Countering Irresponsible Cyber Proliferation

Published 25 October 2023
We analyse how the commercialisation of cyber capabilities has presented opportunities for nefarious actors - and the key actions to take in response
Saher Naumaan, Threat Intelligence Analyst

Offensive cyber capabilities are both instruments of a state's cyber power and a threat to national security. While some can have legitimate use cases in law enforcement and intelligence contexts, the commercialisation of these capabilities over recent years has resulted in their proliferation to many actors that have abused them for varying purposes.

The proliferation of these capabilities has come into sharp view with their role in enabling network intrusions, cyber-attacks, influence operations, surveillance, and repression of political dissent. Traditionally, many of these activities fall under the jurisdiction of select states, but tool commercialisation has lowered the barrier to entry for states lacking organic capability and non-state actors such as criminals, both of which can procure these tools for a range of prices.

Not only has a 'pay-to-play' option become normalised, but the lack of global regulation and transparency allows the uncontrolled proliferation of offensive cyber capabilities across borders, reaching irresponsible actors who use them in criminal and oppressive ways.

Product proliferation

At their core, commercial offensive cyber capabilities are tools that enable remote, unauthorised access to a network or device. These range from bespoke to commoditised (commercially available for sale or under a licence), through to open-source or cracked versions of tools. This corresponds to a range in cost, and enables a wide distribution of actors to access these capabilities.

The product that has gained the most notoriety in research and media reporting is Pegasus - a mobile spyware suite for iOS and Android that provides highly intrusive access to a target's phone. Pegasus and its developer — NSO Group — have been the subject of several major political scandals, but despite the negative coverage and high-profile lawsuits, NSO Group continues to operate successfully and largely with impunity. Pegasus may be the most infamous and one of the more advanced tools in the market, but it is far from the only one.

At the other end of the spectrum, Cobalt Strike is the most prolific and widely abused commercial and legitimate pen-testing tool in the threat landscape, and provides operators with a highly configurable and powerful post-exploitation framework. This tool is available under a license, and is used by many penetration testing teams in their work. However, nearly all illegitimate uses are carried out through cracked versions of the tool; Cobalt Strike's ease-of-use and functionality has seen it become a very popular choice for threat actors. Despite the release of many new versions of Cobalt Strike over the years, threat actors are quick to adopt them, with cracked versions also appearing in a matter of weeks.

Since 2020, BAE Systems' Threat Intelligence team has been tracking deployments of Cobalt Strike and its abuse by malicious actors, including criminal ransomware operators and state-sponsored actors. Over a period of several years, our team has cumulatively identified tens of thousands of Cobalt Strike servers being used maliciously in the wild. This tracking has supported multiple international law enforcement investigations, and earlier this year there was a coordinated public-private disruption of cracked, legacy copies of Cobalt Strike.

This type of commoditised tool is not only a cost-effective way for malicious actors to avoid spending money and time creating bespoke tools; it also complicates attribution for defenders and researchers. Despite this complication, the goal of threat intelligence teams such as ours is to continuously make the work of adversaries more difficult, whether this involves forcing them to resource differently or 'burn' capabilities, which costs development cycles to replace.

Responsible government, responsible companies

As the market for offensive cyber capabilities expands, so does the need for policies to govern it and for companies to participate responsibly in it. The UK government has acknowledged the risks of proliferation in various public policy initiatives.

The UK's Integrated Review Refresh in 2023 considers commercial hacking tools a strategic threat that has proliferated across state and non-state actors. This necessitates shaping responsible norms of behaviour, which includes the UK behaving as a responsible cyber power in its use of offensive cyber capabilities. Part of the UK's National Cyber Strategy involves making sure the government acts within the law and uses a consistent ethical framework when it deploys offensive cyber capabilities.

The National Cyber Force's acknowledgement of its own activities within the offensive cyber spectrum was part of the UK government's drive towards its establishment as a responsible cyber power. Other elements include strong cyber defences to complement offensive capabilities based on an ethical framework, as well as engagement with industry and academia on government strategy. BAE Systems Digital Intelligence has discussed how cyber power can be demonstrated in practice as well as how industry can contribute to responsible cyber power.

Mirroring the UK government's own position regarding its use of offensive cyber capabilities is the role of the country's private sector in developing and selling these tools. Establishing national policy regarding the proliferation of offensive cyber capabilities necessitates a thorough understanding of the UK's domestic market and the players operating within it. It requires capturing the specific problems that need to be addressed and identifying the policy gaps that currently exist that prevent those problems from being solved. Industry engagement is especially important to protect and nurture the work of responsible companies within the cybersecurity industry.

However, creating national policy is a partial approach that must be complemented by engagement at the international level in order to establish global regulation.

International action

Particularly in the last year, the UK has publicly approached the issue of commercial offensive cyber capabilities at an international level. In March 2023, the UK and France conducted a Cyber Dialogue with a Joint Leaders' Declaration that agreed to take international action against the threat from commercial cyber proliferation through cyber capacity building and law enforcement action against cybercrime. Later that month, the UK along with 10 other countries issued a statement on the abuse of commercial spyware as a national security and foreign policy interest, especially due to its use in enabling human rights violations.

This parallels other countries' efforts to highlight the same risks. In March 2022, the EU created a committee to study the use of commercial offensive tools by EU member countries — the PEGA Committee. In May 2023, the committee adopted its final report, which acknowledged that four EU countries had all used these tools in a manner not compliant with EU law. The European Parliament subsequently adopted the report and a key recommendation contained within it, which called for a de facto halt on the use and export of spyware by certain EU member countries until a number of steps are taken to curb the possibility of abuse.

In March 2023, the White House released an Executive Order that limited the US government's use of commercial spyware because of its counterintelligence and security risks to the US government and the risk of abuse by foreign actors. International approaches must consider both the human rights perspective and protection of democracy, but also the criminal abuse of commercial tools for ransomware operations and other cybercrime, all while preserving the legitimate activities of the cybersecurity industry.

Policy considerations

The growing offensive cyber industry is one of misaligned incentives, where existing ambiguities in the law or lack of clear guidelines allow - if not encourage - companies to behave in ways that enable or benefit malicious actors. Companies and governments must not only be motivated to change how the ecosystem currently works, but also make this change a strategic priority - something to which the UK is committed.

Existing solutions - such as banning the sale of commercial offensive tools through export controls - are insufficient and unable to address the nuances of dual-use technologies in regulated and semi-regulated commercial markets. However, there are several options for governments to help shape the market and flow of these capabilities. These can be normative, punitive, or incentivising policy levers and directed at different parts of the ecosystem including the tools themselves, the activity they enable, the buyers, and the sellers.

  • Tools

Definitions around the tools are ambiguous and require clearer language to address and govern - many versions exist including surveillance spyware, intrusion software, commercial hacking tools, surveillance technologies, etc.

This terminology also affects the creation and adoption of export controls, often because of the unintended and negative consequences for the cybersecurity industry, which relies on research into vulnerabilities, malware, and pen-testing tools. While export controls in their current form are imperfect, they should still be revisited and improved to complement other policy initiatives.

  • Activity

The focus of regulation could also be shifted away from tools towards the activity of establishing unauthorised access - or hacking. Any policy of this kind must also distinguish between the use of spyware in human rights violations and criminal misuse of pen-testing tools and frameworks as they will require different responses.

These could include punitive measures for spyware, for example extending domestic laws governing unauthorised access to apply extraterritorially to nationals who live or work overseas. For pen-testing tools, there could be incentivising policy that encourages responsible use through industry support for training and accreditation.

  • People

Further emphasis on governing irresponsible behaviour requires thinking about people and employees and how they operate in the market. Some countries, such as the US, require more oversight of the 'revolving door' between government and the private sector in the area of offensive tool development.

  • Buyers and sellers

As the demand for these tools increases, it is important to discourage sales to malicious actors and link penalties to the buyers. A policy that clearly delineates the boundaries of acceptable and unacceptable buyers - for example through Know Your Customer regulations and due diligence frameworks - could help isolate malicious actors looking to purchase these tools. A further policy lever could exert pressure on countries acting as enablers to sellers, such as hosting countries with less regulation that facilitate transactions or act as tax havens.

Domestically supporting and creating incentives for responsible companies operating in the market could help provide a preferable alternative for buyers. This includes safeguarding governmental and private sector development and responsible export of these tools, as well as having accessible export processes and guidance for responsible companies.

Conclusions

These are merely starting points for further engagement, and the implementation and effectiveness of these controls will vary. Some of these necessitate the involvement of multiple international entities with sufficient political will and investment, and others the UK can undertake independently in a national context.

The trajectory for offensive cyber capabilities is proliferation, with more states developing in-house capabilities and others buying in capabilities where they can't be organically developed. While many of these commercial tools are currently being used against individuals, it is possible that states may start using them against each other. The growing demand will encourage more suppliers to enter the market.

As this issue escalates, governments and private companies need to understand what it means to act responsibly as buyers, sellers, and regulators – as well as incentivise this behaviour in the marketplace. This involves collaborating internationally with partners facing the same challenges and considering similar approaches to collectively curb the proliferation of commercial cyber capabilities for malicious purposes, while maintaining the ability of the cybersecurity industry to research and develop these tools for responsible use.
