Spyware, hackers for hire and access to other cyber capabilities such as hacking-as-a-service kits are expected to be in growing demand globally, the UK’s National Cyber Security Centre (NCSC) warned in a new assessment published on April 19, 2023, during the CYBERUK conference in Belfast.
The report shows that these hacking tools and services have been used in over 80 countries so far, with thousands of people targeted every year.
“Some states almost certainly have irresponsibly used this to target journalists, human rights activists, political dissidents and opponents and foreign government officials,” the report adds.
Another worrying finding is that these tools and services are more sophisticated than ever before and “are now at a stage to rival the equivalent capabilities of some state-linked Advanced Persistent Threat (APT) groups,” the NCSC estimates.
While they are already lowering the barrier to entry for state and non-state actors, the significant financial rewards they allow may incentivize state employees or contractors to become hackers for hire, thus posing a potential corporate espionage threat to organizations or individuals across all sectors.
For this reason, the NCSC predicts that hacking tools and services “will almost certainly expand in the next five years [and] that commercial capability development is likely to diversify to meet demand, leading to more victims of cyber-attacks in a wide range of industries and a more unpredictable threat landscape.”
Reaching Consensus on Responsible Behavior
Jonathon Ellison, NCSC director of resilience and future tech, insisted on, not only the proliferation of these tools but their sophistication and diversification.
“Our new assessment highlights that the threat will not only become greater but also less predictable as more hackers for hire are tasked with going after a wider range of targets and off-the-shelf products and exploits lower the barrier to entry for all. To maintain safety in cyberspace, it is crucial these capabilities are managed with a responsible, proportionate and legally sound approach, and working with international partners, the UK is determined to address this rising challenge,” he said in a public statement.
This report, which was at the center of a CYBERUK panel session titled, ‘How do we want the cyber proliferation race to end?’, also echoed the Chancellor of the Duchy of Lancaster, Oliver Dowden’s words in his CYBERUK introduction speech, where he specifically mentioned the Israeli company NSO Group’s solution Pegasus.
Dowden said Pegasus is “one of these sophisticated cyber tools and spyware, which can cause serious damage to our digital world, a threat that the UK takes very seriously and to which we are responding with our international partners.”
He was referring to a joint statement published in March 2023 by the UK and 10 other nation stars on their efforts to ‘counter the proliferation and misuse of commercial spyware.’
Ellison provided more context on this joint effort during CYBERUK: “Some nation states’ responses to this growing threat might come down to export controls, but this is certainly not a silver bullet. So, we’re working with our partners to build a global consensus on what we define as responsible behavior’ when it comes to the use of spyware,” he said.
However, Ellison and other NCSC representatives admitted that this joint statement was only the beginning and that “there is still quite a lot of work to be done to provide a joint comprehensive response.”