Hard Code | Cyber mercenaries and nations playing with fire - Hindustan Times

Hard Code | Cyber mercenaries and nations playing with fire

Feb 10, 2024 04:47 PM IST

Companies that make hacking tools are a booming industry and have triggered sanctions from several liberal democracies. But they are here to stay

For several years now, the murky world of cyber mercenaries has enabled staggering attacks on political leaders, civil liberties, private enterprise and institutions. Exploiting weaknesses in code — the building blocks of the technology era — they build digital weapons to turn everyday devices like mobile phones, computers and even television sets into snooping tools.

A logo adorns a wall on a branch of the Israeli NSO Group company, near the southern Israeli town of Sapir. (AP Photo/Sebastian Scheiner)

The potential first became clear in 2019, when WhatsApp sued what was then a little-known Israeli company called NSO Group for building a spyware tool called Pegasus, which at the time enabled snooping on 1,400 people, including human rights defenders, politicians, judges and heads of state.

That lawsuit brought the dark industry into the spotlight (and brought NSO Group global infamy).

What they do is not new: nation-states, like the US, have had the ability to snoop on citizens, as Edward Snowden’s revelations in 2013 showed us. But it is one thing for a government, especially one that rests on institutional and legal checks and balances, to wield such power. It is another thing completely for a private company, which answers ultimately to a profit motive, to do so.

The result is human rights abuses and the weakening of democracies. To take just one example, the University of Toronto’s Citizen Lab identified “a network of computers and more than a thousand Web addresses used to deliver Pegasus spyware to the phones of targets in 45 countries,” a Washington Post report found. The targets included at least 65 persons connected with the Catalan independence movement, as well as Spanish politicians including the prime minister.

There is now a clamour against such companies, especially in the western world. On March 30, 2023, Australia, Canada, Costa Rica, Denmark, France, New Zealand, Norway, Sweden, Switzerland, the United Kingdom, and the United States issued a joint statement, recognising “the threat posed by the misuse of commercial spyware” and calling for “strict domestic and international controls on the proliferation and use of such technology”.

On February 6, the US government announced it would put a visa ban on those involved in the commercial spyware industry, including its users, operators and investors, sounding what is perhaps the loudest deterrent yet.

A day later, Google released a report, one of the most comprehensive assessments of the industry yet, showing how there is now a threat to societies at large.

To quote the report: “Compared to other cyber threats, spyware is used against a small number of targets. However, the use of high-risk targets has a profound impact on society. Spyware is often abused by governments for purposes antithetical to a free society including targeting dissidents, journalists, human rights defenders, and opposition party politicians.”

The report also covers insights that describe the scale and sophistication of the industry and how far-reaching its implications have been.

For instance, a company called Intellexa made a surveillance system that was used in Indonesia and Madagascar for political targeting in April 2023. The same company’s services were used in September of that year targeting an Egyptian opposition politician who had announced his intent to run in the Egypt presidential election, the report added.

Then, there is the scale of the industry. In an interview in March 2023, Dmitry Volkov, the CEO of cyber threat intelligence firm Group-IB, spoke to me of how there exists a cybercrime underworld dealing in information, credentials and code that can be used to hack systems.

The Google report adds how such a supply chain also feeds the spyware industry: “While CSVs [commercial spyware vendors] may have their own in-house employees working on vulnerability research and exploit development, they also supplement them by purchasing bugs and exploits from third parties.”

The industry is also significantly lucrative. An Intellexa spyware solution to hack up to 10 devices at a time (including the training of local staff) was pegged to cost 8 million euros for a year in 2021, according to leaked documents and NYT reporting.

For a democracy like India, where credible allegations have been made of spyware such as Pegasus being used on politicians, activists, journalists and lawyers, such abuse can do lasting damage to a rules-based order.

Until the internet, remote surveillance was a matter of phone tapping. In India, the Supreme Court in the 1996 PUCL vs Union of India case laid down safeguards that, in essence, assigned an oversight mechanism: tapping orders could only be made by an officer of a certain designation, records would need to be maintained, a review committee must examine all interceptions ordered, and any material not necessary to the purpose of interception will need to be discarded.

In December, India passed the Telecommunications Act 2023, bringing in a mechanism that has been criticised for undoing some of these safeguards. At the least, the bill will allow the Union government to lay down the rules of the road later (instead of by an act of parliament).

The law, therefore, leaves ample scope for a tool like Pegasus to be used against Indians without the State having any obligation on disclosure and responsible use.

Aligning with such a black-box surveillance paradigm is dangerous. At the very least, it flies in the face of the Right to Privacy ruling (Puttaswamy judgment) of the Supreme Court. That ruling laid down that Indians have a fundamental right to privacy, and any time this right is bypassed it needs to fulfil three tests: it needs to be enabled via an act of parliament, it needs to be necessary for a purpose, and it needs to be proportional to the objective.

There is also a technological precedent being laid down. True, black hat hackers (who break into systems for subversive or profit purposes) have existed for decades. But never before has that taken the shape of an organised industry, complete with recruitment of coders and hefty pay packages.

No digital device or network is impenetrable; making an ecosystem that profits off of such vulnerability has implications not just for technology and technology companies, but, as the Google report highlighted, society at large.

Once such a paradigm is normalised as legitimate business activity, everyone — including private enterprise and the senior-most of government functionaries — will be vulnerable.

Binayak Dasgupta, the Page 1 editor of Hindustan Times, looks at the emerging challenges from technology and what society, laws and technology itself can do about them
