People pose in front of a display showing the word 'cyber' in binary code, December 27, 2014.
Dado Ruvic / Reuters

Since Apple and Google announced last year that they would encrypt mobile user data by default, senior Western officials have denounced the decision as a win for terrorists and violent criminals who will now be better able to shield their communications from government scrutiny. So-called always-on encryption, a feature introduced to mitigate post-Edward Snowden criticisms of how the companies handle government information requests, has left many law enforcement officials fearing that their surveillance capabilities will “go dark.” Some have called for a legislative fix to help keep the lights on. 

But such a remedy is unlikely anytime soon. In the meantime, foreign government agencies scared of going blind and unable to develop their own workarounds are likely to lean more heavily on hacking companies that market sophisticated intrusion software (“spyware”) that enables surveillance of encrypted communications. The global trade in commercial spyware is already booming, but as more communications are encrypted, the firms marketing these tools are likely to see even brisker business and a slew of new competitors. With this growth will come new risks. One major challenge will be the proliferation of cyber capabilities to countries that would otherwise struggle to develop them indigenously. As more states acquire the tools, some will repurpose them for nefarious ends or use them to obscure their role in an operation. (At least one may doing so already.) Another challenge will be the proliferation of the tools to non-state actors. If governments fail to effectively regulate the spyware industry, advanced malware could end up in the hands of repressive regimes, transnational criminal organizations, businesses seeking to steal proprietary information, and terrorist groups.

THE BUG TRADE

Commercial hacking has grown from a cottage industry into thriving international trade. Pioneer hackers who once sold software vulnerabilities on eBay now head lucrative information security firms that market zero-day exploits (so named because the software developers have had zero days to patch the vulnerability) or spyware tools that bundle those exploits into easy-to-use software suites that allow users to monitor a target’s email, texts, call logs, and keystrokes. Users can even record audio from idle iPhones, take photos from its camera, and track its location. One coding duo—Alberto Ornaghi and Marco Valleri—created a free, open source spyware program in 2001 and now run the Milan-based multinational company HackingTeam. The company has opened offices in three countries and has operations in over 40 countries across six continents.

Firms like HackingTeam, which was once able to work quietly behind the scenes, have come under attack by Western privacy advocates. Analysis of leaked company documents, as well as spyware embedded in emails sent by regimes to dissident journalists and other targets, has exposed the use of HackingTeam’s tools against political dissidents in Morocco, Saudi Arabia, Sudan, Turkey, and the United Arab Emirates, according to researchers at Citizen Lab, an Internet research group based at the University of Toronto. In March, Ethiopian authorities were caught using the firm’s software to target U.S.-based journalists working for Ethiopian Satellite Television, an independent media outlet that runs broadcasts critical of the Ethiopian government. In August 2014, Munich-based hacking firm FinFisher was itself hacked and saw sensitive materials posted on Reddit. Referring to the leaked documents, a British government agency recently found the firm’s policies inconsistent with OECD guidelines for respecting human rights and urged the firm to take steps to prevent the use of its products for repressive means.

Apple and Google announced last year that they would encrypt mobile user data by default, January 23, 2014.
Dado Ruvic / Reuters

The United Kingdom isn’t the only country concerned about the rising abuse of spyware. As early as 2012, Dutch EU parliament member Marietje Schaake spearheaded a push for a ban on exports of surveillance software. 

Several dozen nations, including the United States, Canada, and all EU member states, have since pledged to introduce export controls on surveillance software and new export control procedures are beginning to evolve in countries where many of these firms are headquartered, including Germany, Italy, and France. But the multilateral framework used to contain and control the trade—a legacy regime originally developed to curb arms proliferation in a bipolar world—cannot address the challenge of this new digital industry alone. Countries will still be left with the question of how to regulate this market without pushing it underground, driving spyware developers into more permissive jurisdictions, or imposing unnecessary restrictions that stymie commercial and scientific development. 

SOFT LAW FOR SOFTWARE

In late 2013, 41 countries pledged under the Wassenaar Arrangement to adopt export controls for the types of surveillance tools HackingTeam and other firms were selling around the world. Wassenaar is the successor to a Cold War effort aimed at preventing the sale of conventional military and dual-use capabilities to the Soviet bloc. As the political scientists Kenneth Abbott and Duncan Snidal pointed out soon after its adoption, Wassenaar was already hard enough to enforce with physical goods. Wassenaar had too many members and too little consensus. It was not directed at a common enemy, and the costs of export bans fell unevenly across countries. Finally, some states were more technically prepared than others to oversee an effective control system. Digital goods like spyware will be all the more challenging to control.

In the case of hacking products, the size and expertise of the leading firms make them difficult to control through a treaty. Unlike the middle aged, Ph.D. wielding engineers at Lockheed Martin that develop advanced fighter jets, software developers that create malware are often young, some may be detached from the community, and many are willing to move around frequently—much like the hacking firms that recruit them. There is also little equipment that can be physically monitored or controlled. Traditional defense industries use assembly lines, machine tools, and other types of manufacturing infrastructure that are difficult and costly to duplicate abroad; hackers' most valuable products are often computer code, which can go wherever they go. With only a few dozen employees, firms like HackingTeam will have a relatively easy time recruiting or luring their best and brightest to countries with less oversight over the development and distribution of spyware. European officials have already warned that Vupen, a French vendor of exclusive zero-day exploits, may be moving its offices out of the EU due to tightening export control policies.

Wassenaar works best when its member states are also the world’s primary producers of the regulated good. Only then can its members work to collectively block all sales to unsavory actors outside of the pact. For now, much of the multibillion-dollar, off-the-shelf surveillance industry is based in Western Europe. But the industry is expanding to non-Wassenaar countries and, due to a surging demand for hacking services, may begin to offer a broader range of services, some of them illicit.

An analyst looks at code in the malware lab of a cyber security defense lab at the Idaho National Laboratory in Idaho Falls, Idaho, September 29, 2011.
Jim Urquhart / Reuters

MANAGING THE BUG ECONOMY

Although governments will likely never be able to fully control the market for spyware, it can push some unfavorable actors out, affect pricing, mitigate risks, and curb unwanted trades. To do that, there are a few things to understand about the bug economy that spyware developers rely on to build their software. Hackers have several choices when they find a bug. They can announce the vulnerability on the Internet to gain notoriety, use the bug for criminal purposes, or sell it on the black market. Alternatively, they can choose to sell it to a government spy agency, a commercial hacking firm, or to the developer of the software through a bug bounty program. Several of these choices offer speculative returns, such as getting cheated by criminal buyers or going to prison. Others offer a more secure payoff, but it may not be much (according to a 2013 NSS Labs study, most vulnerabilities reported to software vendors by security researchers are offered for free because the companies rarely offer bug bounties). 

To ensure their efforts to control this industry succeed, cyber officials should pay close attention to the shifting economics of the software vulnerabilities market. As cyber security specialist Dan Geer proposed last year, the purchasing power of the United States can do much to restructure the market for software vulnerabilities. By becoming its largest customer, the United States can make the licit market more attractive and lower the quality of tools available to cybercriminals. According to NSS Labs, a vulnerability purchasing program would reduce economic losses resulting from cybercrime by at least ten percent. It would also increase the talent pool of skilled information security researchers and degrade the ability of foreign intelligence agencies to acquire sophisticated exploits or attract talented researchers. In addition, the likelihood of a catastrophic attack on critical U.S. infrastructure would be diminished if individuals had an incentive to look for and sell flaws to reputable vendors or the U.S. government (provided that U.S. agencies maintain an effective process to responsibly disclose a vast majority of the bugs to the public). Without such a program, the market for vulnerabilities could become a bazaar for a wide array of private purchasers with no interest in public disclosure of the bugs.

The United States cannot, though, expect to buy its way out of the problem entirely. A newly announced study from researchers from MIT, Harvard, and the information security firm HackerOne maintains that while bug bounties are an effective tool, the market is not driven by price alone.  For a more enduring solution that avoids the danger of drawing too much attention to finding bugs and not enough to fixing them, officials and software developers must also work to encourage the development of automated solutions for vulnerability discovery.

Thomas Schelling observed in his work on economics and criminal enterprise that unsavory markets always offer policymakers several options to restructure the market: increasing the legal competition, relaxing prohibitions, or selective enforcement. There are no easy choices when it comes to dealing with the problem of commercial hacking, but at least there are choices. Private hacking firms will inevitably thrive as encryption becomes more ubiquitous, but the United States can affect the market in which these firms operate. A bug-bounty program led by the United States can drive up their costs of doing business, as well as the costs to U.S. adversaries in cyberspace. It may, as Dan Geer noted, be “the cheapest win we will ever get.”

You are reading a free article.

Subscribe to Foreign Affairs to get unlimited access.

  • Paywall-free reading of new articles and a century of archives
  • Unlock access to iOS/Android apps to save editions for offline reading
  • Six issues a year in print, online, and audio editions
Subscribe Now
  • BENJAMIN BRAKE is an International Affairs Fellow at the Council on Foreign Relations. He has served as an analyst covering cyber issues in the Bureau of Intelligence and Research at the U.S. Department of State. The views expressed in this paper are his own and do not necessarily reflect those of the Department of State or the United States Government.

  • More By Benjamin Brake