The Perils of Privatized Cyberwarfare
Privatized cyberwar will complicate oversight, create counterintelligence risks, fuel arms races and insecurity, and put civilians at risk.
On March 6, the Trump administration published its long-awaited cyberstrategy. Among its themes is a conspicuously enthusiastic endorsement of the role of the private sector, declaring that the U.S. “will unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities.” While the strategy stopped short of formally authorizing U.S. companies to engage in cyber operations on behalf of the U.S. government—a point that was later clarified in comments made by National Cyber Director Sean Cairncross—it is not entirely clear the administration has ruled it out, either. In December 2025, Bloomberg News reported growing support within the Trump administration for such an authorization, and an executive order may be forthcoming. Such a development may seem inconsequential in comparison to the tsunami of norm-breaking actions carried out by the Trump administration. Should President Trump carry out this order, however, it would constitute an unprecedented departure from previous U.S. military convention with major consequences for U.S. national security, the rule of law, and international stability.
Offensive cyber operations (OCOs) are actions undertaken in and through cyberspace (meaning the globally connected digital communications network) to disrupt, deny, degrade, destroy, or manipulate adversary systems. OCOs are not to be confused with computer network exploitation, which involves stealthily breaking into computerized systems and stealing data—for example, espionage. Although they can involve similar techniques, the ultimate objective of OCOs is to cause damage. OCOs are acts of warfare and thus traditionally have been undertaken exclusively by U.S. cyber agencies, not companies.
At the outset, it is important to be clear about what an authorization for private companies to conduct OCOs would entail. It is not a matter of simply enlisting the private sector to support the Pentagon’s operations that is at issue. The private sector has for decades been extensively involved in just about every aspect of U.S. intelligence and military operations. From the design and production of weapon systems, digital sensors, and analysis platforms, to logistics, among other contributions, private firms are integral to the full spectrum of today’s military operations. The Pentagon outsourcing contracts to private companies is nothing new.
What would be new is authorizing the Pentagon to deputize companies to use force—something that violates both U.S. and international laws and norms around warfare. Though extreme, the idea did not arise in a vacuum. Cybersecurity industry representatives and thought leaders have advocated for firms to have the freedom to “hack back” for years. Earlier this year, Google created a “disruption unit” to impose “ethical and legal costs” on attackers. While the language may seem provocative, what “hack back” proponents advocate for in practice falls short of actual OCOs as conventionally understood. However, one recent event at Dartmouth University, which convened “thirty experts from government, industry, academia, and venture capital under Chatham House rules,” concluded that there is an “opportunity” for the U.S. government to “leverage the private sector to scale up” OCOs, albeit initially limited to a subset of acts in response to cybercrime. Should the Trump administration enact new measures to deputize private firms to engage in OCOs, these desires would not only be granted, but they would also be exceeded.
This piece argues that an authorization permitting the private sector to conduct OCOs would have dire consequences. Enlisting the private sector to undertake OCOs will complicate oversight, empower a dubious and corrupt industry, create counterintelligence risks, fuel a cyber arms race that could lead to system-wide instability, make critical infrastructure insecure, provoke countermeasures against perpetrators, and put civilians at risk. Whereas previous U.S. administrations have sought to contain these dynamics through law and policies, the Trump administration would instead facilitate them. Several U.S. adversaries, including Russia, China, and Iran, and at least one ally, the United Arab Emirates, already outsource offensive cyber operations to private firms. With the United States following in their path, it would normalize private-sector OCOs internationally, emboldening authoritarian and illiberal governments to undertake even more OCOs, and multiplying their negative implications on U.S. security.
Complicating Oversight
OCOs are among the most highly classified activities a government undertakes. Most missions are executed by specialized units, such as the U.S. Air Force’s 67th Cyberspace Wing or the Marine Corps Cyberspace Warfare Group. Given the stakes involved in their missions, these state entities operate with little transparency. Oversight is restricted to compartmented channels, such as classified briefings to congressional committees, where members are bound by strict nondisclosure protocols.
Privatizing OCOs introduces complexities and gaps into the existing oversight landscape. Although private firms contracted to undertake OCOs will require the same operational secrecy as the defense and intelligence communities, the companies will face none of the scrutiny mandated statutorily for government bodies. Because defense contractors are corporate entities rather than state agencies, they operate outside the oversight architectures that govern the intelligence and defense communities. Unlike military commanders, who are compelled by federal law to maintain strict notification protocols with Congress for all offensive operations, CEOs of defense contractors have no such obligation. This creates an accountability gap: Without new legislation—which the Trump administration seems unlikely to encourage—congressional oversight will require subpoenas to compel company executives to testify. In such a litigious context, firms will likely invoke commercial privilege or nondisclosure agreements to shield proprietary tradecraft or to protect their U.S. or other foreign government customers.
Beyond strict legal requirements, a fundamental difference exists in the organizational cultures that distinguish the private sector from government agencies. Defense personnel undergo years of training, becoming acculturated to routines that include compliance with oversight protocols or cooperation with inspectors general, judge advocate generals, and auditors. While lapses in judgment, failures to cooperate with oversight bodies, and ethical and even legal violations have occurred, these are exceptions to the rule. By contrast, profits rather than public service drive private firms; the firms are likely to view compliance mechanisms as inefficiencies to be minimized rather than ethical mandates. This problem is compounded because the firms that make up the industry for cyber operations are notorious for poor ethical practices and opaque corporate structures, which appear designed to evade accountability. For example, NSO Group, which manufactures the notorious Pegasus spyware, built a series of front companies and brokers with checkered histories to facilitate its sales to Mexican government clients, including some who had been indicted for corruption and other crimes.
Outsourcing such a large volume of expensive and sensitive operations to the private sector will also exacerbate the so-called revolving door problem, where government employees leave public service to work for the very companies they previously contracted with. Although federal law mandates a “cooling off” period before former officials can lobby agencies that previously employed them, the law is easily circumvented when these officials provide behind-the-scenes advice to firms bidding on government contracts. The combination of government layoffs and huge increases in defense and intelligence budgets will likely exacerbate these dynamics. Poorly staffed agencies with inexperienced personnel will be required to spend vast sums of money in short cycles, furthering the risks of corrupt or unethical practices, which are more challenging to subject to formal oversight procedures.
Making matters worse is that the new policy would take place in the context of an administration that has systematically weakened oversight and compliance offices across the government, including for intelligence and defense agencies. It has also enriched its members and their families through highly questionable business ventures, such as the president’s family launching the “World Liberty Financial” cryptocurrency platform, which raked in millions from foreign investors just weeks before federal regulators dropped active investigations into some of those very same donors. A recent New York Times investigation of 346 people who donated at least $250,000 to the Trump campaign found that more than half received pardons, government contracts, or other types of special treatment.
In sum, outsourcing OCOs to the private sector will take an already secretive and risky set of government missions and entrust them to commercial firms several steps removed from formal oversight mechanisms at a time when the Trump administration has dismantled those very mechanisms. Corruption at such a scale and with impunity, as the Trump administration has shown, makes oversight even more challenging to implement, as those involved in outsourcing will already be evading laws and norms for other reasons. The likelihood of increased corruption, abuse of power, and unprofessional conduct is thus extremely high.
Empowering the Mercenary Spyware Industry
The OCOs that the Trump administration may outsource are highly specialized. Companies that possess deep expertise in penetrating mobile and network defenses—known as the “mercenary spyware industry”—will hold a distinct advantage. These firms have already mastered the full operational life cycle required to execute these missions, from weaponizing zero-day vulnerabilities to maintaining the complex command-and-control infrastructure needed to manage the hacking of computer systems at scale. Furthermore, the mercenary spyware industry possesses over a decade of experience cultivating procurement networks within defense and intelligence sectors, albeit primarily for surveillance and espionage rather than destructive OCOs. The firms are likely aware of the opportunities that an OCO authorization would present; NSO Group has courted investors and lobbied Congress for years, seeking removal from U.S. sanctions precisely to unlock the vast U.S. government market.
The prospect of these vendors capitalizing on U.S. government outsourcing opportunities is ominous. Over the past 15 years, research by the Citizen Lab and other watchdogs has revealed a pattern of extensive abuses associated with NSO Group, Intellexa, and their peers. Although marketed to governments ostensibly to assist in law enforcement and national security investigations, evidence shows that governments have widely abused these systems to target journalists, human rights advocates, lawyers, dissidents, and political opposition, both domestically and abroad. Despite public assurances to the contrary, firms in this space have disregarded the actions of their end clients, and in some cases have continued to support serial violators, such as Mexico and Saudi Arabia. One mercenary spyware firm, Intellexa, even went so far as to market to genocidal actors in Sudan.
Under the Biden administration, the U.S. government acknowledged the poorly regulated and highly abused mercenary spyware industry as a threat to human rights and to U.S. national security, particularly after revelations that numerous U.S. government officials stationed abroad had their phones targeted with Pegasus spyware. In 2023, President Biden signed an executive order prohibiting U.S. federal agencies from procuring spyware from firms whose technology has been implicated in human rights abuses or presented national security risks. The administration also levied sanctions against both firms and individuals whose technology facilitated these abuses, and began the process of building an international regime of more than two dozen like-minded countries devoted to the same measures.
Under a new posture authorizing private firms to conduct OCOs, those measures would either erode significantly or go away altogether. The government cannot, by definition, contract with firms that are under U.S. sanctions. Making sanctions relief for NSO Group even more likely is its recent sale to a consortium of U.S. owners led by David Friedman, a former U.S. ambassador to Israel and Trump’s former bankruptcy lawyer. Should the policy shift proceed with those regulations rolled back, firms such as NSO Group will profit handsomely. Moreover, a U.S. government contract serves as a powerful endorsement to other potential government clients. The market will be energized, and proliferation will accelerate unchecked, stripped of whatever safeguards were in progress to mitigate abuse around the computer network exploitation services provided by these firms.
Creating Counterintelligence Risks
Entrusting OCOs to private firms introduces a slew of new counterintelligence risks, while amplifying preexisting ones. First, the government becomes reliant on private firms to secure operations that are among the most sensitive in the state’s portfolio. Although U.S. government agencies are not infallible when it comes to digital security, they at least operate under standardized frameworks and auditing requirements. Outsourcing to a fragmented network of private firms renders such standardization far more complicated, as the many data breaches involving the private sector’s handling of government data have already demonstrated. When outsourcing, the government relies on for-profit entities to secure their operations, which those entities sometimes view as a costly line-item expense to be minimized in favor of revenue.
Second, although data breaches are commonplace across the digital ecosystem, the stakes are exponentially higher in the offensive cyberwarfare sector because of the grave counterintelligence and national security risks inherent in any inadvertent exposure of an OCO. For example, in 2015, the Italian spyware vendor Hacking Team was hacked, exposing all of its internal corporate data. Among that data was confidential information about Hacking Team’s global government client base, including IP addresses of servers used for surveillance, email correspondences, and contract details with intelligence units. Similarly, in 2024, a China-based subcontractor to China’s Ministry of State Security, iSoon, suffered a major breach that exposed its tradecraft and proprietary data, including detailed logs of its targeting and operations on behalf of the Chinese government. In a context where private companies like these undertake OCOs and experience data breaches, governments could become privy to and possibly even preempt sensitive military plans of adversaries using their services.
Third, the Citizen Lab (which this author founded and currently directs) and other watchdog groups have conducted extensive research on the mercenary spyware industry, using technical forensics to expose secretive cyber espionage operations undertaken by dozens of government agencies. We have also mapped parts of the ostensibly “untraceable” command-and-control infrastructure of many firms in this sector, including Hacking Team, Gamma Group, NSO Group, Cyberbit, Candiru, Paragon, and Intellexa, thus exposing their government clients. On several occasions, we have captured the software exploits used by these firms to hack into endpoint devices and initiated responsible disclosures to the relevant parties to patch those flaws, effectively disarming the mercenary spyware firms temporarily. If an academic group such as the Citizen Lab can expose these highly classified operations, one can only imagine what a well-resourced state actor can do. Although mercenary spyware firms often advertise their technology as being “stealthy” and “untraceable,” the reality is their operations leave digital traces that have routinely exposed their government clients’ operations.
Fourth, outsourcing creates a prospect of counterintelligence risks from rogue insiders and other government clients that may contract with the same firms. While spyware companies are often evasive about whether they can “observe” what their clients do, all indications suggest that they possess that capability. NSO Group has reportedly described its access, and a recent investigation into Intellexa revealed that the firm maintained direct access to government client systems through Microsoft TeamViewer, implicating two outside entities through a counterintelligence risk. Furthermore, an NSO Group employee once reportedly stole the company’s source code and attempted to sell it on the dark web. Mercenary spyware exploits have also been repurposed or ended up in the hands of Russian and Chinese threat actors, despite neither Russia nor China being a client of the firms. For example, an Australian employee of a U.S.-contracted exploit broker was indicted in October 2025 for allegedly selling exploits to Russia. Any new outsourcing policy will take this already fraught problem of poorly secured mercenary spyware vendors’ systems and multiply it across dozens of vendors.
There is also a counterintelligence risk that stems from private firms having multiple government clients, or holding allegiance to a “home” country to which their senior personnel are attached. Although it is technically possible to impose exclusive conditions on contracted firms, the reality is that most companies will seek to expand their businesses to other government clients. With those contractual relationships in place, governments will have more visibility into the operating infrastructure of those firms. The governments can then use that information to acquire intelligence or map the operations of the other governments using the same systems. Another counterintelligence risk originates from links between company personnel and a country’s intelligence apparatus. For example, there are widespread and well-grounded suspicions of close links between NSO Group and the Israeli government.
Hoarding Zero-Days
Just as in cyber espionage, at the heart of OCOs lies the exploitation of software vulnerabilities. Hackers capitalize on flaws in code or operating systems—unknown to the manufacturers—to insert malicious instructions into targeted machines to degrade or destroy them. In industry jargon, these secret vulnerabilities are known as zero-days. The trade in these exploits already fuels a poorly regulated and opaque marketplace of researchers, vendors, and clients, including the mercenary spyware firms mentioned above. NSO Group, for instance, weaponizes vulnerabilities in ubiquitous American platforms, including Apple, Google, Microsoft, and WhatsApp, to implant its Pegasus spyware on target devices.
Outsourcing these operations to the private sector will incentivize a race to discover, acquire, and, crucially, hoard software vulnerabilities not just in modern phones but also in critical infrastructure, given OCOs will most likely target them. This arms race will inevitably lead firms to dig deeper into the increasingly invasive internet of things and operational technology infrastructure upon which modern society relies, such as consumer security cameras or Siemens industrial controllers, found throughout sensitive systems, including electrical grids and water treatment plants. The service of one actor’s narrow national security interests will spawn an ever-growing collective insecurity for the rest of the globe, at the deepest level of infrastructure on which all of society critically depends.
The issue of zero-days illustrates a complex trade-off between national security and public safety. For every zero-day left undisclosed, a potential entry point remains unpatched on systems used by billions of people. The fact that a government or mercenary firm holds a secret exploit does not preclude other actors, be they criminals or rival states, from discovering and weaponizing the same flaw. Hoarding zero-days thus places countless citizens at risk as long as the knowledge of that flaw is circulating in a gray zone, a danger acknowledged by the U.S. government itself through its Vulnerabilities Equities Process (VEP), a protocol designed to weigh the value of keeping an exploit secret against the public interest in patching it. However, it is difficult to see how any internal government VEP can remain effective when the responsibility to discover and stockpile these weapons shifts to private contractors, effectively placing the inventory and decision-making outside the scope of formal oversight procedures.
Should the Trump administration decide to outsource, contracting firms may have a shield from civil liability for exploiting third-party software, which is currently illegal under U.S. law. Recently, WhatsApp sued NSO Group in federal court for violating the Computer Fraud and Abuse Act. A district judge ruled ultimately in WhatsApp’s favor, but NSO Group argued that it should be granted the same sovereign immunity enjoyed by governments. If authorization to use force is granted to private firms under a new federal statute, such immunity defenses may gain legal traction, effectively legalizing corporate cyberattacks on U.S.-based tech infrastructure.
While the race to hoard vulnerabilities is troublesome on its own, the Trump administration’s dismantling of the very institutions designed to defend against them significantly worsens the situation. The Cybersecurity and Infrastructure Security Agency, for example, which was created in 2018 to coordinate the defense of the nation’s critical infrastructure, was gutted as part of the Trump administration’s Department of Government Efficiency efforts. Its career leadership was purged and its authority curtailed, effectively blinding one of the few agencies capable of shielding U.S. infrastructure from the very weapons the government may now help proliferate. The irony is rich: The government proposes to pay private firms to acquire and hoard vulnerabilities, while it systematically handicaps the entities charged with patching them.
Fueling a Cyber Arms Race and System Instability
Russia, China, Iran, and the United Arab Emirates all outsource hacking to private companies, but mostly for espionage purposes to date. In one notable case involving Dark Matter—a firm based in the United Arab Emirates and staffed by former National Security Agency and CIA contractors—the company reportedly targeted U.S. citizens and government officials. Three personnel involved in Dark Matter operations were later indicted and entered into deferred prosecution agreements with the Department of Justice for conspiring to violate export control and computer fraud statutes. Specifically, the operatives admitted to providing unlicensed “defense services” to a foreign government, a scheme that involved the targeting of U.S. citizens, journalists, and political dissidents. Companies hacking on behalf of Russia, China, and Iran adopt similar models, albeit without the same professional veneer as Dark Matter, effectively blurring the lines between statecraft and organized cybercrime.
Should the U.S. commence outsourcing OCOs to the private sector, it will legitimize these government-hacking firm arrangements. The countries currently using private firms for hacking may feel pressure to compete or conform; it is a small pivot for these governments to authorize the same firms hired to spy to undertake acts of sabotage instead. Other governments will have incentives to contract with mercenary firms to avoid a capability gap. Private entities, for their part, will aggressively market their services by leveraging this “arms race” dynamic, showing off their wares at major defense trade shows. The proliferation of OCO capabilities will increase substantially worldwide, but at what cost?
A world where a multitude of actors engage in OCOs on behalf of various government entities will exacerbate collective action problems and heighten uncertainty regarding the intentions of adversaries, creating a fertile environment for misunderstandings and escalation. Attributing cyberattacks to their actors—already a challenge in other domains—will be compounded by the multiplication of actors, all of whom have incentives to conceal their operations and evade scrutiny. Furthermore, whatever limited progress has been made in international fora, such as the United Nations Group of Governmental Experts regarding “rules of the road” for cyberspace, will be severely undermined. Additionally, injecting private entities into the decision-making loop for OCOs increases the likelihood of unauthorized or mistaken targeting, carrying grave consequences for inadvertent escalation. This risk is acute in the present context: In 2024, Russia adopted a national security doctrine that lowered the threshold for the type of attacks warranting a nuclear response, which, hypothetically, could include cyberattacks.
Complicating matters further is the potential integration of artificial intelligence (AI) systems into the OCO workflow. Firms in this sector, like their counterparts elsewhere, will try to capitalize on the AI boom to cut costs, optimize efficiency, and advertise the technological sophistication of their services. Reports already indicate that cyber espionage actors are deploying AI platforms to enhance their activities, from generating convincing phishing emails and automating target reconnaissance to developing malware and analyzing exfiltrated data. These dynamics will permeate the entire OCO life cycle, too. The risks of miscalculation, misunderstanding, and inadvertent escalation are magnified when private firms introduce autonomous AI systems into OCOs. Attacks and counterattacks could take on a life of their own, increasing the possibilities of reprisals from those on the receiving end.
Provoking Unpredictable (and Potentially Lethal) Countermeasures
While the U.S. can “authorize” private entities to undertake cyberattacks abroad, foreign governments will not likely extend the same legality to them. Firms and employees will face countermeasures, which can range from criminal charges to sanctions to even physical retaliation, including targeted assassination. Private contractors will become, in effect, enemy combatants. Indeed, this threshold has already been crossed: In 2019, the Israel Defense Forces (IDF) responded to a Hamas cyberattack by bombing a building in Gaza that reportedly housed those responsible. Situated at a desk and in front of a screen, private contractors may feel removed from whatever operations they are tasked with. Yet the 2019 IDF attack shows just how immediate and fatal the consequences can be.
For a window into this new landscape, look no further than how the U.S. treats individuals and corporations caught hacking U.S. entities on behalf of foreign governments. Numerous people have been placed on sanctions lists or wanted posters, indicted for violating U.S. federal laws on unauthorized use of computer systems. Targeted foreign governments will likely follow course, banning U.S.-based firms from doing business because of the perceived national security risks, foreclosing billions of dollars in market opportunities. A wide range of civil liabilities could also be imposed on companies involved in OCOs sought after by the targeted entities. Private firms and their representatives could find themselves unable to travel to certain foreign countries or risk Interpol “red notice” arrests. They could be placed on sanctions lists, and their assets could be seized by foreign governments.
Foreign governments do not always retaliate in predictable or analogous ways, either. Decades of nontraditional warfare and government support of non-state proxies suggest asymmetric violence will inevitably surface in response to OCOs conducted by the private sector. Executives, employees, and potentially even investors could find themselves in the crosshairs of dangerous paramilitary or organized criminal groups operating on behalf of targeted governments. Iran and India, for example, have contracted with organized criminal groups, including the Hells Angels and the Jalisco New Generation Cartel, to undertake assassinations of dissidents or activists abroad. Similar measures may be used against representatives of private firms implicated in what states perceive as hostile acts.
Putting Civil Society in Harm’s Way
One of humanity’s greatest achievements in the latter half of the 20th century has been the progress around human rights and the development of international humanitarian law. The post-World War II establishment of the Universal Declaration of Human Rights and the Geneva Conventions helped shift discourse and practices to recognize individual rights and place rules-based limits on warfare. Those norms, rules, and laws rest on a common understanding that it is only sovereign states that can wage war and that those states are ultimately responsible for their conduct.
However, the privatization of OCOs threatens to undermine this normative framework. By outsourcing the “use of force” to opaque commercial entities, the United States would effectively delegate its liability responsibility and thus circumvent the very laws of war that it helped construct in the first place. This move would duplicate the problems observed in the privatization of kinetic warfare, as embodied by groups such as the U.S.-based private mercenary contractor Blackwater or, more recently, the Russia-affiliated Wagner Group. Among other things, such outsourcing undermined formal rules of engagement, broke down rules for professional accountability, and, in the case of the Wagner Group, allowed governments such as Russia to put forward claims of plausible deniability for the heinous conduct of non-state proxy actors. With each step toward the normalization of privatized cyberwarfare, international humanitarian norms, laws, and rules will be further unraveled.
Compounding the issue is that conducting OCOs today involves targeting civilian infrastructure, as cyberspace itself is, by definition, the globally connected digital communications network that society depends on. This increase in targeting civilian infrastructure will come at a time when civilians, medics, and journalists are already targeted by armed forces in zones of conflict, including Ukraine, Gaza, and Iran. Without an overarching norm in place, firms conducting OCOs may be tempted to disregard the possibility of civilian casualties when considering acts of sabotage in cyberspace because they do not fear the consequences of violating the rules of war. Outsourcing to private companies to undertake OCOs that target civilian infrastructure and cause potentially life-threatening collateral damage for noncombatants is thus a double blow for international humanitarian laws and norms.
Conclusion
If the Trump administration authorizes private companies to undertake OCOs on behalf of the U.S. government, the decision will usher in a series of dangerous consequences that would destabilize the international system, undermine the rule of law, and proliferate insecurity. Because the policy is in an ambiguous state—neither fully rejected nor endorsed—a narrow window of opportunity remains to prevent its implementation. That will depend on the relevant congressional bodies, policymakers, thought leaders, and armed services representatives recognizing the risks and intervening to convince Trump and his advisers to withdraw the proposal. However, for such a countermovement to materialize would require considerable pushback from within the administration’s own support networks, a prospect that appears remote in today’s political climate. There is also a relatively small but influential group of cybersecurity industry insiders who stand to benefit materially from this shift and have been advocating for fewer restraints on the private sector for years.
Should the policy shift proceed, containing the worst outcomes will require creative strategies. First, societies that consider themselves constitutional republics should form an alliance to counter these and other related dynamics. Many governments that once depended on cooperation with the United States now recognize that times have changed. Confronted with the upheaval that outsourcing OCOs to the private sector will bring, these governments could find common cause around shared values, including independent oversight of military practices, resilient cybersecurity defenses, and commitments to international humanitarianism and the rule of law. An alliance could push for joint legislation to outlaw private mercenary activity in cyberspace, thereby distinguishing the alliance of constitutional republics from the rising tide of authoritarianism.
There is also an opportunity for the private sector, although the incentives are mixed and the policy landscape is complicated. One of the starkest developments of the Trump administration’s consolidation of power is the speed with which the U.S. tech sector jumped on board. Tech CEOs have lavished praise on Trump, with Apple’s Tim Cook going so far as to bestow a gift of gold in the Oval Office. This obsequiousness is premised on the short-term gains to be had by an administration committed to aggressive deregulation and massive outsourcing to the private sector.
However, the long-term implications of authorizing private cyber mercenaries will be dire for the platforms themselves, as it is their very infrastructure where these acts of war will be waged. Recognizing and countering this risk will put these firms at odds with U.S. policy (and, presumably, with other U.S.-based firms contracted to degrade their systems). However, it will align the companies with their global customer base, which will suffer the collateral damage of unpredictable privatized cyberwarfare. A potential alternative is for the tech industries to consolidate around the support of the use of primarily legal means of “disruption,” such as account takedowns, lawsuits, and denial of services, while drawing a red line around authorizing computer network attacks as fundamentally at odds with the sector’s overall health and their customers’ well-being and safety.
Finally, countering this shift requires devoting considerably more resources to independent civil society watchdogs to track and expose abuses in the mercenary marketplace. Independent investigative journalism and robust academic research will be pillars in the preservation of liberal democracy in an era of privatized cyber conflict. Fortunately, there is a large and growing community of experienced organizations devoted to tracking the mercenary spyware industry that will be poised to pivot alongside them as those companies race to acquire contracts to hack on behalf of the Pentagon.
