To Sell or Not to Sell? Where Should Vendors Draw the Line?

Cybersecurity is big business, but in the wrong hands, some tools can undermine national security and human rights. Phil Muncaster investigates

In October last year, Facebook announced a bold move. It launched legal proceedings against a notorious Israeli ‘cyber-intelligence’ vendor, alleging it had helped to develop and then deploy malware later used to spy on innocent civilians in the Middle East and elsewhere. The case is an extreme example of what happens when ostensibly legitimate security tools are used and then abused. For countless western cybersecurity vendors, this is a growing area of business risk. So in our globalized economy, how best can these firms balance their commercial interests with ethical and legal considerations?

Even when the will is there to do the right thing, it can be a complex undertaking. However, the growing reputational and financial risks of not doing due diligence on exports make this particular compliance task non-negotiable.

When Good Security Turns Bad
Cybersecurity is big business. The market for related hardware, software and services was forecast to top $106bn by the end of 2019, an 11% jump from 2018, and reach $151bn by 2023, according to IDC. As digital transformation sweeps the globe and cyber-threats escalate, Western security vendors quite rightly want to take advantage of soaring demand to protect IT systems in order to grow their profits. In fact, their governments encourage them to do so in order to drive economic growth for their respective countries.

Yet there is growing anxiety over the use of legitimate security products by authoritarian regimes and organizations operating in these countries. Surveillance technology is where most attention has focused up until now, but a range of cybersecurity tech can, in fact, be used with malign intent.
Deep Packet Inspection (DPI), for example, is legitimately used to determine whether content contains malware. It is used in intrusion prevention/detection (IPS/IDS) tools for this reason, and by network managers to prioritize mission-critical traffic. It can even help ISPs block DDoS attacks. However, the same technology can also be used to monitor legitimate internet traffic which poses no cybersecurity threat, helping authoritarian regimes eavesdrop on journalists, rights activists, opposition politicians and others.

UK trade association techUK lists this, and many other security-related technologies that could also be abused, in its detailed 2019 document Examining Cyber Security Export Risks. Big Data analytics, social media analysis tools and forensics solutions could also be used to harvest data on specifically targeted individuals. Even identity and authentication platforms could be abused to monitor targets’ movements, it warns.

Yet another example is content and URL/IP address filtering tools, used to support safer browsing among users. These could also be abused to restrict the free flow of information online. Canadian company Netsweeper has been called out in the past after its technology was used in just such a context, by ISPs in Afghanistan, Bahrain, India, Kuwait, Pakistan, Qatar, Somalia, Sudan, UAE and Yemen.

Pushing the Boundaries
While many cybersecurity vendors will be aiming to keep their tools out of the hands of such regimes, there are some that seem to actively court notoriety by selling products and services which could be easily abused.
These include the UK/German company Gamma International and the aforementioned NSO Group. The former developed infamous spyware known as FinFisher, which the OECD alleged it sold to the Bahrain government, where it was used to monitor human rights activists there. NSO Group develops exploits and spyware, dubbed Pegasus, which it has been claimed was used in a similar manner to target over 100 individuals around the world. 

Both firms, and many others, argue that they provide such capabilities to legitimate law enforcers and intelligence agencies and that they don’t sell to repressive regimes. However, the stats tell a slightly different story. According to written evidence to parliament by Privacy International, of the 275 license applications for surveillance tech approved by the UK government between 2015 and 2018, only a fifth (21%) of the destination countries were considered ‘free’ by Freedom House.

The rights group’s state surveillance program lead, Edin Omanovic, believes that gaps in the UK’s export regulations give too many vendors the opportunity to cross an ethical line.

“While the current controls designed to mitigate human rights risks associated with surveillance tech are weak and ineffective, no such controls exist for cybersecurity exports. This is a clear limitation of the current regulations which leaves people across the world vulnerable to surveillance and censorship,” he tells Infosecurity. “While companies have due diligence obligations which indeed many take seriously, the idea that non-binding and unenforced risk assessments will stop every company from profiting from authoritarians around the world is clearly naive.”

Do Governments Care?
In fact, the whole idea that government ‘export controls’ are there to restrict exports is a false assumption, according to Luta Security CEO, Katie Moussouris, who is helping the US government negotiate the global control regime known as the Wassenaar Arrangement. She argues that companies like NSO Group, Hacking Team and Gamma International were all given licenses by their respective governments.

“The reason is that export controls are not really there to restrict the export of items. They’re there so governments can keep track of who is making what and whom they are selling it to,” she tells Infosecurity.

“They’re still trying to work out how to conduct cyber-warfare fairly, and part of this is inspecting the weapons being used in this emerging class of warfare. The law of the sea took 100 years to develop, and we’re only at the very beginning of this.”

If this is true, then it places an even greater responsibility on the security vendors themselves to ensure that any decisions about who to sell to don’t backfire. 

Dan Patefield, program manager at techUK, argues that complexity is a key challenge, and that smaller vendors especially need more help to navigate the landscape.

“There is a wide array of cyber-capabilities, ranging from cutting-edge defense capabilities to basic cyber-hygiene for citizens. The hardest challenges to navigate are questions around ‘dual-use’ technologies, which can be sold for one purpose but then used for another, more nefarious task,” he tells Infosecurity. “TechUK believes that the current frameworks for export controls relating to cybersecurity represent a sensible but complex approach which can be lengthy and difficult for companies, particularly SMEs, to navigate.”

Adding to the complexity is the potential risk to corporate security, according to Amanda Finch, CEO of the Chartered Institute of Information Security (CIISec).

“If a vendor – especially a small vendor that relies on its IP to differentiate itself – has an opportunity to sell to a country or company that is notorious for stealing IP, they are likely to think twice,” she says. “Also, there is potential access to source code. When selling its products, a vendor needs to consider all of its customers. A vendor with multiple government contracts working with a potentially opposed nation could be opening up its customers’ most sensitive networks to their competitors.”

The Importance of Due Diligence
The bottom line is that cybersecurity vendors must manage the risks associated with exporting their products, just as they do other business risks. This means choosing customers carefully: even if a license application is approved by the government, there could still be consequences in lost IP, customer attrition and reputational damage, if they make the wrong decisions. 

“Ultimately, organizations themselves have to make measured, reasonable decisions about the people they deal with and the territories they play in, with the potential result of inaction being a harm to the reputation both of the company and the [country],” says Patefield. “TechUK and the government can only ensure that the right information is out there, in an easily accessible form, but we encourage companies to conduct a comprehensive due diligence process.”

Due diligence matters at every stage, from product development through pre-sales, point of sale and post-sales, according to the tech body. Vendors should first assess whether any trade sanctions, embargoes or export controls apply to the destination country, then conduct a full risk assessment if appropriate. In the UK, they should check with the Export Control Joint Unit (ECJU) if in doubt. In the US, the relevant body is the Commerce Department’s Bureau of Industry and Security, although the State Department also has some resources on this.

Ultimately, every vendor must know its limits, understand where the ethical and business barriers lie, and ensure it doesn’t break them, concludes CIISec’s Finch.

“There are a number of complex commercial, legal, financial, technical and organizational decisions and trade-offs for vendors to make. Regardless of the final decision, they need to make sure they are acting consistently, in full understanding of the risks, and in line with their own values,” she says. “If they have done this, then they will know whether to turn down an opportunity, or to pursue it knowing they are prepared for any potential consequences.”

What’s the Wassenaar Arrangement?
The Wassenaar Arrangement is an international export control regime for conventional arms and dual-use goods and technologies. Countries including the US and UK are members, and implement the decisions taken at this level into their respective export rules. However, controversy surrounding the voluntary arrangement highlights the challenges of multilateral decision making.

Luta Security’s Katie Moussouris fought successfully for changes to the language which would otherwise have impacted legitimate vulnerability research and incident response activity.
A similar fight is now on to exempt pen testing tools and training from these export controls, she tells Infosecurity. If it fails, it could have a chilling effect on efforts to grow the cybersecurity workforce, she argues. 