images

The continuous evolution of cyber capabilities has proportionally raised the risk of cyber warfare, cybercrimes, cyber surveillance, etc. Advancement in cyber capabilities and their dual nature is perceived by many as a national security threat. ‘Dual nature’ means that cyber technology can be employed for the achievement of legitimate and illegitimate objectives. The role of private cyber industry has especially complicated the cyber security landscape.

A case in point is the Pegasus scandal. In 2019, the Niv, Shalev, and Omri (NSO) Group, a private entity working in the domain of cyber intelligence, was exposed for selling an intrusive software called ‘Pegasus’ to a number of foreign entities. The list of phone numbers exposed in the Pegasus spyware scandal mostly consisted of key political leaders, journalists, human rights activists, etc. The data leak exposed the extent to which any spyware could be misused. The Pegasus spyware manufacturer – the NSO Group – claimed that its software is designed to ensure state security and aid law enforcement agencies in tracking criminals and terrorists. However, the reality is rather ominous and obscure as governments, non-state actors, and militaries across the globe were involved in the purchase of this software to accomplish a range of political and ideological objectives. 54% of its customers were authoritarian or hybrid regimes, while hardly 8% comprised of democratic states/organisations. Various countries have raised their concern about the Pegasus project and its applications. The US Bureau of Industry and Security (BIS) declared the NSO Group as one of four foreign companies that poses a threat to America’s national security. The European Union, on the other hand, has called for a total moratorium on the sale of Pegasus spyware in Europe as a short-term measure. After detecting the presence of this software on an old cellphone used by Pakistan’s Prime Minister, the government requested the United Nations (UN) to investigate whether India used Israeli-made spyware to spy on the country’s leadership.

NSO is not the only wrongdoer as there are 528 other private firms generating huge profits by selling surveillance technologies to governments and other bodies. The open availability of such spyware has provided exponential opportunities to a multitude of threat actors to conduct cyber-related espionage and surveillance activities. Literature on cyber technologies is replete with examples where both authoritarian regimes and democratic states have been involved in the use of surveillance technologies. The use of such technologies depends on the purpose of end users. For instance, in the hands of authoritarian regimes, it can enable human rights violations; while in the hands of state actors and intelligence agencies, it can facilitate them in spying on dissidents and critics. States can also deploy such technologies to keep track of the activities of their rivals. This was ascertained in a recent investigation by 17 media news organisations which highlighted the prospective risks of unregulated sale of surveillance technologies and put forth the need for regulating the private surveillance industry. As way back as 2013, studies such as one published in the Harvard Law Review also summed up the dangers associated with use of privately developed and available cyber-surveillance technologies classified into three categories – ‘blackmail, discrimination, and persuasion.’

As per current estimates, over 80 countries now apply some form of digital surveillance against opposing states/entities. 40 of the world’s top 50 military spending countries use AI surveillance technology. The absence of effective checks and balances on the private cyber industry has given a free hand to known and unknown threat actors to purchase such surveillance tools openly available in the market for their interests.

According to the United Nations Special Rapporteur, the root of the problem lies in a private surveillance industry which is not transparent and operates under lax (or absent) legislation. The profit generation model adopted by private industry and lack of effective accountability/monitoring mechanisms have encouraged the cyber industry in particular to generate profits by conducting illegal and unlawful export of such technologies. Hence, there is a need for instituting a global authority for regulating the mechanisms being followed by the private surveillance industry.

Regulating the use of the latest surveillance technologies would be a challenging task due to the involvement of multiple stakeholders and their profoundly diverse interests. Some of the many recommendations within this domain that can be useful in this regard include:

  • Framing a legal code of conduct for the private surveillance industry dealing in the transfer of these technologies.
  • A separate body consisting of experts dealing with technology, cyber security and human rights should be formed under the UN auspices to monitor the sales/purchase, registration, and use of intrusive technologies.
  • To stop unlicensed/illegal use, these technologies should be encrypted and only be available after a formal publically available sales/purchase agreement is made by the using party.
  • Moreover, private cyber-tech conglomerates should be under the scrutiny of the law and audit of countries in which they are operational.

The contemporary era will be dominated by emerging technologies and their dual potential. Since there are no binding agreements or rules that regulate their functioning, the threats emanating from them is real and present. Therefore, states should also focus on strengthening their own digital and cyber security framework and invest in more effective and advanced spyware countering technologies. The regulation of tech spyware has become a real test for democracies to either halt their sale or get caught in a global spyware arms race.

Amna Tauhidi is a researcher at the Centre for Aerospace & Security Studies (CASS), Islamabad, Pakistan. She can be reached at [email protected]

Image Source: Rogal, Andreas.2021, “Poland comes under fire over renewed media law push and new Pegasus spyware revelations.”  Parliament Magazine, 22 Dec.https://www.theparliamentmagazine.eu/news/article/poland-comes-under-fire-over-renewed-media-law-push-and-new-pegasus-spyware-revelations


Share this article

Facebook
Twitter
LinkedIn

Recent Publications

Browse through the list of recent publications.

How the Nature of Warfare Affects the AI Optimism

Since the advent of Artificial Intelligence (AI), a pressing question is being asked: Is Clausewitz still relevant? The game-changing potential of AI and the idea of human-machine teaming (centaur systems) have led many to doubt the seemingly unchanged nature of war. Apparently, it has given rise to the belief that AI-powered systems will replace humans (generals) in the command loop. However, this view is detached from the complex nature of warfare, which remains fundamentally a human endeavour guided by violence, chance and friction.

Just like other social institutions, war is generally an interpretivist paradigm rooted in complex human nature. It is a non-linear phenomenon whose conduct and outcomes cannot be determined by analytical predictions or algorithmic patterns. In other words, war usually does not proceed on pre-determined rules of engagement, prescriptive manuals, established patterns and predictive modelling. Instead, it is fought on judgment, adaptation to changing realities, commander’s intuition and paying attention to the unfolding of the unknown. 

Read More »

Two Faces of the Atom: India’s Nuclear Exceptionalism

ew examples capture the inconsistencies of the nuclear world order more starkly than the events of 2 March 2026: as Prime Ministers’ Mark Carney and Narendra Modi signed a landmark 1.9 billion USD uranium supply deal for India’s civil nuclear sector, Iran was subjected to the third day of indiscriminate airstrikes by the US and Israel under the banner of nuclear non-proliferation, despite Iran agreeing to zero stockpiling of enriched uranium just days prior. This event, unfortunately, was not an isolated one, rather it reflects a pattern of nuclear exceptionalism where certain states such as India, continue to be rewarded for non-compliance with international regulations, while others such as Iran, are censured and even subjected to military action based on hypothetical realities.

The latest deal would see Canada sell close to 22 million pounds of uranium concentrate to India over 8 years, starting in 2027, a sale more than ten times the last Canada-India uranium agreement of 2015, which supplied 7 million pounds of concentrate over 5 years.

Read More »

Data Centres as the New Military Targets in Modern Conflicts

The character of warfare has evolved in tandem with the changing nature of military targets. In early March 2026, Iran bypassed traditional military targets and struck the physical part of the digital infrastructure at Amazon Web Services (AWS) data centres in the UAE and Bahrain. Until now data centres had been considered an unassuming target, as they did not house any military equipment or hardware. However, the US-Israel war on Iran, has transformed these billion dollar sites into high-value targets because of their ability to act as server farms on which adversaries’ websites, apps, AI systems and the entire digital infrastructure run.

Data centres are digital ecosystems where the delivery of cloud services depends on the integrity of physical infrastructure. Disruption in any one part of the shared infrastructure does not remain isolated and risks triggering widespread systemic failure. In the case at hand, Amazon operated multiple availability zones within each region in the United Arab Emirates and Bahrain. Iran struck two of the three availability zones in the UAE, while in Bahrain, a zone was damaged by drone debris causing an extended power outage and connectivity problems that further disrupted service across the Gulf.

Read More »