Your face is all over the internet
On the subway, you see someone out of the corner of your eye. Do you recognize them? A former classmate? A coworker from three jobs ago? Maybe a short-lived fling? That question nags in your head: Who are they?
AI has an answer: You covertly snap a photo when they’re not looking and upload it to a facial recognition service that searches millions of webpages for that same unique face. Ping! That face pops up in the background of a photo at Walt Disney World, and there they are at a protest, and there they are on someone’s old Flickr page. Oh, but actually one links to a wedding album. They were in the bridal party. The website is still active. A face. A name. Identity unlocked. You finally figured out who they were – the mystery is solved.
That’s perhaps the most harmless, best-case scenario — and even that’s more than a little bit creepy. But that reality is already here.
Facial recognition services like PimEyes and Clearview AI do just this, using machine learning to sift through enormous troves of faces with startling accuracy. They’re essentially reverse search engines that make your face all that a stranger — or the government — needs to gather your personal information.
I uploaded my face to PimEyes to test it out. The company brags about its creepiness: “For $29.99 a month, PimEyes offers a potentially dangerous superpower from the world of science fiction,” reads a New York Times quote featured prominently on its homepage.
For $300 you get “deep searches” and unlimited access to the software. GZERO ain’t buying it, but a highly motivated individual could pay the full price to find someone, to stalk them, to uncover their identity and whereabouts, and to connect them to a time and place.
Most of the results were pictures I had uploaded: profile pictures for various websites, mainly, as well as photos from my own wedding on our photographer’s website. But there were also a slew of pictures with me in the background of a press conference. In late 2018, I covered CNN reporter Jim Acosta’s court battle to get his White House press pass back. PimEyes surfaced multiple photos of me in the background of Acosta’s interview. The $30 version of PimEyes didn’t shock me, but it was jarring to see my previously unlabeled face from a press conference pop up in less than a minute.
Meanwhile, Clearview AI doesn’t sell directly to the public, instead opting for the lucrative business of selling to law enforcement, government, and public defender offices, according to its website. It’s being used in war right now: Time Magazine wrote that Clearview AI is Ukraine’s “secret weapon” in its conflict with Russia, using the technology to identify Russian soldiers and search for hostages taken across the border.
New York Times reporter Kashmir Hill has written about both companies and told The Verge last year that she’s viewed Clearview AI searches of herself — conducted by the company’s co-founder — and said it was much more extensive than PimEyes and surfaced 160 photos of her “from professional headshots that I knew about to photos I didn’t realize were online.”
In 2011, then-Google executive chairman Eric Schmidt said that facial recognition is the only technology his company had built and decided to stop for ethical reasons. “I’m very concerned personally about the union of mobile tracking and face recognition,” he said, noting that dictators could weaponize it against their own people.
There are positive uses: Prosecutors could use facial recognition to destroy an alibi, or police could use it to find a missing person and their kidnapper. Journalists can find out who was on the scene of key events and track down leads, or quickly put names to faces in the field. But it’s easy to see Schmidt’s fears come to life with an expansive surveillance state that’s always watching.
While there aren’t currently facial recognition laws on the books federally in the US, there are biometric privacy laws in Illinois, Texas, and Washington, which may limit the ways people’s faces can be used online.
Democratic Senators asked the Justice Department earlier this year to look at whether police departments are using facial recognition in a way that curtails civil rights. And the Federal Trade Commission even banned Rite Aid from using facial recognition for five years after it repeatedly and falsely identified women and people of color as shoplifters.
Xiaomeng Lu, director of Eurasia Group’s geo-technology practice, said there are clear benefits for facial recognition technology, such as face-scanning at airports to verify the identities of passengers. But she said that “misuse of such tools can violate [individual] privacy,” and pointed to regulations such as the European Union’s data privacy law, the GDPR, which treats biometric data used to identify a person as a sensitive category. Ground rules in the US would help address the risks of the technology, Lu added.
The rise of facial recognition technology is quite possibly a step too far in the artificial intelligence boom, something that will make citizens, advocates, and some regulators shudder at its possibilities for abuse. But it also augurs the end of anonymity — where stepping out into the physical world could create another entry in a large database that seemingly anyone can access for a small sum.
Hard Numbers: Electricity drain, Coal in demand, Ignoring AI, Deal for Palantir, China’s chip fund
9.1: The nonprofit Electric Power Research Institute estimates that data centers will drain up to 9.1% of US electricity by 2030. Last year it was just 4%, but the rise of artificial intelligence has placed newfound demands for easily accessible computing power.
54: The increased energy demands from AI have even slowed US plans to close coal plants. 54 gigawatts of coal-based power generators are expected to be retired by 2030, a number that has fallen 40% from last year’s estimate from S&P Global Commodity Insights.
2: Only 2% of Brits say they use ChatGPT or another AI technology every single day, according to a new survey from Reuters Institute and Oxford University. “Large parts of the public are not particularly interested in generative AI, and 30% of people in the UK say they have not heard of any of the most prominent products, including ChatGPT,” the report’s lead author said.
480 million: Palantir won a $480 million deal with the US Army for a computer vision project. The Peter Thiel-founded company already works extensively with the military and has worked with allied militaries, including Ukraine’s in the war against Russia.
47.5 billion: In the face of stringent US export controls that limit China’s ability to gain access to important semiconductors, the Chinese government announced its third chip fund after similar investments in 2014 and 2019. This fund is a $47.5 billion investment into chip companies, aimed at getting a stronger foothold on the chips necessary for training and running AI models.
Why privacy is priceless
If someone were to get a few pictures off your phone without your permission, what's the big deal, right? Don't be so blasé, says human rights attorney David Haigh, who was prominently targeted with the powerful Pegasus spyware in 2021.
"If someone breaches your private life, that is a gateway to very, very serious breaches of other human rights, like your right to life and right to all sorts of other things," he said. "That's why I think a lot of governments and public sector don't take things as seriously as they should."
Right now, he says, dictators can buy your privacy, "and with it, your life."
Haigh spoke with Eurasia Group Senior Analyst Ali Wyne as part of “Caught in the Digital Crosshairs,” a panel discussion on cybersecurity produced by GZERO in partnership with Microsoft and the CyberPeace Institute.
Watch the full Global Stage conversation: The devastating impact of cyberattacks and how to protect against them
How cyberattacks hurt people in war zones
They may not be bombs or tanks, but hacks and cyberattacks can still make life miserable for people caught in the crosshairs of conflicts. By targeting key infrastructure and humanitarian organizations, warring governments can deny crucial services to civilians on the other side of no-man's-land.
And just like with conventional weapons, there can be collateral damage, said Stéphane Duguin, CEO of the CyberPeace Institute. "We have 53 countries in the world targeted by these attacks across 23 sectors of critical infrastructure or essential services," he said. "At the end of the day, you end up having civilians who cannot benefit from essential services because of what has been escalated into another part of the world."
The perpetrators are often not centrally directed either, and may be located all over the world, complicating enforcement efforts. Hear more of what Duguin told Eurasia Group Senior Analyst Ali Wyne in the panel discussion that capped “Caught in the Digital Crosshairs,” a video series on cybersecurity produced by GZERO in partnership with Microsoft and the CyberPeace Institute.
Watch the full panel discussion: The devastating impact of cyberattacks and how to protect against them
Why snooping in your private life is big business
Kaja Ciglic, senior director of digital diplomacy at Microsoft, said, "cybersecurity is the defining challenge of our time" amid a spike in misinformation campaigns thanks to wars in Ukraine and Gaza, growing interest from governments in building cyberweapons, and plain old profit-motivated thieves.
"We are seeing private sector enterprises that, effectively, are selling services, products that allow their customers to break into, whether it's a personal account, whether it's into an organization's account," she said. "The cyber mercenary market that is also emerging is also a very strong concern for Microsoft."
Learn more about what Microsoft is doing to address the problem in Ciglic's chat with Eurasia Group Senior Analyst Ali Wyne as part of “Caught in the Digital Crosshairs,” a video series on cybersecurity produced by GZERO in partnership with Microsoft and the CyberPeace Institute.
Watch the full conversation: The devastating impact of cyberattacks and how to protect against them
How rogue states use cyberattacks to undermine stability
Cyberattacks are about a lot more than just money these days. Both unscrupulous governments and extremist groups are increasingly using hacking to advance political aims, says Kaja Ciglic, senior director of digital diplomacy at Microsoft.
When the International Committee of the Red Cross or the International Court of Justice experiences cyberattacks, she said, "These are all organizations that are trying to defend peace and stability, they're trying to advocate for all of our human rights." The fact that unscrupulous governments are spending taxpayer money to purchase tools that interrupt their work, she noted, is worth taking a stand against.
Ciglic spoke with Eurasia Group Senior Analyst Ali Wyne in a panel discussion for “Caught in the Digital Crosshairs,” a video series on cybersecurity produced by GZERO in partnership with Microsoft and the CyberPeace Institute.
Watch the full Global Stage conversation: The devastating impact of cyberattacks and how to protect against them
The devastating impact of cyberattacks and how to protect against them
Imagine one day you found out someone had hacked your phone. What would that mean for your life? With the right software, the bad guys might be able to get into your bank account, surveil your messages, or even steal your fingerprints and facial scans.
That's what happened to human rights attorney David Haigh, who became the first-known British victim of the powerful Pegasus spyware in 2021 while trying to help women of Emirati and Jordanian royalty escape alleged abuse. He learned that his phone was under surveillance – so his communications and the information stored on the device were compromised.
Two years on, he still lives in fear for the privacy of his loved ones and clients. "The police have done nothing,” he says. “There's no support from the government. There's no real information.”
Emerging technologies threaten to make the already-bleak cybersecurity environment all the more treacherous, opening new avenues of attack that could cost countries, companies, and individuals dearly without proactive measures.
Eurasia Group Senior Analyst Ali Wyne moderated a discussion on cybersecurity as part of “Caught in the Digital Crosshairs,” a video series on cybersecurity produced by GZERO in partnership with Microsoft and the CyberPeace Institute. The discussion focused on the blurring lines between attacks on governments and the private sector.
Wyne spoke with Kaja Ciglic, senior director of digital diplomacy at Microsoft, who referred to cybersecurity as “the defining challenge of our times.” The wars in Ukraine and Gaza have coincided with spikes in both cyberattacks and misinformation campaigns, which Ciglic called “harrowing examples of what can happen and how people can use technology to manipulate others into actions.”
Even in peacetime, states are investing in capabilities that can target critical infrastructure, schools, and hospitals, preparing for a new dimension of conflict. Meanwhile, criminal hackers are exploiting lagging private-sector preparedness to grow and evolve.
Hacking is big business, with companies specializing in helping clients break into accounts. While these attacks are usually about financial gain, says Stéphane Duguin, CEO of the CyberPeace Institute, his organization has seen a marked shift over the past two years. Since the Russian invasion of Ukraine, the institute has tracked a marked increase in attacks on humanitarian organizations, even those that have little to do with the conflict.
“At the end of the day, you end up having civilians who cannot benefit from essential services because of what has been escalated into another part of the world,” he said.
The attacks impact organizations more profoundly than one might think. Bonnie Leff, senior vice president of corporate security at Mastercard, said that when one suffers a cyberattack, “the impact to an NGO can really almost shut it down.” It leaves organizations unable to pay staff or run programs and can damage their reputation with donors, leaving them worse off in the long term.
Podcast: Cyber mercenaries and the global surveillance-for-hire market
Listen: The use of mercenaries is nothing new in kinetic warfare, but they are becoming a growing threat in cyberspace as well. The weapon of choice for cyber mercenaries is malicious spyware that undermines otherwise benign technologies and can be sold for profit. Luckily, awareness about this threat is also growing, and increasing global coordination efforts are being put forth to combat this dangerous trend.
In episode 2, season 2 of Patching the System, we're focusing on the international system of bringing peace and security online. In this episode, we look at what governments and private enterprises are doing to combat the growth of the cyber mercenary industry.
Our participants are:
- Eric Wenger, Senior Director for Technology Policy at Cisco
- Stéphane Duguin, CEO of the CyberPeace Institute
- Ali Wyne, Eurasia Group Senior Analyst (moderator)
GZERO’s special podcast series “Patching the System,” produced in partnership with Microsoft as part of the award-winning Global Stage series, highlights the work of the Cybersecurity Tech Accord, a public commitment from over 150 global technology companies dedicated to creating a safer cyber world for all of us.
TRANSCRIPT: Cyber mercenaries and the global surveillance-for-hire market
Disclosure: The opinions expressed by Eurasia Group analysts in this podcast episode are their own, and may differ from those of Microsoft and its affiliates.
Eric Wenger: There's no phishing or fooling of the user into installing something on their device. This technology is so powerful that it can overcome the defenses on a device. So this is a tool that is on the level of sophistication with a military grade weapon and needs to be treated that way.
Stéphane Duguin: What we're facing is a multifaceted threat with a loose network of individuals, financiers, and companies which are playing a link in between states when it comes to the deployment of these surveillance capabilities. So if you want to curb this kind of threat, you need to act as a network.
Ali Wyne: In the ongoing war in Ukraine, both sides have employed mercenaries to supplement and fortify their own armies. Now, guns for hire are nothing new in kinetic warfare, but in cyberspace, mercenaries exist as well to augment government capabilities and their weapon of choice is malicious spyware that undermines peaceful technology, and which can be sold for profit. Today we'll enter the world of cyber mercenaries and the work that's being done to stop them.
Welcome to Patching The System, a special podcast from the Global Stage series, a partnership between GZERO Media and Microsoft. I'm Ali Wyne, a senior analyst at Eurasia Group. Throughout this series, we're highlighting the work of the Cybersecurity Tech Accord, a public commitment from over 150 global technology companies dedicated to creating a safer cyber world for all of us. In this episode, we're looking at the latest in cyber mercenaries and what's being done to stop them. Last season we spoke to David Agranovich, director of Global Threat Disruption at Meta, about what exactly it is that cyber mercenaries do.
David Agranovich: These are private companies who are offering surveillance capabilities, which once were essentially the exclusive remit of nation state intelligence services, to any paying client. The global surveillance for hire industry, for example, targets people across the internet to collect intelligence, to try and manipulate them into revealing information about themselves and ultimately to try and compromise their devices, their accounts, steal their data.
Ali Wyne: And since then, awareness has grown and efforts to fight these groups have been fast tracked. In March of this year, the Tech Accord announced a set of principles specifically designed to curb the growth of the cyber mercenary market, which some estimate to be more than $12 billion globally. That same month, the White House issued an executive order to prohibit the U.S. government from using commercial spyware that could put national security at risk, an important piece of this cyber mercenary ecosystem.
On the other side of the Atlantic, a European Parliament committee finalized a report on the use of spyware on the continent and made recommendations for regulating it. And most recently, bipartisan legislation was introduced in the United States to prohibit assistance to foreign governments that use commercial spyware to target American citizens.
Are all of these coordinated efforts enough to stop the growth of this industry? Today I'm joined by Eric Wenger, senior Director for Technology Policy at Cisco, and Stéphane Duguin, CEO of the CyberPeace Institute. Welcome to you both.
Eric Wenger: Thank you.
Stéphane Duguin: Thank you.
Ali Wyne: Now, I mentioned this point briefly in the introduction, but I'd love to hear more from both of you about specific examples of what it is that cyber mercenaries are doing. What characterizes their work, especially from the latest threats that you've seen?
Stéphane Duguin: It's important maybe to start with a bit of definition of what we are talking about when we talk about cyber mercenaries. So interestingly, there is the official definition and what we all mean. Official definition - you can find this in the report to the General Assembly of the United Nations, where it's really linked to private actors that can be engaged by states and non-state actors. It's really about the states taking action to engage someone, to contract someone in order to look into cyber operations in the context of an armed conflict.
I would argue that for this conversation, we need to look at the concept of cyber mercenaries wider and look at this as a network of individuals, of companies, of financial tools, of specific interests that, at the end of the day, ensure global insecurity. Because all of this is about private sector entities providing their expertise, their time, their tools to governments to conduct, clearly at scale, an illegal, unethical surveillance. And to do this, investment - money - needs to pour into a market, because it's a market which finances what? Global insecurity.
Eric Wenger: I would add that there's another layer to this problem that needs to be put into context, and that is, Stéphane correctly noted, that these are private sector entities and that their customers are governments that are engaged in some sort of activity that is couched in terms of protecting safety or national security. But the companies themselves are selling technology that is regulated and therefore is being licensed from a government as well too. I think that's really the fascinating dynamic here is that you have a private sector intermediary that is essentially involved in a transaction that is from one government to another government with that private sector actor in the middle being the creator of the technology, but it is subject to a license by one government for a sale to another government.
Ali Wyne: This market is obviously growing quickly, and I mentioned in my introductory remarks that $12 billion global figure, so obviously there's a lot of demand. From what you've seen, who are the customers and what's driving the growth of this industry?
Eric Wenger: Well, the concerning part of the story is that there have been a number of high profile incidents that have indicated these technologies are being used not just to protect against attacks on a nation, but in order to benefit the stability of a regime. And in that context, what you see are journalists being the subject of the use of these technologies or dissidents, human rights activists. And that's the part that really strikes me as being quite disturbing. And it is frankly the hardest part of this problem to get at because as I noted before, if you have these private sector actors that are essentially acting as intermediaries between governments, then it's hard to have a lot of visibility from the outside of this market into what are the justifications that are enabling sales. Who is this technology going to? How is it being used and how is it potentially being checked in order to address the human rights concerns that I've flagged here?
Ali Wyne: Stéphane, let me come back to you. So you used to work in law enforcement and given your law enforcement background, one question that one might ask is why shouldn't governments be taking advantage of cyber mercenaries if they are making tools that help to, for example, track down terrorists or otherwise fight crime and improve national defense? Why shouldn't governments be taking advantage of them?
Stéphane Duguin: Something that is quite magical about law enforcement, it's about enforcing the law. And in this case, there's clear infringement all over the place. Let's look into the use cases that we know about. So when it comes to law, what kind of judicial activities have been undertaken after the use, sale or export of these kinds of tools? So there's this company, Amesys, which is now sued for complicity in acts of torture, over sales of surveillance technologies to Libya. You have these cases of dissidents who have been arrested in Egypt in the context of the acquisition of the Predator tool. More recently we've seen what happened in Greece with this investigation around the surveillance of critics and opponents. And you can add example upon example. This has nothing to do with law enforcement.
So my experience in law enforcement is that you have a case, when you have a case, you have an oversight, a judicial oversight. I was lucky to work in law enforcement in Europe, so a democratic construct that goes under the oversight of parliament. Where is this construct where a private sector entity has free rein to research and develop, increase, export, exactly as was said before, in between state, a technology, which by the way is creating expertise within that same company for people that are going to sell this expertise left and right. Where is the oversight? And where are the rules that would put this into a normal law enforcement system?
And just to finish on this, I worked on investigating terrorist groups and cyber gangs most of my career, and we can do cases, we can do very, very, very good cases. I would not admittedly say that the problem is about putting everyone under surveillance. The problem is more about investing resources in law enforcement and in the judicial system to make sure that when there's a case, there's accountability and redress and repair for victims. And these do not need surveillance at scale.
Ali Wyne: Eric, Let me come back to you. So, I want to give folks who are listening, I want to give them a little bit of a sense of the size of the problem and to help put the size of the problem in perspective. So when we talk about cyber mercenaries, just how big is the threat from them and the organizations for which they work? And is that threat, is it just an annoyance or is it a real cause for concern? And who's most affected by the actions that they take?
Eric Wenger: We could talk about the size of the market and who is impacted by it. That's certainly part of the equation in trying to size the threat. But we also have to have a baseline understanding of what the technology is that we're talking about in order for people to appreciate why there's so much concern. And we're talking about exploits that can be sent from the deployer of the technology to a mobile device that's used by an individual or an organization without any action being taken by the user. There's nothing you have to click, there's nothing you have to accept. There's no phishing or fooling of the user into installing something on their device. This technology is so powerful that it can overcome the defenses on a device. And then that device is then completely compromised so that cameras can be turned on, files stored on the device can be accessed, microphones can be activated.
So this is a tool that is on the level of sophistication with a military grade weapon and needs to be treated that way. So the concern is the cutout of a private sector entity in between the government, and these are typically democratic governments that are licensing these technologies to other governments that wouldn't have the capabilities to develop these technologies on their own. And then once in their hands, it's difficult if not impossible, to make sure that they are used only within the bounds of whatever the original justification for it was.
So in theory you would say, let's say there was some concern about a terrorist operation that justified the access to this technology, which in that government's hands can be repurposed for other things that might be a temptation, which would include protecting of the stability of the regime by going after those who are critics or dissidents or journalists that are writing things that they view as being unhelpful to their ability to govern. And so those lines are very difficult to maintain with a technology that is so powerful that is in the hands of a government without the type of oversight that Stéphane was referencing before.
Ali Wyne: So Stéphane, let me come back to you. And just building off of the answer, Eric just gave, what groups and individuals are most at risk from this growing cyber mercenary market?
Stéphane Duguin: History showed that who has been targeted by the deployment of these tools and the activities of the cyber mercenaries are political opponents and journalists, human rights defenders, lawyers, government officials, pro-democracy activists, opposition members, human rights defenders and so on. So we are quite far from terrorists or organized crime, art criminals and the like.
And interestingly, it's not only that this profile of who is targeted gives a lot of information about the whole ethics and values that are underlying in this market ecosystem. But also what is concerning is that we know about this not from law enforcement or from public sector entities which would investigate the misuse of these technologies and blow the whistle. We know about this thanks to the amazing work of a few organizations over the past decade, like the Citizen Lab, Amnesty Tech, who could track and demonstrate the usage, for example, of FinFisher against pro-democracy activists in 2012, opposition members in 2013, FinSpy afterwards, then it moved to Pegasus, from the firm NSO.
Now we just have the whole explanation of what happened with the Predator. It's quite concerning that these activities that are at the core of abuse of human rights and of the most essential privacy are not only happening in the shadow, as Eric was mentioning before, with a total asymmetry between the almost military-grade tools that are put in place and the little capacity for the target to defend themselves. And this is uncovered not by the people we entrust with our public services and enforcement of our rights, but by investigative groups, civil society, which are almost for a living now doing global investigation against the misuse of offensive cyber capabilities.
Ali Wyne: Your organization, the CyberPeace Institute, what is the CyberPeace Institute doing to combat these actors? And more broadly, what is the role of civil society in working to address this growing challenge of cyber mercenary actors?
Stéphane Duguin: What we're facing is a multifaceted threat with a loose network of individuals, financiers, and companies which are playing a link in between states when it comes to the deployment of these surveillance capabilities. So if you want to curb this kind of threat, you need to act as a network. So the role of the CyberPeace Institute, among other civil society organizations, is to put all together the capable and the willing so that we can look at the whole range of issues we're facing.
One part of it is the research and development and deployment of these tools. The second part is the detection of their usage. Another part is looking into the policy landscape and informed policymaking and demonstrating that some policies have been violated, such as export controls when it comes to the management of these tools. Another part of the work is about measuring the human harm of what these tools are leading to.
So we, for example, at the CyberPeace Institute cooperated with the development of the Digital Violence Platform, which is showing the human impacts, for example, the usage of Pegasus on individual. We also are in the lead in one of the working groups of the Paris Peace Forum. We need to bring a multi-stakeholder community in a maturity level to understand exactly what this threat is costing to society and what kind of action we could take all together.
And we notably last year in the World Economic Forum, joined forces with Access Now, the official high commissioner for human rights, Human Rights Watch, Amnesty International and the International Trade Union Confederation and Consumer International, to call for a moratorium on the usage of these tools until we have the certainty that they are researched, deployed, exported, used with the proper oversight because otherwise the check and balance cannot work.
Ali Wyne: And you just mentioned Pegasus spyware, and that kind of software has been getting more and more attention, including from policymakers. So Eric, let me come back to you now. What kinds of actions are governments taking to curb this market?
Eric Wenger: So as I noted before, this is an interesting combination of technology, of the private sector entities that are creating the technology, of the regulators in the governments where those companies are located who control the sale of the technology, and then of the technology consumers who are, again, as Stéphane noted, other governments. And so it's this interesting blend of private and public sector actors that's going to require some sort of coordinated approach that runs across both. And I think you're seeing action in both of those spheres. In terms of private sector companies, Cisco, my employer, joined together with a number of other companies in filing a friend-of-the-court, or amicus, brief in litigation that had been brought by what was then Facebook, now Meta, against a company that was deploying technology that had hacked into their WhatsApp software. And in that case we joined together with a number of other companies, I believe it was Microsoft and Dell and Apple and others, who joined together in filing a brief in that case.
We of course come together under the umbrella of the Tech Accord, and we can talk about the principles that we developed among the companies. I think there are 150 companies that ultimately joined in signing that document, in agreement that we have concerns and that there are things we want to do in a concerted way to try to get at this market so that it doesn't cause the kinds of impacts that Stéphane talked about before.
Again, there's clearly a strong government-to-government piece of this that needs to be taken on. And then Stéphane also noted the Paris Peace Forum, and that this topic of how to deal with spyware and cyber mercenaries is going to be on the agenda there, which again is important because this is a government-led forum, but it's one where you also see private sector and civil society entities actively engaged. Stéphane also mentioned the important work that's being done by Citizen Lab. And then we have threat intelligence researchers at Cisco that operate under the brand of Talos.
These are some of the most effective threat intelligence researchers in the world, and they're really interested in this problem as well, and are starting to work with people who suspect that their devices may have been compromised in this way, to take a look at them and to help them.
And then the companies that make the cell phones and operating systems, Google and Apple for instance, have been doing important work on detecting these kinds of changes to the devices and then providing notice to those whose devices may have been impacted in these ways, so that they are aware and are able to try to take further defensive measures. It's really quite an active space, and as we've discussed here several times, it's one that will only be really effectively taken on through a concerted effort that runs across the government and private sector space, and again, also with civil society.
Ali Wyne: Talk to us a little bit about what technology companies can do to shut down this market?
Eric Wenger: Yeah, it was natural that this would grow out of the Tech Accord, which itself was a commitment by companies to protect their customers against attacks coming from the government space that misuse technology. There was a recognition among our companies that, yes, some of this is clearly most effectively addressed at that government-to-government level, with awareness being created by civil society. But this is also a problem that relates to the creation of technology, and the companies that are engaged in these business models are procuring and using technology that could be coming from companies that find this business model to be highly problematic.
And so that's essentially what we did: we sat down as a group and started to talk about what part of the problem technology, and access to technology, potentially contributes that we have some ability to make a difference on, and then agreed amongst ourselves on the steps that we might be able to take to limit the proliferation of this technology, the market, and the companies that are engaging in this type of business. And then that, coming together with the work that's being done at the government-to-government level, hopefully will make a significant dent in the size of this market.
Ali Wyne: Stéphane, let me come back to you as promised. Whether it's governments, whether it's technology companies, what kinds of actions can these actors take to shut down this cyber mercenary market?
Stéphane Duguin: Eric listed a lot of what is happening in this space, and it's very exhaustive, and it tells you how complex the answer is. We try to put this into a framework: what is expected from states is regulation first. So regulation meaning not only having the regulation but implementing the regulation. And under the word regulation, I would even put the norms discussion, where there are non-binding norms that have been agreed between states, and some of them could be leveraged and operationalized in order to prevent such a proliferation, because that's what we're talking about.
Another type of regulation that could be implemented much better is export control. For example, in the European Union, we at the CyberPeace Institute were discussing this in the context of the PEGA Committee, the work of the EU Parliament looking into the lawful and ethical use of these kinds of tools.
But also when we had this multi-stakeholder approach at the EU Cyber Agora to discuss the problem, clearly export control needs to be put at another level of operationalization. So, regulation. Then regulation needs to mean the capacity to litigate: to give the space and the means to the part of your apparatus that is in the business of litigation.
So today, what do we have? For example, executives from Amesys and Nexa Technologies who were indicted for complicity in torture, and the NSO Group, which is facing multiple lawsuits, mostly by civil society and corporate plaintiffs, in various countries. But that's clearly not enough.
So this should be coming not only from civil society, journalists, and plaintiffs; we should also see some investigative capacity from states, meaning law enforcement, looking into this kind of misuse. The other part is attribution, meaning public attribution of what is happening: who are the actors, what are these companies, how are these networks working?
So we can see over time how the regulation and the litigation are having an impact on the ecosystem. Otherwise, it's like emptying the ocean with a spoon. So I guess you know the great work done by the community, we mentioned it before: Citizen Lab, Amnesty Tech, Access Now, and the work of tons of other organizations, I don't want to forget anyone. It is not going to scale to the needed level if policymakers do not do their job, which is what policymaking is in the criminal context: reducing the space that you give to criminals. And today, in this context of cyber mercenaries, the space is way too big. So I would say that regulation, litigation, and public attribution are kind of a roadmap for governments.
Ali Wyne: Eric, let me come back to you. You already mentioned in one of your earlier answers these principles that the Tech Accord came out with recently, just a few months ago in fact, to oppose the cyber mercenary industry. Talk to us a little bit more about what exactly those principles entail and what their intended impact is.
Eric Wenger: Sure. Stéphane also makes an important point around the context of what governments can do: things like putting companies that are of concern on the Entity List to restrict their ability to license technology that they might need in order to build the tools that they are selling. But coming back to where companies like those who joined the Tech Accord can make a difference. I noted that these principles build on the Cybersecurity Tech Accord's founding commitments, which are about building strong defense into our products, not enabling offensive use of our technologies, capacity building, in other words helping governments' ability to do the work that they need to protect their citizens, and working together across these different domains with the private sector, civil society, and governments. These particular principles are aimed at this specific problem. And the idea is that we will collectively try to work together to take steps countering the use of the products that will harm people, and we can identify ways that we can actively counter the market.
One of the ways that we mentioned before is participation in litigation, where that's the appropriate step. We're also investing in cybersecurity awareness for customers so that they have more understanding of this problem. There are tools being built by the companies that develop the operating systems on mobile devices: if you're in a highly vulnerable group, like a journalist or a human rights dissident or a lawyer working in an oppressive legal environment, there are more defensive modes that some of these phones now enable. And then, as an example of our companies working together and on our own to protect customers and users, we're working to build up the security capabilities of our devices and products.
And then finally, Stéphane mentioned his role in law enforcement before, and I also was a computer crime prosecutor at the Department of Justice. It's really important for those who are conducting legitimate, lawful investigations to have a clear understanding of the processes that companies use to handle valid legal requests for information. So we built that into this set of principles as well: where there are legal and lawful pathways to get information from a company, such as lawful intercept, compulsory access tools and things like that, we are committed to being transparent about how we operate in those spaces and to clearly communicating our processes for handling those kinds of demands from governments.
Ali Wyne: Final question for both of you. What is the single most important step that societies can take to stop the work of cyber mercenaries?
Stéphane Duguin: Eric opened it very, very well, in the sense of what we see as the ambition and the partnership, the activities deployed both by civil society and by corporations, the Tech Accord being an excellent example, in order to curb these threats. And interestingly, maybe it also came from the fact that there was not so much push on the government side to do something at scale against that threat. So clearly today, those who represent society and the needs of society in this context, who are pushing the ball, are civil society, corporations, and academia. And I would say governments are now starting to get the size of the problem. Something Eric mentioned that I would like to build on, because it's about society and the values that we believe in as a society: there is a need for law enforcement, and a lot of law enforcement and the judiciary want to work in a lawful way. That's the vast majority, at least among the law enforcement that I can relate to when it comes to Europe, where I worked.
In this context, it's quite important that the framework is clear, the capacities are there, and the resources are there, so that it doesn't give so much space for these cyber mercenaries to impose themselves as the go-to platform, the place where a solution can be engineered because there's nothing else out there. Something else: a society has to make a choice. Do we want to have such a market proliferating without, today, any checks and balances or any oversight, just like the Wild West of surveillance? Or do we say stop, at minimum with a moratorium, and put in place some clear oversight processes, looking into what makes sense and what we can accept as a society before letting this go? And the last thing is to invest as best we can in the regulation that we have and that we're going to have. This regulation, for example, which is now under negotiation in the EU, like the AI Act or the Cyber Resilience Act or the Cyber Solidarity Act, it would not take much to have this regulation also look not only into what makes systems insecure, but also into who is trying to make systems insecure.
Ali Wyne: Eric, let me come to you to close us out and put the same question to you. What is the single most important step that societies can take to stop the work of cyber mercenaries?
Eric Wenger: Well, I'd love to say it was one thing, but it really is going to be a combination of things that come together as one, maybe. And that's really going to involve this dynamic where the governments that are regulating access to the market for this technology work together. It may not be reasonable to expect that the governments that want to consume this technology will come to the table, but certainly the governments that have control over the markets where the technology is being developed can. And so, as Stéphane mentioned, the United States government, the French government, and the UK government have really all been out in front on this.
Those governments and others that share the concerns coming together with the experts in the threat intelligence space, in academia, in civil society, and in companies. And then companies that supply technologies that are critical, foundational elements of the ability of the companies developing these tools to engage in the market also have an important role to play. And I think that's what we're bringing to the equation for the first time.
So it's this combination of actors coming together, recognizing that it's a problem, and agreeing that there's something that we all need to do together in order to take this on. It's really the only way that we can be effective at addressing the concerns that we've been discussing here today.
Ali Wyne: Eric Wenger, Senior Director for Technology Policy at Cisco. Stéphane Duguin, CEO of the CyberPeace Institute. Thank you both so much for speaking with me today.
Eric Wenger: Thank you for having us.
Ali Wyne: And that's it for this episode of Patching the System. There are more to come. So follow Ian Bremmer's GZERO World feed anywhere you get your podcasts to hear the rest of this new season. I'm Ali Wyne. Thank you very much for listening.