New industry principles to curb cyber mercenaries

Standing up for democratic values online

Today, the Cybersecurity Tech Accord, with support from other industry players, is proud to release a new set of principles to guide the technology industry to help curb the dangerous and rapidly growing market of “cyber mercenaries”. This term refers to a wide range of companies which now develop and sell offensive cyber capabilities and services, generally to government customers. Their operations involve the cultivation and proliferation of “zero-day” exploits and malicious software that undermines the security of peaceful technology, and which have been widely used to violate human rights and democratic principles online. This activity should no longer be tolerated.

The market for cyber mercenaries has exploded in recent years and been estimated to be worth more than $12 billion worldwide.[1] This growth is driven in large part by governments seeking to gain easy access to sophisticated tools and services for a wide range of malicious purposes in a new domain of conflict. The Carnegie Endowment for International Peace has identified at least 74 governments that have contracted with such firms to specifically gain spyware and digital forensics technology.[2] Meanwhile, Meta has identified tens of thousands of individuals from more than 100 countries around the world that have been targeted by cyber mercenaries.[3] Cyber mercenaries have also been employed disproportionately by autocratic regimes[4] and frequently used to target journalists, human rights activists, political dissidents and others engaged in democratic free expression online.[5]

“It’s more than a little concerning to see the unabating rise of companies providing digital weapons for hire. There is no reason that this kind of business model should be tolerated, given all the risks it poses.”

– Tom Burt, CVP for Customer Security and Trust, Microsoft

While leveraging cyber mercenaries may appeal even to some responsible governments, the unmitigated expansion of this marketplace threatens to severely destabilize the broader online environment by inevitably proliferating sophisticated capabilities[6] and has proven incompatible with democratic values online. To mark the second Summit for Democracy, the companies endorsing these cyber mercenary principles today are committing to take action to protect their users and customers from these actors, and to actively push back on the cyber mercenary market as a whole.

These principles build on the Cybersecurity Tech Accord’s founding commitments to strong defense, no offense, capacity building, and collective action. At a high level, the five principles charge companies to:

Take steps to counter cyber mercenaries’ use of products and services to harm people;
Identify ways to actively counter the cyber mercenary market;
Invest in cybersecurity awareness of customers, users and the general public;
Protect customers and users by maintaining the integrity and security of products and services;
Develop processes for handling valid legal requests for information.

“Trend Micro is proud to have supported the creation of these principles for the world dealing with cyber mercenaries, which pose a significant threat to businesses and governments alike.”

– Ed Cabrera, Chief Cybersecurity Officer, Trend Micro

It is the technology industry that builds and maintains the majority of what we consider “cyberspace” and so, as with other threats, we as an industry have a responsibility to limit the harm caused by cyber mercenaries. With unique capacities and resources, living up to these principles will look different for different companies, but includes things like taking action to identify and disrupt the use of cyber mercenary tools on our respective platforms[7], documenting and reporting on the activity of cyber mercenary groups we observe[8], and supporting legal action against cyber mercenaries[9].

We hope these principles will help set a standard for responsible industry practice, as well as support a broader discussion and call to action across stakeholder groups. While there is much industry can and should do to address this challenge, ultimately it is governments that will have to play the lead role in severely limiting – or outright banning – the use of cyber mercenaries.

“The surveillance-for-hire industry targets people across the internet, which is why no single company can tackle this issue alone. We need a concerted response by democratic governments, as well as continued action by industry and focus from civil society. This is why Meta released policy recommendations for a whole-of-society response late last year.[10]”

– David Agranovich, Director, Threat Disruption, Meta

We encourage democratic governments in particular to do more to limit the use of these groups. It is essential that human rights be incorporated into any decision about using these tools and techniques, especially given the broader implications for the stability of the online environment. Existing instruments, like designations on the United States Entity List[11] and similar Organisation for Economic Co-operation and Development (OECD) member country designations, are an important step in restricting cyber mercenary operations and can be built upon.

Looking ahead, we hope that other countries or regional blocks, such as the European Union, follow a similar approach to restricting this market. Furthermore, governments must implement oversight and address the current lack of accountability for both providers and their clients. The Export Controls and Human Rights Initiative launched by Australia, Denmark, Norway and the United States at the first Summit for Democracy, underscored just how core this growing issue is to the cause of protecting democratic freedoms online, and we hope foreshadows more action to come.[12] The Cybersecurity Tech Accord welcomes any opportunity to provide further support to these efforts.

The full list of companies endorsing the industry principles on cyber mercenaries is available on the complete principles page. If you would like to add your company’s name to the list or learn more about the work of the Cybersecurity Tech Accord please reach out to info@cybertechaccord.org.

[1] A New Age of Warfare: How Internet Mercenaries Do Battle for Authoritarian Governments – The New York Times (nytimes.com)

[2] https://carnegieendowment.org/2023/03/14/why-does-global-spyware-industry-continue-to-thrive-trends-explanations-and-responses-pub-89229

[3] Facebook says 50,000 users were targeted by cyber mercenary firms in 2021 | MIT Technology Review

[4] https://carnegieendowment.org/2023/03/14/why-does-global-spyware-industry-continue-to-thrive-trends-explanations-and-responses-pub-89229

[5] https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/

[6] Maurer, Tim. Cyber Mercenaries: The State, Hackers, and Power.Cambridge University Press. 2018. Pg. 80 (Kindle edition)

[7] https://blogs.microsoft.com/on-the-issues/2022/07/27/private-sector-cyberweapons-psoas-knotweed/

[8] https://newsroom.trendmicro.com/2021-11-10-Trend-Micro-Uncovers-Prolific-Cyber-Mercenary-Group-Void-Balaur

[9] WhatsApp sues Israel’s NSO for allegedly helping spies hack phones around the world | Reuters

[10] Meta-Policy-Recommendations-for-Tackling-the-Surveillance-for-Hire-Industry.pdf (fb.com)

[11] https://www.commerce.gov/news/press-releases/2021/11/commerce-adds-nso-group-and-other-foreign-companies-entity-list

[12] https://www.whitehouse.gov/briefing-room/statements-releases/2021/12/10/joint-statement-on-the-export-controls-and-human-rights-initiative/