The internet's top AI chatbots provide answers with false claims twice as much as they did last year.
The disinformation rates of the top 10 leading chatbots have doubled, going from 18 percent in August 2024 to 35 percent a year later, according to a study from disinformation-fighting group NewsGuard.
Chatbots reproduced false claims on topics such as health, politics, international affairs, companies, and business brands.
The change appears to have been caused by the fact that AI chatbots now try to answer questions on all topics, even controversial ones or real-time news events. This is different from last year, when AI chatbots refused to answer 31 percent of prompts.
U.S. largest crypto ATM operator sued for profiting from scams: The District of Columbia Office of the Attorney General has filed a lawsuit against the largest crypto ATM operator in the U.S., Athena Bitcoin.
The lawsuit alleges the company knew its Bitcoin ATMs were being used to collect funds from scam victims, but instead of stopping the transfers, it charged large hidden fees and then refused to provide refunds to victims.
Officials say that 93 percent of all deposits made across the seven Bitcoin ATMs the company operates in D.C. were the result of scams.
Most U.K. school hacks are caused by their own students: The U.K.'s privacy watchdog highlighted a strange trend in the country where students are increasingly behind the hacks of their own schools.
The U.K. Information Commissioner's Office says it studied 215 insider-caused breaches in the U.K. educational sector between 2022 and mid-2024 and found that students were behind 57 percent of the intrusions.
Where a stolen password was used to breach a school system, students were involved in almost all cases (97 percent).
"Dares, notoriety, financial gain, revenge, and rivalries" were cited as main reasons for the hacks, which sounds about right if I channel my inner child.