Dual Use of Cyber Surveillance Tools & the Case of Pegasus

Author Name: Amna Tauhidi | 05 Apr 2022 | Cyber

The continuous evolution of cyber capabilities has proportionally raised the risk of cyber warfare, cybercrimes, cyber surveillance, etc. Advancement in cyber capabilities and their dual nature is perceived by many as a national security threat. ‘Dual nature’ means that cyber technology can be employed for the achievement of legitimate and illegitimate objectives. The role of the private cyber industry has especially complicated the cyber security landscape.

A case in point is the Pegasus scandal. In 2019, the Niv, Shalev, and Omri (NSO) Group, a private entity working in the domain of cyber intelligence, was exposed for selling intrusive software called ‘Pegasus’ to a number of foreign entities. The list of phone numbers exposed in the Pegasus spyware scandal mostly consisted of key political leaders, journalists, human rights activists, etc. The data leak exposed the extent to which any spyware could be misused. The Pegasus spyware manufacturer – the NSO Group – claimed that its software is designed to ensure state security and aid law enforcement agencies in tracking criminals and terrorists. However, the reality is rather ominous and obscure as governments, non-state actors, and militaries across the globe were involved in the purchase of this software to accomplish a range of political and ideological objectives. 54% of its customers were authoritarian or hybrid regimes, while hardly 8% comprised democratic states/organisations. Various countries have raised their concerns about the Pegasus project and its applications. The US Bureau of Industry and Security (BIS) declared the NSO Group as one of four foreign companies that pose a threat to America’s national security. The European Union, on the other hand, has called for a total moratorium on the sale of Pegasus spyware in Europe as a short-term measure. After detecting the presence of this software on an old cellphone used by Pakistan’s Prime Minister, the government requested the United Nations (UN) to investigate whether India used Israeli-made spyware to spy on the country’s leadership.

NSO is not the only wrongdoer as there are 528 other private firms generating huge profits by selling surveillance technologies to governments and other bodies. The open availability of such spyware has provided exponential opportunities to a multitude of threat actors to conduct cyber-related espionage and surveillance activities. Literature on cyber technologies is replete with examples where both authoritarian regimes and democratic states have been involved in the use of surveillance technologies. The use of such technologies depends on the purpose of end users. For instance, in the hands of authoritarian regimes, it can enable human rights violations; while in the hands of state actors and intelligence agencies, it can facilitate spying on dissidents and critics. States can also deploy such technologies to keep track of the activities of their rivals. This was ascertained in a recent investigation by 17 media news organisations which highlighted the prospective risks of unregulated sale of surveillance technologies and put forth the need for regulating the private surveillance industry. As far back as 2013, studies such as one published in the Harvard Law Review also summed up the dangers associated with the use of privately developed and available cyber-surveillance technologies, classified into three categories – ‘blackmail, discrimination, and persuasion.’

As per current estimates, over 80 countries now apply some form of digital surveillance against opposing states/entities. 40 of the world’s top 50 military spending countries use AI surveillance technology. The absence of effective checks and balances on the private cyber industry has given a free hand to known and unknown threat actors to purchase such surveillance tools openly available in the market for their interests.

According to the United Nations Special Rapporteur, the root of the problem lies in a private surveillance industry which is not transparent and operates under lax (or absent) legislation. The profit generation model adopted by private industry and lack of effective accountability/monitoring mechanisms have encouraged the cyber industry in particular to generate profits by conducting illegal and unlawful export of such technologies. Hence, there is a need for instituting a global authority for regulating the mechanisms being followed by the private surveillance industry.

Regulating the use of the latest surveillance technologies would be a challenging task due to the involvement of multiple stakeholders and their profoundly diverse interests. Some of the many recommendations within this domain that can be useful in this regard include:

  • Framing a legal code of conduct for the private surveillance industry dealing in the transfer of these technologies.
  • A separate body consisting of experts dealing with technology, cyber security and human rights should be formed under the UN auspices to monitor the sales/purchase, registration, and use of intrusive technologies.
  • To stop unlicensed/illegal use, these technologies should be encrypted and only be available after a formal publicly available sales/purchase agreement is made by the using party.
  • Moreover, private cyber-tech conglomerates should be under the scrutiny of the law and audit of countries in which they are operational.

The contemporary era will be dominated by emerging technologies and their dual potential. Since there are no binding agreements or rules that regulate their functioning, the threats emanating from them are real and present. Therefore, states should also focus on strengthening their own digital and cyber security framework and invest in more effective and advanced spyware countering technologies. The regulation of tech spyware has become a real test for democracies to either halt their sale or get caught in a global spyware arms race.

Amna Tauhidi is a researcher at the Centre for Aerospace & Security Studies (CASS), Islamabad, Pakistan. She can be reached at cass.thinkers@gmail.com

Image Source: Rogal, Andreas. 2021, "Poland comes under fire over renewed media law push and new Pegasus spyware revelations." Parliament Magazine, 22 Dec. https://www.theparliamentmagazine.eu/news/article/poland-comes-under-fire-over-renewed-media-law-push-and-new-pegasus-spyware-revelations