Cyber Mercenaries – a growing threat prompting collective action at the 2024 Summit for Democracy

The alarming growth of private cyber mercenary firms has been a destabilizing force in the online ecosystem for some time, placing sophisticated cyber capabilities in the hands of a broad set of actors who have used them to target and harm vulnerable populations such as dissidents, journalists and human rights defenders. Private companies that develop and sell offensive cyber capabilities have readily found a market among governments, which all too often use these capabilities to undermine the privacy and security of civilians around the world. As the scale of this challenge has become difficult to ignore, it is encouraging to see recognition of the issue by responsible governments and growing momentum for action, including at the 2024 Summit for Democracy this week.

A year ago, the Cybersecurity Tech Accord introduced a set of industry principles highlighting the different ways that tech companies can respond to cyber mercenaries: by taking action on their respective platforms and by working together to push back on this growing market. These principles were launched during the 2023 Summit for Democracy, an annual gathering of governments focused on protecting and strengthening democratic institutions and societies amid rapid digitization and in the face of rising authoritarianism. In the year since, governments have taken a series of urgently needed steps that reflect the same concern and a steady movement towards curbing the cyber mercenary market, culminating at the 2024 Summit for Democracy this week.

The Cybersecurity Tech Accord welcomes the expanded set of countries that on Monday, at the 2024 Summit for Democracy, joined the “Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware.” Launched at the 2023 Summit for Democracy as a first-of-its-kind international effort, the statement makes critical commitments to setting guardrails, limiting exports, sharing information and working with like-minded governments and industry partners to address the proliferation of commercial spyware. The expanded set of countries endorsing these commitments underscores both their value and the persistent challenges posed by cyber mercenaries. The joint statement now has the support of the following 17 nations: Australia, Canada, Costa Rica, Denmark, Finland, France, Germany, Ireland, Japan, New Zealand, Norway, Poland, Republic of Korea, Sweden, Switzerland, the United Kingdom, and the United States.

While this constitutes a valuable step forward, we encourage governments to go further and take greater action against the cyber mercenary market, which extends well beyond the companies that produce spyware to include all those who produce and sell malicious intrusion capabilities. This is unfortunately not an issue that industry can tackle on its own. While there is much companies can and should do to improve the security of their products and services, there simply cannot be an open market incentivizing a business model based on corrupting and undermining technology that was built for peaceful use. Such a market is antithetical to promoting good security and a rights-respecting online world. We need government action, in the form of voluntary commitments, regulation, and international cooperation, that places severe restrictions on the whole cyber mercenary market.

Government actions against cyber mercenaries

As promised last fall, we are taking this opportunity around the 2024 Summit for Democracy to highlight what governments have done, independently and together, to begin to address this issue. This includes:

  • March 2023: The Biden administration issues an Executive Order limiting the U.S. government’s use of commercial spyware on national security grounds.
  • March 2023: France and the United Kingdom issue a Joint Leaders’ Declaration announcing an initiative to “take forward international action on tackling the threat from commercial cyber proliferation, including commercial spyware.”
  • March 2023: The Freedom Online Coalition (FOC), an intergovernmental body, releases Guiding Principles on Government Use of Surveillance Technologies to ensure that such technologies do not undermine fundamental freedoms and rights online.
    • FOC Members: Argentina, Australia, Austria, Cabo Verde, Canada, Chile, Costa Rica, The Czech Republic, Denmark, Estonia, Finland, France, Georgia, Germany, Ghana, Ireland, Iceland, Italy, Japan, Kenya, Republic of Korea, Latvia, Lithuania, Luxembourg, The Maldives, Mexico, Moldova, Mongolia, The Netherlands, New Zealand, Norway, Poland, Slovakia, Spain, Sweden, Switzerland, Tunisia, United Kingdom, United States of America
  • June 2023: The European Parliament’s PEGA Committee (the committee of inquiry into the use of Pegasus and equivalent surveillance spyware) releases its final report and recommendations, calling for strict conditions on government use of spyware.
  • February 2024: France and the UK launch the “Pall Mall Process” on Tackling the Proliferation and Irresponsible Use of Commercial Cyber Intrusion Capabilities. The Process will continue in the months ahead, together with multistakeholder partners, in an effort to limit the market for cyber mercenaries.
  • February 2024: The United States announces new restrictions to curb the global spyware industry by denying visas to people seeking to travel to the U.S. who have been implicated in the misuse of commercial spyware.
  • March 2024: The U.S. Treasury announces sanctions on individuals associated with the Europe-based cyber mercenary firm(s) responsible for developing and selling the Predator spyware.
  • March 2024: At the UN Open-Ended Working Group on information security (OEWG), the Chair uses his introductory remarks to encourage states to consider a norm limiting the use of cyber mercenaries. Commercial cyber-intrusion capabilities were also raised with concern during the OEWG meeting by representatives from the EU, France, Australia, Belgium, Greece, Italy, Japan, the UK, and Canada.

The government actions above are complemented by ongoing civil society and industry initiatives. Organizations such as Citizen Lab, Amnesty International, and the CyberPeace Institute are documenting how victims suffer as a result of cyber mercenaries. Meanwhile, the Atlantic Council is mapping the cyber mercenary market to help demystify the often opaque groups operating in this space. Leading philanthropies have also recently announced over $4 million in grants, through the Spyware Accountability Initiative, to highlight the major harms posed by the global spyware industry. This will support the growing number of community researchers and advocacy groups working to hold cyber mercenaries accountable for how their services are used.

For all that industry and civil society can do to address cyber mercenaries, comprehensive solutions will ultimately require governments, and especially democracies, to show even more initiative and leadership. For our part, the Cybersecurity Tech Accord worked with a coalition within the Paris Call for Trust and Security in Cyberspace to develop and release the Paris Call Blueprint on Cyber Mercenaries last fall at the Paris Peace Forum, laying a foundation for further multistakeholder cooperation. We hope to see continued resolve from industry in opposing cyber mercenaries, and further action by governments to place strict limits on the market itself, in the months ahead.

We also, once again, commit to providing an update on government actions taken against cyber mercenary firms alongside the next gathering of the Paris Peace Forum, in November 2024. Between now and then we hope to see even more ambitious collective action by governments, building on the current momentum, to place severe limits on a growing and pernicious threat. At a time when we have become increasingly accustomed to ever-growing cyber risk, there is real potential here for governments to significantly improve the security of the global digital ecosystem by constraining – or simply prohibiting – a sector dedicated to undermining that security.