The hacker-to-rent industry is now too big to fail

NSO Group has been besieged by criticism and accusations of abuse for years. In 2016, the United Arab Emirates targeted human rights activist Ahmed Mansoor using NSO Group’s Pegasus, a tool that exploits software bugs to hack iPhones and hand over control to NSO Group’s customers. In that case, the UAE government was seen as the culprit, and the NSO walked away unscathed (Mansoor is still in jail accused of criticizing the country’s regime).

The pattern was repeated for years – over and over again, governments would be accused of using NSO hacking tools against dissidents, but the company denied having made mistakes and avoided punishment. Then, in mid-2021, new reports emerged of alleged abuses against Western governments. The company was sanctioned by the United States in November, and in December, Reuters reported that U.S. State Department officials had been hacked using Pegasus.

Now the NSO Group is facing costly public lawsuits from Facebook and Apple. It has to deal with debt, low morale and fundamental threats to its future. Suddenly, the poster child for spyware is facing an existential crisis.

All this is well-known territory. The secretive hacker-for-rental industry first spray-painted across international newspaper headlines in 2014, when the Italian company Hacking Team was accused of selling its “untraceable” spyware to dozens of countries without regard to human rights or privacy violations.

The Hacking Team opened the world’s eyes to a global industry that bought and sold powerful tools to break into computers anywhere. The resulting storm of scandals eventually seemed to kill it. The company lost business and the opportunity to legally sell its tools internationally. The Hacking Team was sold and left to the dead in the public consciousness. Eventually, however, it changed a new name and began selling the same products. Only this time it was a smaller fish in a much larger pond.

“The demise of the hacking team did not lead to fundamental changes in the industry at all,” said James Shires, assistant professor at the Institute of Security and Global Affairs at Leiden University. “The same dynamics and demand still exist.”

The industry’s earliest customers were a small set of countries eager to project power around the world via the Internet. The situation is far more complex today. Many more countries are now paying for the immediate ability to hack opponents both internationally and within their own borders. Billions of dollars are at stake, but there is very little transparency and even less accountability.

While public scrutiny of companies offering hackers for hire has grown, global demand for offensive cyber capabilities has also escalated. In the 21st century, a government’s most valuable target is online more than ever – and hacking is usually the most effective way to reach them.

The result is a growing crowd of countries willing to spend large sums on developing sophisticated hacking operations.

For governments, investing in cyber is a relatively cheap and potent way to compete with rival nations – and develop powerful tools for domestic control.

“Especially in the last five years, you have more countries developing cyber capabilities,” says Saher Naumaan, a senior threat intelligence analyst at BAE Systems.

And several of these countries are seeking outside help. “If you do not have a way to leverage the skills or talent of the people of your country, but you have the resources to outsource, then why would you not go commercial?” she says. “It’s an opportunity in many different industries. That way, cyber is not so different. You pay for something you do not want to build yourself.”

For example, oil-rich countries on the Persian Gulf have historically lacked the significant technical capacity needed to develop domestic hacking power. So they use on a shortcut. “They do not want to be left behind,” Naumaan says.

Military contracting giants around the world are now developing and selling these capabilities. These tools have been used to commit gross abuses of power. They are also increasingly used in legal criminal investigations and counter-terrorism and are the key to espionage and military operations.

The demand for what private hacker companies sell does not disappear. “The industry is both bigger and more visible today than it was ten years ago,” said Winnona DeSombre, a security researcher and fellow at the Atlantic Council. “Demand is rising because the world is becoming more technologically connected.”

DeSombre recently mapped the famous opaque industry by mapping hundreds of companies selling digital surveillance tools around the world. She argues that much of the industry’s growth is hidden from the public, including Western companies’ sales of cyber weapons and surveillance technology to geopolitical opponents.

“The biggest problem comes when this space is primarily self-regulated,” she explained. Self-regulation “can result in widespread human rights violations” or even friendly fire when hacking tools are sold to foreign governments that turn around and use the same opportunities against the country of origin.

Alarmed by the growing influence of industry, authorities around the world are now aiming to shape its future with sanctions, accusations and new rules on exports. Still, the demand for the tools is growing.

Ultimately, the most meaningful change can come when there is an impact on corporate revenue. Recent reports show that the NSO Group is in debt and struggling to woo Wall Street investments.

“This is a commercial industry, after all,” says Shires. “If venture capital firms and large business investors see this as a risky bet, they will choose to withdraw. More than anything else, it could change the industry radically.”

Give a Comment