ArchiveOODA Original

The Privatization of Cyber Tools and Operations Further Muddies Attribution Efforts

The recent exposure of NSO, the Israeli company that developed the Pegasus mobile phone spyware, has again brought to the forefront private companies that develop and sell their technology to “only” governments and licensed law enforcement entities for the purposes of spying and surveilling targets of interest.  While ostensibly Pegasus can be used against criminal and terrorist elements, recent revelations show how such technology can be bent to the will of its operators.  In this instance, the spyware was sold to authoritarian regimes to target human rights activists, journalists, religious figures, academics, and attorneys, among others, with approximately 50,000 individuals being targeted by the spyware since 2016, according to a data leak.  Per one report, Pegasus malware targeted as many as 14 heads of state, as well, implying a cyber espionage angle to the malware’s use.  An expose on NSO that manufactured Pegasus revealed that the company cited “cyberwarfare” as its business model.  There seems little doubt as to the intent of Pegasus and how it has been marketed to potential clients.

This is by no means the first time a company has marketed its surveillance technology to governments and law enforcement entities.  In 2015, the now-defunct Italian company Hacking Team suffered a breach that revealed how private companies purposefully manufactured spy technology to whomever could afford their prices. The data leak exposed executive emails, customer invoices, and even source code – as well as a long list of government, law enforcement, and intelligence customers.  Unsurprisingly, some of the more authoritarian government customers used Hacking Team products to circumvent United Nations embargoes. Gamma International, Ltd., is another such company that provided its products – notably FinFisher spyware – exclusively to governments and law enforcement.  Like NSO and Hacking Team, unknown hackers compromised Gama International exposing its clients, prices, and information pertaining to the spyware’s effectiveness against operating systems and applications. Companies such as these have led to discussions regarding potential regulation of the burgeoning industry of “lawful intercept,” but little headway has been made with governments preferring to let the issue die down quietly.

The rise of companies such as NSO, Hacking Team, and Gamma International, Ltd., reveal the appetite for such technology from those governments wishing to have the capability to surreptitiously monitor and track individuals and organizations.  In a cyber world where Internet connectivity drives all facets of society, including but not limited to government, financial, news, and social discourse, there are many hungry patrons for these tools. For those governments that already possess an in-house capability, use of a private company’s products provides a third-party buffer, making them one-step removed from the questionable activity.  For those that are unable to develop these technologies independently, purchase of such products provides an instant capability to get into the cyber spying and cyber espionage business.  What’s certain is that the demand exists, and private companies feel the risk of their exposure – and that of their clients – is worth the profits on the other end.

More telling is how this privatized entrepreneurship extends past incorporated entities to anyone that has a skill or capability of which there is value.  While companies like NSO, Hacking Team, and Gamma International, Ltd., can claim they only cater to “responsible” parties like governments and their agencies, other private individuals and groups recognize a seller’s market where they can offer their skills and capabilities for a price.  Any interested party that lacks the infrastructure, tools, and experience to execute attacks themselves have an immediate capability, or at least a level of obfuscation that removes themselves from culpability of the attack.  Criminal “as-a-service” models flourish in the underground for the very reason that a demand exists for their offerings.

“Hacker-for-hire-services” is a term so overused that its meaning gets lost.  Yes, there are several models that advertise services ranging from denial-of-service, ransomware extortion, phishing campaigns, and spam, among others.  But cyber espionage mercenaries – groups contracted out to gain unauthorized access into networks – risk becoming a threat to any organization in either the private or public sector.  Espionage has always been and will continue to be big business with the more adept non-state actors able to draw large compensation from governments or their agencies. As highlighted in a recent 2021 threat report, actors such as BAHAMUT and CostaRicto reveal that cyber mercenaries have access to tools thought at one time to be solely used by nation-state actors.  This gives pause for concern as private entities can ostensibly become an arm of a state for a price, blurring the lines between private individual, private company, and government/defense contractor.

For those teams and companies involved in cyber security, cyber mercenary activity should make attribution an even more difficult endeavor.  However, this does not seem to be the case as some organizations claim to be able to sift through the noise to find the true culprit.  Even false flag operations do not seem to be as clandestine as one would think as these organizations appear to be adept at peeling away obfuscation to find the “careless” mistakes made by otherwise “sophisticated” actors.  According to one source, the Israeli government approved the sale of an advanced cyber weapon by an Israeli company to an Arab government, with which it had some level of an intelligence relationship.  If the Arab government conducted an operation using that tool, and shared any info collected, that government may have executed the attack but both parties benefited. The “who benefitted” argument of attribution becomes not so easy to determine.

The continued privatization of cyber capabilities extends beyond companies to any individual or group that has the skill and wherewithal to execute offensive operations. As such, they may be viewed as valuable resources to nation states looking to use cut-outs and proxies for plausible deniability.  Case and point: Russian ransomware gangs are believed to be under Moscow’s influence and recently a cyber security company identified Chinese hackers posing as Iranian hackers in a cyber espionage campaign against Israel. Increased reporting of cyber mercenaries suggests that incidents like these are fast becoming a new reality, providing states another means with which to carry out operations in their interests.  This begs the question of what level of responsibility these cyber mercenaries bear when either supporting a state or conducting operations on behalf of a state.  The same can be asked of the state that outsources these capabilities to individuals, groups, and/or companies. Responsible attribution is increasingly necessary when identifying cyber mercenary activities, as well as identifying what governments may be behind them. The global community needs to come to terms with this development and ensure efforts to attribute this activity properly, or at least assign culpability accordingly and with sound reasoning.  Otherwise, the status quo remains, driving suspicions and accusations but no strategies on how to approach cyber capability privatization, and certainly no solutions to it.  And guess who benefits from that?


Become A Member

OODA Loop provides actionable intelligence, analysis, and insight on global security, technology, and business issues. Our members are global leaders, technologists, and intelligence and security professionals looking to inform their decision making process to understand and navigate global risks and opportunities.

You can chose to be an OODA Loop Subscriber or an OODA Network Member. Subscribers get access to all site content, while Members get all site content plus additional Member benefits such as participation in our Monthly meetings, exclusive OODA Unlocked Discounts, discounted training and conference attendance, job opportunities, our Weekly Research Report, and other great benefits. Join Here.

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking

Corporate Sensemaking: Establishing an Intelligent Enterprise

OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along their journey to optimized intelligence. See: Corporate Sensemaking

Artificial Intelligence Sensemaking: Take advantage of this mega trend for competitive advantage

This page serves as a dynamic resource for OODA Network members looking for Artificial Intelligence information to drive their decision-making process. This includes a special guide for executives seeking to make the most of AI in their enterprise. See: Artificial Intelligence Sensemaking

COVID-19 Sensemaking: What is next for business and governments

From the very beginning of the pandemic we have focused on research on what may come next and what to do about it today. This section of the site captures the best of our reporting plus daily daily intelligence as well as pointers to reputable information from other sites. See: OODA COVID-19 Sensemaking Page.

Space Sensemaking: What does your business need to know now

A dynamic resource for OODA Network members looking for insights into the current and future developments in Space, including a special executive’s guide to space. See: Space Sensemaking

Quantum Computing Sensemaking

OODA is one of the few independent research sources with experience in due diligence on quantum computing and quantum security companies and capabilities. Our practitioner’s lens on insights ensures our research is grounded in reality. See: Quantum Computing Sensemaking.

The OODAcast Video and Podcast Series

In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See: The OODAcast


Emilio Iasiello

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.