The Cybersecurity Tech Accord (CTA) – a coalition of more than 150 private sector cybersecurity companies – has released a set of principles to guide the technology industry forward in curbing “cyber mercenaries.”
The market for cyber mercenaries – companies that develop and sell offensive cyber capabilities and services – has exploded in recent years and is estimated to be worth more than $12 billion worldwide, CTA said.
“We hope these principles will help set a standard for responsible industry practice, as well as support a broader discussion and call to action across stakeholder groups. While there is much industry can and should do to address this challenge, ultimately it is governments that will have to play the lead role in severely limiting – or outright banning – the use of cyber mercenaries,” according to the statement released by CTA.
The group’s five principles – which build on CTA’s founding commitments – are:
- Take steps to counter cyber mercenaries’ use of products and services to harm people;
- Identify ways to actively counter the cyber mercenary market;
- Invest in cybersecurity awareness of customers, users, and the general public;
- Protect customers and users by maintaining the integrity and security of products and services; and
- Develop processes for handling valid legal requests for information.
“The surveillance-for-hire industry targets people across the internet, which is why no single company can tackle this issue alone. We need a concerted response by democratic governments, as well as continued action by industry and focus from civil society,” said David Agranovich, director for threat disruption at Meta.
CTA attributed the growth of cyber mercenaries in large part to governments seeking to gain easy access to sophisticated tools and services for a wide range of malicious purposes in a new domain of conflict. The group said those include operations that involve the “cultivation and proliferation of ‘zero-day’ exploits and malicious software,” which ultimately undermine technology security and have been widely used “to violate human rights and democratic principles online.”
The Carnegie Endowment for International Peace, in an earlier report, identified at least 74 governments that have contracted cyber mercenaries to gain spyware and digital forensics technology. And in an internal review, Meta – a member organization of CTA – identified thousands of individuals across 100 countries who have been targeted by cyber mercenaries.
“It’s more than a little concerning to see the unabating rise of companies providing digital weapons for hire. There is no reason that this kind of business model should be tolerated, given all the risks it poses,” said Tom Burt, CVP for customer security and trust at Microsoft.
The CTA report also explains that cyber mercenaries have been employed disproportionately by autocratic regimes and frequently used to target journalists, human rights activists, political dissidents, and other entities engaged in free expression online.
Leveraging cyber mercenaries may also appeal to some responsible governments, yet CTA warns that the market’s unmitigated expansion “threatens to severely destabilize the broader online environment,” inevitably proliferating sophisticated capabilities and proving “incompatible with democratic values online.”
The technology industry builds and maintains the majority of “cyberspace,” and so industry has a “responsibility to limit the harm caused by cyber mercenaries,” CTA said.