The EU and its member states face a human rights and security crisis due to the use of cyber mercenaries, private entities that sell offensive cyber capabilities to governments. The Paris Peace Forum, the Paris Call for Trust and Security in Cyberspace, and a Franco-British initiative are some of the platforms that have proposed concrete actions and guidance for industry, governments and civil society to regulate the cyber mercenary market and prevent the abuse of commercial spyware. Their guidance suggests that governments should develop clear acceptable use guidelines, prevent exports to malicious end-users, require oversight and transparency in procurement practices, mandate vendor verification, blacklist violators, and create guardrails for former government employees who work at cyber mercenary firms. The Cybersecurity Tech Accord, a group of technology companies that includes Microsoft and LinkedIn, announced that it will track the progress of governments in implementing the guidance and LinkedIn revealed how a cyber mercenary, Blue Tsunami, operated on LinkedIn to target victims with access to organizations of interest to their clients.
The European Union (EU) and its Member States are rightly known for their commitment to human rights and are also increasingly seen as a leader in cybersecurity. However, the Union deserves a black mark in one area which requires a careful balance of online privacy and security: cyber mercenaries. These private entities operate in a grey market, often developing and selling offensive cyber capabilities to government customers. The malicious tools and services sold by these firms pose some of the most sophisticated risks threatening the digital ecosystem. They also undermine individual human rights.
Unfortunately, a recent report by the PEGA Committee in the European Parliament revealed that at least 14 EU states have used one such tool: NSO Group’s Pegasus spyware. Some continue, to this day, to use this and other tools and services with similar impacts, without clear oversight. The European Parliament’s report is a welcome step, but it has no power to enforce its recommendations. It is time for the EU and its Member States to stop hiding behind national security excuses and adopt clear rules on the use of cyber mercenaries.
Last week, the Paris Peace Forum brought this issue to the forefront. A working group, of which Microsoft is a member, was established under the Paris Call for Trust and Security in Cyberspace, and issued multistakeholder guidance that proposes concrete actions for industry, governments and civil society. The EU and its Member States, as endorsers of the Paris Call, will hopefully take heed and report on their progress on the guidance at next year’s Paris Peace Forum. In another positive development, the French and British governments – with support from the Carnegie Endowment for International Peace – sought to advance their initiative to tackle the threat from commercial cyber proliferation, which includes addressing the threat from cyber mercenaries. We hope that this initiative will gain momentum and lead to global regulation of this harmful market.
In line with the guidance adopted, we hope that countries will consider adopting measures such as:
- Develop clear acceptable use guidelines: Governments’ use of cyber mercenaries and commercial spyware should be limited to essential use, in accordance with clear guidelines on acceptable use. This use will be carried out in accordance with states’ domestic laws and international obligations and commitments, consistent with democratic values, respect for universal human rights, civil rights and civil liberties and the rule of law, and may incorporate principles such as lawfulness, necessity, proportionality or reasonableness.
- Prevent exports: Governments should prevent the export of software, technology and equipment to end users who are likely to use them for malicious cyber activity – including unauthorised intrusion into information systems – in accordance with the respective legal, regulatory and policy approaches and appropriate existing export control regimes.
- Require oversight: Governments should adopt appropriate domestic oversight mechanisms that help ensure compliance with domestic laws, procedures and policies along with applicable international human rights obligations.
- Adopt transparent procurement practices: Governments should be transparent in their procurement practices, requiring vendor consistency with the UN Guiding Principles on Business and Human Rights; define the safeguards in place to prevent abuse or discriminatory uses; and regularly disclose all contractual relationships with cyber mercenaries, including with respect to the procurement of commercial spyware.
- Mandate vendor verification: Governments should establish and publicise monitoring and verification procedures for ensuring that cyber mercenaries – particularly those who are its nationals, residents or contractors – accord with all applicable domestic and international laws.
- Blacklist violators: Governments should consider eliminating market access for and blacklisting cyber mercenaries who violate international norms and human rights, blocking access to particular markets. This will also aid in efforts to mitigate the proliferation of malicious software, such as commercial spyware.
- Create guardrails for former government employees: Governments should develop necessary guardrails for former government employees – including those who served in the military, the intelligence community, law enforcement or other national security or cybersecurity agencies – who wish to work at cyber mercenary firms, including those selling commercial spyware, following their term in public service. Governments will identify proper mechanisms to reduce risk and increase security, including reporting requirements for such post-service employment, potential restrictions and relevant trainings.
The industry has also advanced our efforts to tackle this threat. The Cybersecurity Tech Accord announced that it will, at the forthcoming Summit for Democracy, begin tracking which governments will adopt policies and regulations that seek to limit the unconscionable use of these tools and services, starting with the states which have endorsed the Paris Call. Moreover, LinkedIn and Microsoft were able to reveal insights into how a cyber mercenary referred to as Blue Tsunami has, over a number of years, operated on LinkedIn and leveraged honeypot profiles, fake jobs and fake companies to engage in sting or HUMINT (human intelligence) operations against victims with access to organisations of interest to their clients.
Without proper guardrails, the continued growth of the cyber mercenary market and irresponsible use of these capabilities will, over time, lead to significant harm and systemic instability in cyberspace. By weaponising peaceful technology, these firms also expose countless others to security threats, destabilising and undermining trust in the broader online environment. We believe that these measures are necessary and feasible to protect the security and human rights of the EU and its citizens, as well as the global digital community. We urge the EU and its Member States to act swiftly and decisively to address the threat from cyber mercenaries.
About the Author
Nikolas Ott is a Senior Manager at Microsoft’s European Government Affairs Team. Previously, he worked in the cybersecurity teams of the OSCE and NATO. He holds an M.A. in Law and Diplomacy from The Fletcher School (Tufts University) and a B.A. in Political Science from the FU Berlin.