Lawfare Daily: The State of the Spyware Industry with Jen Roberts and Sarah Graham
Published by The Lawfare Institute
Jen Roberts, Associate Director of the Atlantic Council’s Cyber Statecraft Initiative, and Sarah Graham, Research Consultant with the Atlantic Council’s Cyber Statecraft Initiative, who are coauthors along with Nitansha Bansal of the recent paper, “Mythical Beasts: Diving Into the Depths of the Global Spyware Market,” join Lawfare’s Justin Sherman to discuss the global spyware industry, how it has evolved in recent years, and what its future holds. They also discuss the geographic concentration of key spyware entities in several countries; a rise in U.S. investors in the spyware industry; how “strategic jurisdiction hopping,” name changes, and corporate structure shifts impact spyware firms’ evolution and transparency into their activities; and how U.S. policymakers should approach the global spyware market going forward.
Please note that the transcript was auto-generated and may contain errors.
Transcript
[Intro]
Sarah Graham:
Reporting suggests that brokers and resalers really perhaps distort the price
of capabilities and the exploits they rely on. And this could really drive up
costs. And despite that, really introduce more risks to the entire supply chain,
therefore constituting a really important––but so far, relatively understudied––force
in the market itself.
Justin Sherman: It's
the Lawfare Podcast. I'm Justin Sherman, contributing editor at Lawfare
and CEO of Global Cyber Strategies with Jen Roberts and Sarah Graham of the
Atlantic Council to discuss their new report “Mythical Beasts,” on the state of
the global spyware industry.
Jen Roberts: So,
these capabilities are being utilized against Americans. They are a
counterintelligence risk for American security, and a large part of the
industry doesn't necessarily operate within the U.S. parameters, so we have
less oversight and ability to shape this market.
Justin Sherman: Today,
we're talking about the global spyware market, how it's evolved in the last few
years, and the future of the risks to the United States.
[Main episode]
Let's kick off with both of you telling us a bit about
yourselves and what you are working on currently.
Jen Roberts: Sure,
I'll kick off. Hi, my name is Jen. I'm an associate director with the Atlantic
Council Cyber Statecraft Initiative. We're a think tank that's based in
Washington, D.C.
Over at the council, I work on our proliferation of offensive
cyber capabilities. This has primarily focused on spyware for the past two
years, but sort of encompasses wider market dynamics of offensive cyber.
Sarah Graham: And hi,
I'm Sarah. I'm a research consultant with the Atlantic Council's Cyber
Statecraft Initiative, and have been working on co-authoring this particular
spyware piece with Jen and more broadly working on some follow-up works to it
as well.
Justin Sherman: We're
going to talk today about the––as you just alluded to, and as we heard in the
intro––about the state of the global spyware industry, and trends in everything
from investments in spyware to the capability of resalers themselves. You have
a new report out, as Sarah just referenced, that will form the basis of this
conversation called “Mythical Beasts: Diving into the Depths of the Global Spyware
Market,” which is published with the Atlantic Council.
It also builds on some past work you’ve done in the vein of
what Jen was saying, including a 2024 report that similarly snapshotted the
spyware market. So, we're going to get into all of that in a minute. But just
to start us off with some definitions here, what is spyware? How do you define
spyware?
And then typically, if we're talking about spyware versus other
kinds of hacking or cyber intrusion capabilities, how are those typically
distinguished in their definitions?
Jen Roberts: Sure. So
this new report called “Mythical Beasts: Diving into the Depths of the Global
Spyware Market,” as Justin you alluded to, is part of a larger series that we
have done at the Atlantic Council, which dives into the supply chain of the
global spyware market.
When we're talking about spyware, there has been some debate
over how to even define spyware. So in the report we spend a lot of time
scoping what we mean by spyware, and that definition is spyware is software
that facilitates unauthorized remote access to an internet-enabled target
device for the purpose of surveillance or data extraction.
This differentiates itself from other offensive cyber tools,
both in terms of scope and scale. For example, out of 195 countries in the
world, at least 80 are known to have procured spyware from commercial vendors.
In a report from Google a couple years back, they found that over 50% of all of
their zero-day exploits were utilized by spyware vendors.
So this is a really big sector of the offensive cyber
capabilities market, and it's particularly an invasive type of malware. It can gain––oftentimes
without any user interaction––access to your applications, your search history,
calls, your texts, photos, locations, microphones, recording, geographic data. Anything
that you can sort of think of, spyware sort of captures once it's on your
device.
So this industry is pretty prolific. It's pretty obscure. And
what the Mythical Beasts report tries to do is inject information about this
industry and its supply chain, so that policymakers and researchers alike understand
the, the scope and scale of this market.
Justin Sherman:
Several things in there. We’ll dig into––just to note, as many listeners know,
of course, zero-day, as you're referring to, being a flaw that has been
discovered for zero days, i.e., folks don't know it's there.
So, you touched on this a little bit, but just to pull this out
explicitly. This is an industry, it's a market, and so it's therefore meeting
some kind of demand.
What are some of those demands from a buyer standpoint that
these spyware companies are meeting?
Jen Roberts: Sure. So
this commercial industry of spyware vendors sells primarily to states that
either A) cannot develop their own offensive cyber tools, or B) can develop
them, but don't necessarily want to utilize them for the scope of a certain
attack that they're conducting.
So, if they deem it not necessarily as high of a priority, they
might not want to burn a capability that they have in the chance that it gets
discovered. So essentially, a large part of this market in this industry is
going to states that want these tools for national security purposes or other
purposes, that necessarily cannot develop them themselves.
Justin Sherman: To,
to start getting into what you found in this study, let's first get the rundown
on what you actually examined.
So briefly describe to us the data on which the report is
based, and maybe some more detail on, you know, how many of these vendors and
entities did you look at? Where are they geographically? And are there––just to
give additional color to this––a few names of spyware players you looked at
that might be familiar to listeners?
Sarah Graham: Sure.
So, this report is the second edition, as you mentioned, of the
Mythical Beasts project released last year. And so to give a little bit of color
to the initial dataset, initially we reported on 435 entities in the spyware
ecosystem, and this includes vendors, suppliers, holding companies, investors,
partners, subsidiaries, and individuals. So quite a few.
The updated dataset digs into a few things. First, we
reexamined all of the existing entities to bring them to present. And present, here,
meaning the end of 2024. And so, by this we mean that we sought evidence of
activity in 2024 or the absence of evidence of closure to suggest that, that
they're still active. Or we sought evidence of legitimate business closures in
a few cases.
So, first we brought everything up to date by a year, and then
second, we brought in quite a few new entities, bringing our total up to 561.
So, to give a little bit of color to this, this includes four new vendors, 10
new suppliers, three new countries, as well as 20 new U.S.-based investors
alone.
And I'll note that this is a mix of new evidence found in
corporate registries, and some of the evidence is historical. So maybe it
wasn't disclosed previously or we didn't account for it the first time around.
And I'm sure we'll dive deeper into this, but a lot of the U.S.-based
investment flow is into some of the larger or higher profile spyware vendors,
as you mentioned, that listeners might be familiar with, including Paragon, Cognyte,
and Candiru, just to name a few.
Justin Sherman: You
referred a couple times to this, and again, as you mentioned, this builds on
past work, but there are two, at least two major developments that you and your
co-author identified since 2024.
And the first of those relates to U.S. investors. The second of
those relates to, I should say, the role of U.S. investors in the spyware
market, and the second major development in the spyware industry in the last
year or so relates to resalers and brokers.
So, we'll take those one at a time here first. What does the
number of U.S. investors in the global spyware market look like? What is the
nature of those investments? When we say investments, is that, you know,
they're putting money into a very early-stage company? They're, they're trying
to get a return on something that's quickly growing? What does an investment
look like?
And then, how does that represent an evolution over time
compared to, you know, if we go back a couple years ago, the role that U.S.
investors played in this industry?
Jen Roberts: U.S.
investment into spyware really kicked off in 2024. We have the addition of 20
new U.S.-based investors that all invested in spyware for the first time in
2024 specifically.
This is a pretty major uptick from the past two years. There's
a chart in our report that shows this visually if you're a more visual person,
but if we take years of activity and measure it over time in 2023, we had five
active U.S. investors in spyware, and in 2024 we had 24. So that's quite a big
spike in investment.
And as Sarah mentioned a little bit earlier, that these
investors are investing in firms that are pretty well-established. So pretty
late-seed investment here.
Specifically, in late 2024, a U.S. company called AE Industrial
Partners invested in Paragon Solutions. Paragon Solutions is an Israeli-domiciled
spyware vendor of Graphite and has a U.S. subsidiary, Paragon Solutions US.
Paragon was recently entangled in a scandal with the Italian
government, that was utilizing this spyware to surveil human rights defenders
and other members of civil society. And then in early 2025, another American
company, Integrity Partners, invested in Saito Tech, Candiru’s––what, another
name that it historically went by.
And Candiru’s Saito Tech has been on the U.S. Commerce
Department's Entity List since 2021. So, what we're seeing here is both a
contradiction and a critical enforcement gap between U.S. policy and U.S.
investment.
The U.S. government over the past couple of years has really
sunk a lot of time and energy into cracking down on the proliferation and
misuse of this market, including, most recently, visa restrictions and
sanctions against some of these actors.
So, to see U.S. investments spike so much this year is quite
interesting, because there has been sort of a lot of U.S. policy attention on
this issue set, and the investment community and U.S. policy interests don't
necessarily seem to be aligning right now.
Justin Sherman: I'm
glad you mentioned the Entity List where, just as an aside, we're going to come
back to that later in the episode. But just as you noted, right, of course, the
Entity List is focused on, generally, the export of goods and services and
technologies, et cetera, to a particular entity, but not necessarily
investment.
And so that's an interesting point there. So, you talked about
U.S. investors. Are there––this is in some ways a leading question––but are,
you know, are there other countries besides the United States that are home to
some of these investors in the spyware companies?
And if so, what are some of those countries where either lots
of entities or lots of money is flowing into the spyware sector?
Jen Roberts: Sure. So
about 50% of our data set, perhaps even more now, is represented through
investors, through sort of four main countries. The United States, now, is the
largest one, followed by Israel, then Italy, then the UK.
It's important to note that Israel and Italy are two hubs of
the spyware ecosystem in general. In the first report we identify in our first
trend––it's called the Three I’s––three jurisdictions where there is a
concentration of spyware activity. They all happen to start with I, so it's
easy to remember: Israel, Italy, and India.
So, two of the biggest investors outside of the U.S. into
spyware are also large stakeholders in sort of the market writ large.
Justin Sherman:
Interesting. Since those are distinct, as we're saying, but, but they overlap.
So, the second major development you identified in the spyware
industry from 2023 to today is a greater presence of spyware resalers and
spyware brokers. So, we'll talk about the development itself in a second, but
to give us the definitions here, to set the foundation, define that for us as
what, you know, what is a spyware resaler versus a spyware broker? And then how
do they differ from other entities that play a role in the spyware industry?
Sarah Graham: This is
a really great set of questions, because I think that these entities in
particular are really tricky to define. And we worked in this report to balance
the tension between being really precise in all of our entity definitions, all
of these different vendors and suppliers that we've been talking about, but
also wanting to still make some space for acknowledging areas where things
might be a bit murky.
So, brokering and reselling entities definitely fall into this
latter category. And in the report, we group these under our “partners”
definition. Part of this definition reads that a partner is a company that is
connected to a spyware vendor, though the relationship can take a few different
forms. For example––and most relevant here––is that a partner can be unrelated
to the development of spyware itself, but contributes to the technical or
business operations of the vendor.
And so this is where the brokers and the resalers really come
into view. There's two notes to highlight on this. First, how we conceptualize
them: we can think of them as intermediaries between buyers and vendors or
other suppliers in the supply chain, and they facilitate or broker a deal. Or,
through the total purchase and then resale of those products. So, for example,
we've seen evidence of these entities creating access to regional markets which
might not otherwise have strong relationships between prospective buyers and
vendors.
And overall, these entities are somewhat different from others
in the marketplace because of the role they play. They sit very much downstream
of, of the original vendors and play this sort of connective or fluid role. And
second, the note that I want to highlight is how we differentiate in
identifying them. While a lot of the data that we rely on in this report comes
from corporate registries and public information from reporting, for example,
the brokering and reselling data comes from a few non-standard sources and sort
of adds to this murky aspect of it, which is that it tends to come from patchy
or uneven data sets, you might say.
So, hack and leaks, that might really focus in on a particular
case or from voluntary transparency disclosures, as is the case for example, in
recent years with the Mexican government. Or otherwise from some really high-skilled,
high-focused investigative journalism.
So overall, we really only have perhaps a snapshot of the full
role of these entities.
Justin Sherman: With
those distinctions in mind then, what did you find vis-à-vis a greater presence
of those resalers and brokers in the market in the last few years? And then
what exactly does that mean when you say that they, they have a greater
presence in that market?
Sarah Graham: So, in
terms of greater presence, I think we can think about this in two ways: in
terms of numbers and then the effect that these entities have within the
marketplace.
So, starting with numbers, overall, it is frankly a relatively
small slice of the total number of 561 entities. So, by the numbers in the
first report, only two entities were identified. This was RCS Labs and Vaztec.
And in these cases, their involvement only came to light through the hacked and
leaked data, as I mentioned, from Hacking Team, the Italian spyware vendor that
now operates as Memento Labs.
In contrast, in our update, we identify seven more entities. So,
some of these are historical, but throughout our research we found more
evidence pointing us to look at these sorts of regional markets where, where
brokers and resalers are filling a gap between where, where there might be
elsewhere, a high vendor concentration, as Jen mentioned, for example, in the
Three I’s trending areas and then sort of directing into perhaps more regional
markets in Latin America or Southeast Asia, for example.
So, overall, the first one here is greater in terms of number.
But then the second one we refer to here as greater in terms of effects. So, we
see these entities having a greater presence in part because of our suspected
impact they have on the overall market. And by this I mean that reporting
suggests that brokers and resalers really, perhaps, distort the price of
capabilities and the exploits they rely on. And this could really drive up
costs.
And despite that, really introduce more risks to the entire
supply chain, therefore, constituting a really important––but so far,
relatively understudied––force in the market itself.
Justin Sherman: Did
your data provide any insights into which entities are actually purchasing
spyware––whether from these brokers or resalers or the original vendor––and
what they might be using the purchased spyware for?
Sarah Graham: We do
look into this a little bit, but something that I want to point out is, as Jen
laid out upfront, we're really focused on the supply chain and really
understanding all of the components that go into the spyware ecosystem and not
so much on who the ultimate buyers are or for example, what they might be used
for, whether these are legitimate uses or, or potential abuses.
And so overall there's a lot of great work by other
organizations that we've relied on and who look a lot more on sort of the
effects side of the market, including Citizen Lab and Amnesty Tech, who
listeners might be familiar with and want to dig in more there to understand a
bit more on sort of the effects side.
Justin Sherman: Got
it. That's, that's helpful. So, on top of these two major developments, you––the
two of you and your other co-author additionally identify six defining
characteristics of the spyware industry based on the data and the analysis. So
I, I want to––we're not going to do all six, unfortunately, we don't have––I
wish we had more time, but we are going to focus on a few that are super, super
interesting.
So, one is that, as you alluded to with the Three I’s, you found
a disproportionate geographic concentration of these spyware entities in
Israel, in India, and in Italy. And so explain this to us a little bit more.
Are there known explanations or hypotheses for why this is the case? And what
in particular makes the concentration of the spyware entities in these
countries, quote unquote disproportionate?
Jen Roberts: Sure. So
these, these six trends that we identified, we identified in the first Mythical
Beasts report, and we wanted to include them in this report as well because they
have held relatively constant.
We didn't see any big, swooping changes across these six
trends. So this is really exciting as researchers, but I also think for, for
policymakers and folks that are tracking the industry, that the spyware
ecosystem, the spyware market, has not evolved at a pace so rapid, that policy
action and other sort of research cannot be conducted into the shape and scope
of it.
Which is very interesting for, for folks that are interested
in, in spyware. But diving specifically into why perhaps Israel, India, and
Italy, I would say two reasons.
First, perhaps that's just where the talent is. These countries
might just have a larger scale of highly skilled workers who are capable and
have the means to, sort of, to tech up and focus in on these industries.
It could be because of defense structures within these
ecosystems. It could also be because there are permissive environments that
allow sort of companies to, to have less regulation from, from the state in
these, in these jurisdictions. And what makes these countries quote unquote
disproportionate is just seeing, not only are they home to a bunch of spyware
vendors that we observe in the, in the global market for spyware. They have a,
a quite a large stake of vendors themselves, but they also have––like I mentioned
earlier about investors, Israel and Italy have a wide host of investors in the
spyware market. So, concentration of not only vendors, but also other arms of
this ecosystem.
Investors, individuals, suppliers, holding companies and all of
the like. So, it's not just spyware vendors who are domiciled in these
jurisdictions––it's truly across the categories that we have defined in the
dataset, they are present in these three jurisdictions.
Justin Sherman: Just,
I, I just want to add one question here, which is, you know, not to––I'm
curious if you have a specific opinion, because, as you say this, I'm thinking,
okay, you know, the hypothesis, for example, on ‘they have the talent,’ right,
is compelling to me in some cases. For example, Israel, we certainly hear, read
more than enough about Unit 8200 in Israel and various others that are highly
sophisticated in cyber.
But, you know, no shade to Italy, for example. But, you know,
but it seems a little strange that for instance, one would have a huge
concentration of spyware if it was just based on talent coming out of, of Italy
versus, you know, the U.S. or China or something.
So, not to say––I mean, you, you study this much more than I
do, but I'm just curious if you have a, either of you have a particular view
on, on which of those hypotheses or which other hypothesis might be the most
compelling.
Jen Roberts: Justin,
I agree with you at first glance. I was also sort of surprised to see Italy in,
in this list, but upon revisiting the data and thinking about it a little bit
more, an Italian vendor is the, is the first vendor that we observe in the
Mythical Beasts dataset, which goes back to 1992.
So really they're the, the first comers into this market. And
while they might not be as sort of globally recognized as some of other
jurisdictions that we, we map and, and Justin that you listed. They’re a
notable jurisdiction that's based in the EU, and perhaps that is why they have
stuck around for so long. You don't have to worry about export control laws if
you're sort of selling within the EU like these other states do.
And also, there might be diversification in terms of
specialization. So, Italian vendor spyware doesn't look the same as Israeli
vendor spyware. So there's sort of this healthy competition that I think is
happening across the ecosystem, that if you want products that perhaps cost a
little bit less, you might go to an Italian vendor versus an Israeli vendor.
So, that might be why there's been such a preservation of
activity coming out of Italy for so long.
Justin Sherman:
Interesting. Yeah. And, and as I said, I certainly don't study this as much,
but it's sort of an interesting phenomenon to me.
So, to move along, you know, you also note in addition to the,
the geographic concentration point, an interesting finding around what you call
strategic jurisdiction-hopping.
What, what does this mean, both literally, and then in terms of
its broader implications?
Jen Roberts: So,
strategic jurisdiction-hopping is where we observed in the dataset that several
vendors have appeared to have constructed a subsidiary, a branch, a partnership
relationship or the like that crosses sort of strategic jurisdictional bounds.
These locations may offer a variety of location-specific
benefits. I just talked about benefits of having access to the EU market. So, opening
or having a relationship with an EU-domiciled firm to, to have access to that
marketplace.
And we do have an example of this happening in quite a few
across the data set, but want to highlight one in particular where in 2017, the
Israeli vendor QuaDream Inc. set up a supplier in Reach Technologies Limited in
Cyprus, which QuaDream Inc. claimed later in a court filing was quote, for the
sole purpose of promoting QuaDream Inc.'s products within the European Union.
This happens sort of across the ecosystem, but it's where
vendors have a physical presence––sometimes in Europe, sometimes in the U.S.––in
markets where they really want to sell to.
Justin Sherman: Just
to hear about another one of your observations. You also found many efforts by
spyware entities to change their names and shift their corporate structures.
Can you tell us more about this? Is there any way to measure if
this was always happening but just wasn't well detected? If this is happening
more frequently now for some reason? Et cetera. What is your, what does your
research show us?
Jen Roberts: So when
it comes to shifting vendor identities, this is the trend where spyware vendors
will change their legal names and even shift entire corporate structures to
obscure the, their identity and potentially even manage the impact of negative
press reporting.
My favorite example of this is, and I've brought it up before
when I was talking about Candiru and Saito Tech, and I was kind of
flip-flopping between the two. Between the years of 2016 and 2020, Candiru changed
its name annually.
It's now called Saito Tech, Ltd., but a lot of people,
including myself, sometimes still call it Candiru. This makes it really
difficult for researchers and policymakers who are trying to track an entity or
a specific spyware vendor that they don't necessarily want to do business of or
think they may have disappeared, but in reality, they're just operating under
another name.
For example, Sarah also talked about this earlier, there's
another vendor coming out of Italy called Hacking Team, who is now called
Memento Labs. They had, around 2015, a wide breadth of information leaked
online about their sort of internal operatings, and shortly thereafter, they
went through some name changes.
So this is a trend that just shows that these vendors are
rebranding, they're changing their names, which makes it harder for researchers
and policymakers to keep track of these entities. So that's really interesting
for, for us to sort of observe.
I don't think it's siloed in particular to just the spyware
industry. We see sort of this obfuscation happening across a variety of
different sectors. Money laundering is a good example of one as well.
Justin Sherman:
Zooming back out, what are the implications of the spyware industry for U.S.
national security, as well as U.S. foreign policy broadly?
Jen Roberts: So
spyware is a national security threat to the U.S. It's a threat in a few ways.
First, it's a counterintelligence risk. The more countries that
have capabilities like this open up our doors to being targeted, but it's also
a national security risk because a lot of the industry also doesn't necessarily
operate within the U.S. And the last part of why it's quite a risk is because,
for years, spyware has been utilized to target American officials and citizens,
both at home and abroad.
In early 2023, several U.S. Congress members' phones were
infected with Predator, a spyware developed by members of the Intellexa
Consortium. And in 2021, Apple notified around a dozen U.S. officials working
in Uganda at the time that they were targeted by NSO Group’s Pegasus spyware.
So these capabilities are being utilized against Americans.
They are a counterintelligence risk for American security, and a large part of
the industry doesn't necessarily operate within the U.S. parameters, so we have
less oversight and ability to sort of shape this market.
That being said, there have been a lot of efforts, and I did
mention a few earlier in the podcast that the U.S. has worked on to curb the
proliferation and misuse of some of these capabilities. I mentioned earlier
your visa restrictions and sanctions, but there's also a joint statement on
efforts to counter the proliferation and misuse of commercial spyware, where a
variety of different countries have signed up and said, we want to do something
about this issue set. There are also the entity listings, which I mentioned
earlier, and an executive order. And right now going through Congress, there's
also an amendment to the NDAA to make some of these executive actions codified
into law.
So, it seems that U.S. policymakers are aware that this is a
national security risk and also a human rights risk. But I think that attention
has really sort of picked up within the past five years or so.
Justin Sherman:
Certainly, as you said, some of the, you know, Saudi and other use cases
definitely have made way more press beyond, beyond––rightfully so––beyond just
sort of cyber and technology land.
So you mentioned several times throughout, and we talked about
this specifically, that there are a number of spyware investors that seemingly
come from the United States. Do you see this as a good thing, a bad thing,
something else? Both? And what, if anything, should the U.S. government do
about it?
Jen Roberts: This is
a really interesting question because I think it could be seen as both good and
bad. And that's sort of the classic answer. There's two sides to, to every
coin.
It's bad because there's a disconnection between U.S. policy
and U.S. investment. At least that's the way it seems. The U.S. has been doing
so many things to counter the proliferation and misuse of these capabilities. And
a spike in U.S. investment over the past year is quite concerning, because that
doesn't fit the picture of what U.S. policy is sort of going in the direction
of.
But it's also a good thing because this means sort of like I
just pointed out, that the U.S. doesn't necessarily have the most control over
a market that doesn't operate within its own jurisdictional bounds.
Well, U.S. investment does, so engaging with the investment
community and really thinking about ways to increase due diligence efforts and
beneficial ownership programs and a whole host of things, there's still a lot
that can be done to counter this, this issue. So it is good that the
opportunity is there.
Justin Sherman: In
terms of other countries and what's going on there––and I say that broadly, that
could include other countries knowingly seeing companies there selling to bad
actor, you know, human rights abusers. That could include lots of investment in
other countries, permissive export environments, you know, is there anything
the U.S. government should be doing vis-a-vis those countries to shape or
curtail their activities around, or tolerance for spyware entities?
Jen Roberts: I think
the U.S. has made some steps in the right direction when it comes to this by
engaging allies and partners to make this truly a global issue. I just
mentioned the joint statement on efforts to counter the proliferation and
misuse of commercial spyware. There are a wide host of a variety of different
countries from Australia to Canada, Costa Rica, Finland, France, Germany,
Japan, Lithuania, New Zealand, Norway, Poland, the Republic of Korea, Slovenia,
Sweden, just to name a few that are signatories to this joint statement.
And it is my understanding that this joint statement is sort of
an evolving list over time. So I haven't seen an addition quite recently, but
it seems that we are actively engaging allies and partners on this topic set
already, including a UK-French led process called Pall Mall, of which the U.S.
is a signatory, which has a different sort of set of signatories and, and sort
of doesn't necessarily just focus on spyware, but the commercial cyber
intrusion industry writ large.
So the U.S. is showing up to conversations and it's engaging
with countries on this issue set. If they should be putting any pressure on
specific countries outside of the ones that are cooperating, I would focus on
the, the three “I” countries, the, the countries that have the greatest
concentration of activity in this marketplace, which are Israel, Italy, and
India.
Justin Sherman:
Lastly, you note for all the change that has occurred in the market in the last
couple of years and since the last iteration of your spyware market study,
there are also a number of consistencies. You flagged this already in the
market in terms of how firms are operating, where they're operating, who's
funding and so forth.
So how should policymakers, on the, you know, whole think about
both the developments, you know, changes and the consistencies in the market? And
then what, if any, action do you think U.S. policymakers should be taking as
this market evolves into the future?
Sarah Graham: I would
approach this consistency that we've been talking about somewhat positively,
that the shape and the scope of the market are relatively stable in terms of
looking ahead and how this might look in the future.
We would love to come back to you in a few years with, you
know, some built year-on-year data that might inform this, this directionality
a bit more. But in the absence of this, what our sample of the marketplace
tells us from, like, you know, transition of 2023 to 2024, is that there hasn't
been a huge amount of movement.
These six trends that we outlined in the report are observable,
even with the addition of over a hundred new entities––which, as an aside is a
bit ironic actually, that we're saying we're seeing trends of consistency, of
entities doing something somewhat inconsistent. They're, they're changing names
or jurisdictions and all of these different things, but overall, we're seeing
consistency in that behavior, which is at least a positive thing for
researchers and policymakers and other partners to be able to understand a
somewhat sort of stable snapshot of what's going on.
So I would really just hone in on quite a bit of the current
policy action that Jen is talking about in terms of the joint statement and
other international efforts to counter the proliferation and misuse of spyware,
the Pall Mall process. To say that these sorts of efforts and really showing up
to engage and cer––move the needle should certainly continue.
Justin Sherman:
That's all the time we have. Jen, Sarah, thanks again for joining us.
Sarah Graham: Thanks
so much.
Justin Sherman: The Lawfare
Podcast is produced in cooperation with the Brookings Institution. You can
get ad-free versions of this and other Lawfare podcasts by becoming a Lawfare
material supporter through our website, lawfaremedia.org/support. You'll also
get access to special events and other content available only to our
supporters.
Please rate and review us wherever you get your podcasts. Look
out for our other podcasts, including Rational Security, Allies, The
Aftermath, and Escalation, our latest Lawfare Presents
podcast series about the war in Ukraine. Check out our written work at lawfaremedia.org.
The podcast is edited by Jen Patja and our audio engineer this episode
was Cara Shillenn of Goat Rodeo. Our theme song is from ALIBI music. As always,
thank you for listening.
