Since Apple and Google announced last year that they would encrypt mobile user data by default, senior Western officials have denounced the decision as a win for terrorists and violent criminals who will now be better able to shield their communications from government scrutiny. So-called always-on encryption, a feature introduced to mitigate post-Edward Snowden criticisms of how the companies handle government information requests, has left many law enforcement officials fearing that their surveillance capabilities will “go dark.” Some have called for a legislative fix to help keep the lights on.
But such a remedy is unlikely anytime soon. In the meantime, foreign government agencies scared of going blind and unable to develop their own workarounds are likely to lean more heavily on hacking companies that market sophisticated intrusion software (“spyware”) that enables surveillance of encrypted communications. The global trade in commercial spyware is already booming, but as more communications are encrypted, the firms marketing these tools are likely to see even brisker business and a slew of new competitors. With this growth will come new risks. One major challenge will be the proliferation of cyber capabilities to countries that would otherwise struggle to develop them indigenously. As more states acquire the tools, some will repurpose them for nefarious ends or use them to obscure their role in an operation. (At least one may doing so already.) Another challenge will be the proliferation of the tools to non-state actors. If governments fail to effectively regulate the spyware industry, advanced malware could end up in the hands of repressive regimes, transnational criminal organizations, businesses seeking to steal proprietary information, and terrorist groups.
THE BUG TRADE
Commercial hacking has grown from a cottage industry into thriving international trade. Pioneer hackers who once sold software vulnerabilities on eBay now head lucrative information security firms that market zero-day exploits (so named because the software developers have had zero days to patch the vulnerability) or spyware tools that bundle those exploits into easy-to-use software suites that allow
Loading, please wait...