The explosive growth of private “cyber mercenary” companies poses a threat to democracy and human rights around the world. Cyber mercenaries – private companies dedicated to developing, selling, and supporting offensive cyber capabilities that enable their clients to spy on the networks, computers, phones, or internet-connected devices of their targets – are a real cause for concern. These tools have been used to target elections, journalists, and human rights defenders and are increasingly accessible on the open market, enabling malicious actors to undermine our key democratic institutions.
At Microsoft, we believe that digital technology has incredible potential to improve lives across the world, support democracy, and protect and promote human rights. That is why, at the second Summit for Democracy, we were proud to join the international coalition of over 150 companies that make up the Cybersecurity Tech Accord individually and collectively pushing back on the cyber mercenary market by committing to a set of industry principles.
We are also acutely aware that to have real impact, we must pair our commitment with action. Microsoft has disrupted the operations of Knotweed and Sourgum, two cyber mercenary groups targeting victims around the world. Today, we are taking further action. In partnership with security researchers from The Citizen Lab of the University of Toronto’s Munk School, we have tracked the malware used by an Israeli cyber mercenary we refer to as DEV-0196. The malware has been used to target communities including journalists, NGO workers, and politicians. Microsoft is sharing information about DEV-0196 with our customers, industry partners, and the public to improve collective knowledge of how cyber mercenaries operate and raise awareness about how cyber mercenaries facilitate the targeting and exploitation of civil society. Technical information for customers and the security community is available here.
Our collective commitment to limiting the threats posed by cyber mercenaries
Combating the threat of cyber mercenaries is a collective effort and we are grateful for our ongoing partnership with Citizen Lab. It shows the impact we can have when we work together. The Cybersecurity Tech Accord principles that members of the technology community have signed onto is also an important step. As the technology industry builds and maintains the majority of what we consider “cyberspace”, we as an industry have a responsibility to limit the harm caused by cyber mercenaries. A more detailed breakdown of the principles is available on the Cybersecurity Tech Accord website, but at a high level, signatories commit to:
- Take steps to counter cyber mercenaries’ use of products and services to harm people;
- Identify ways to actively counter the cyber mercenary market;
- Invest in cybersecurity awareness of customers, users, and the general public;
- Protect customers and users by maintaining the integrity and security of products and services;
- Develop processes for handling valid legal requests for information.
These principles answer President Biden’s call for the technology industry to come together and push against the challenges our societies face. They also come at a critical time. There is growing awareness of the existence of cyber mercenaries and an increased and welcome focus by policymakers on both sides of the Atlantic on the issues related to spyware. At the same time, those debates have only touched the tip of the proverbial iceberg. Recently, the Carnegie Endowment for International Peace identified at least 74 governments that have contracted with such firms to specifically gain spyware and digital forensics technology. This is likely an underestimate.
Moreover, it is only a matter of time before the use of the tools and technologies they sell spread even further. This poses real risk to human rights online, but also to the security and stability of the broader online environment. The services they offer require cyber mercenaries to stockpile vulnerabilities and search for new ways to access networks without authorization. Their actions do not only impact the individual they target, but leave whole networks and products exposed and vulnerable to further attacks. We need to act against this threat before the situation escalates beyond what the technology industry can handle.
Multistakeholder collaboration will be essential in combatting this threat. Much of what we know about cyber mercenary tactics has come from the tireless work of those in the civil society that have drawn attention to individual cases of abuse and supported the victims of cyber mercenaries – innocent citizens around the world. We hope that industry action will help reverse a worrying trend and encourage governments, in particular democracies, to do more as well. We were therefore pleased to see the Biden Administration take the first steps in this arena with its Executive Order to Prohibit US Government Use of Commercial Spyware that Poses Risks to National Security and the follow-on Guiding Principles on Government Use of Surveillance Technologies supported by 44 Summit for Democracy participating states. We hope other countries follow suit in identifying ways to curb this dangerous market.