In-Depth Research & Reports November 8, 2021

Surveillance Technology at the Fair: Proliferation of Cyber Capabilities in International Arms Markets

By Winnona DeSombre, Lars Gjesvik, and Johann Ole Willers

Executive Summary

National cyber capabilities are increasingly abiding by the “pay-to-play” model—both US/NATO allies and adversaries can purchase interception and intrusion technologies from private firms for intelligence and surveillance purposes. NSO Group has repeatedly made headlines in 2021 for targeting global entities in cyberspace, but there are many more companies selling similar products that are just as harmful. These vendors are increasingly looking to foreign governments to hawk their wares, and policymakers have yet to sufficiently recognize or respond to this emerging problem. Any cyber capabilities sold to foreign governments carry a risk: these capabilities could be used against individuals and organizations in allied countries, or even in one’s home country.

Because much of this industry operates in the shadows, research into the industry in aggregate is rare. This paper analyzes active providers of interception/intrusion capabilities within the international surveillance market, cataloguing firms that have attended both ISSWorld (i.e., the Wiretapper’s Ball) and international arms fairs over the last twenty years.[1] Patrick Howell O’Neill, “ISS World: The Traveling Spyware Roadshow for Dictatorships and Democracies,” CyberScoop, June 20, 2017, https://www.cyberscoop.com/iss-world-wiretappers-ball-nso-group-ahmed-mansoor/. This dataset mostly focuses on Western firms and includes minimal data on Chinese firms, due to historical under-attendance of Chinese firms at ISSWorld. Still, the overarching nature of this work will help policymakers better understand the market at large, as well as the primary arms fairs at which these players operate. This paper identifies companies explicitly marketing interception/intrusion technology at arms fairs, and answers a series of questions, including: which companies are marketing interception/intrusion capabilities outside their headquartered region; which arms fairs and countries host a majority of these firms; and which companies market interception/intrusion capabilities to US and NATO adversaries?

The resulting dataset shows that there are multiple firms headquartered in Europe and the Middle East that the authors assess, with high confidence, are marketing cyber interception/intrusion capabilities to US/NATO adversaries. They assume that companies offering interception/intrusion capabilities pose the greatest risk, both by bolstering oppressive regimes and by the proliferation of strategic capabilities. Whether a company is a strategic concern, primarily enabling oppression domestically, or both, depends on the exact products and capabilities it provides, and publicly available information gives limited insights into the exact products companies are offering. The authors have included those companies they deem a cause for concern in either regard, based on the information about their products that is publicly available, but recognize that these assessments are imperfect. Many such companies congregate at Milipol France, Security & Policing UK, and other arms fairs in the UK, Germany, Singapore, Israel, and Qatar.

The authors found that 75 percent of companies likely selling interception/intrusion technologies have marketed these capabilities to governments outside their home continent. Five irresponsible proliferators—BTT, Cellebrite, Micro Systemation AB, Verint, and Vastech—have marketed their capabilities to US/NATO adversaries in the last ten years. This excludes high/medium-confidence firms headquartered in US/NATO adversary countries marketing to their home country, such as Norsi-Trans, a Russian surveillance firm that frequently markets to its home country.

This paper categorizes these companies as potentially irresponsible proliferators because of their willingness to market outside their continents to governments not allied with the United States and NATO—specifically, Russia and China.[2] See Question 4. By marketing to these parties, these firms signal that they are willing to accept or ignore the risk that their products will bolster the capabilities of client governments that might wish to threaten US/NATO national security or harm marginalized populations. This is especially the case when the client government is a direct US or NATO adversary.
 
This globalizing shift is important for two reasons. First, it indicates a widening pattern of proliferation of cyber capabilities across the globe. Second, many firms in the surveillance and offensive cyber capabilities markets have long argued for the legitimacy of their business models by pointing to the perceived legitimacy of their customers; yet, their marketing strategies contradict this argument. As the recent indictment of several former US intelligence personnel working for the United Arab Emirates (UAE) confirms, capabilities originally focused on one target set may be expanded for other intelligence uses.[3] “Three Former U.S. Intelligence Community and Military Personnel Agree to Pay More Than $1.68 Million to Resolve Criminal Charges Arising from Their Provision of Hacking-Related Services to a Foreign Government,” US Department of Justice, press release, September 14, 2021, https://www.justice.gov/opa/pr/three-former-us-intelligence-community-and-military-personnel-agree-pay-more-168-million. When these firms begin to sell their wares to both NATO members and adversaries, it should provoke national security concerns for all customers.

This paper profiles these important trends for their practical security impacts, and to enable further research into this topic. The authors suggest that the United States and NATO

  • create know-your-customer (KYC) policies with companies operating in this space;
  • work with arms fairs to limit irresponsible proliferators’ attendance at these events;
  • tighten export-control loopholes; and
  • name and shame both irresponsible vendors and customers.

The authors encourage policymakers to focus their efforts on reining in companies that sell these capabilities directly to adversaries, or those willing to ignore the risk that their capabilities might be misused. The dataset presented below is open for use by others who might similarly seek to bring some measure of light to an industry that remains so insistently in the dark.

Introduction

Offensive cyber capabilities are becoming increasingly privatized.[4] Winnona DeSombre, et al., Countering Cyber Proliferation: Zeroing in on Access-as-a-Service, Atlantic Council, March 1, 2021, https://www.atlanticcouncil.org/in-depth-research-reports/report/countering-cyber-proliferation-zeroing-in-on-access-as-a-service/. Governments no longer need to devote significant resources to develop offensive cyber capabilities in house—in fact, almost any government can buy capabilities that accomplish a number of national security objectives, including the surveillance of domestic groups, cyber defense, foreign-intelligence collection, and the bolstering of conventional military capabilities.[5] Julia Voo, et al., “National Cyber Power Index 2020,” Belfer Center for Science and International Affairs, September 2020, https://www.belfercenter.org/sites/default/files/2020-09/NCPI_2020.pdf. What used to be a “nobody but us” system—in which cyber capabilities were difficult to develop and the prerogative of a limited number of states—has evolved into a “pay-to-play” model in which any government, adversary or ally, can gain access to offensive cyber capabilities if it can hire the right firm.[6] Andrea Peterson, “Why Everyone Is Left Less Secure When the NSA Doesn’t Help Fix Security Flaws,” Washington Post, October 4, 2013, https://www.washingtonpost.com/news/the-switch/wp/2013/10/04/why-everyone-is-left-less-secure-when-the-nsa-doesnt-help-fix-security-flaws/.

While offensive cyber capabilities can be helpful for law enforcement and border protection, the dual-use nature of many of these capabilities provides opportunity for malicious use as well, especially when the capabilities are sold to authoritarian actors.[7] “Convention on Cybercrime,” Council of Europe, 2001, articles 19–20, https://rm.coe.int/1680081561; “The EU Funds Surveillance Around the World: Here’s What Must Be Done About It,” Privacy International, September 18, 2019, https://privacyinternational.org/long-read/3221/eu-funds-surveillance-around-world-heres-what-must-be-done-about-it. Examples abound. Executives of French-owned spyware vendor Amesys/Nexa were indicted for their role in supplying the Egyptian and Libyan regimes with surveillance and intrusion capabilities during the Arab Spring.[8] “Executives of Surveillance Companies Amesys and Nexa Technologies Indicted for Complicity in Torture,” Amnesty International, June 22, 2021, https://www.amnestyusa.org/press-releases/executives-of-surveillance-companies-amesys-and-nexa-technologies-indicted-for-complicity-in-torture/.
Israeli NSO Group/Q Cyber has achieved much unwanted notoriety for its Pegasus spyware, which provides authoritarian states around the world the capability to spy on journalists, political dissidents, and activists.[9] Bill Marczak, et al., “Hide and Seek: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries,” Citizen Lab, Munk School, University of Toronto, September 18, 2018, https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/; Stephanie Kirchgaessner, et al., “Revealed: Leak Uncovers Global Abuse of Cyber-Surveillance Weapon,” Guardian, July 18, 2021, https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus; Dana Priest, Craig Timberg, and Souad Mekhennet, “Private Israeli Spyware Used to Hack Cellphones of Journalists, Activists Worldwide,” Washington Post, July 18, 2021, https://www.washingtonpost.com/investigations/interactive/2021/nso-spyware-pegasus-cellphones/. Beyond human-rights violations, cyber capabilities sold to even regional partners of the United States and NATO might be used against the United States and NATO in the future. Emirati firm DarkMatter took over programs created by US-based CyberPoint with help from former US intelligence personnel and used those capabilities, in part, to surveil US citizens.[10] Christopher Bing and Joel Schectman, “Inside the UAE’s Secret Hacking Team of American Mercenaries,” Reuters, January 30, 2019, https://www.reuters.com/investigates/special-report/usa-spying-raven/.

These cases and others highlight how private companies, particularly those offering intrusion or “lawful” interception products, have become important vectors of proliferation for offensive cyber capabilities (OCC).[11] For example: Bill Marczak, et al., “Hooking Candiru: Another Mercenary Spyware Vendor Comes into Focus,” Citizen Lab, Munk School, University of Toronto, July 15, 2021, https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/. The Citizen Lab investigation into the operations of “Dark Basin”—a hack-for-hire company linked to the Indian company BellTroX—has provided evidence that similar tools have left the state-dominated market and are available on a far broader scale.[12] John Scott-Railton, et al., “Dark Basin: Uncovering a Massive Hack-for-Hire Operation,” Citizen Lab, Munk School, University of Toronto, June 9, 2020, https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/; Trey Herr, “Countering the Proliferation of Malware: Targeting the Vulnerability Lifecycle,” Belfer Cyber Security Project White Paper Series, June 27, 2017, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3005616; Robert Morgus, Max Smeets, and Trey Herr, “Countering the Proliferation of Offensive Cyber Capabilities,” Global Commission on the Stability of Cyberspace, 2017, http://maxsmeets.com/wp-content/uploads/2018/09/GCSC-Briefings-from-the-Research-Advisory-Group_NewDelhi-2017-161-187.pdf; Trey Herr, “Governing Proliferation in Cybersecurity,” Global Summitry 3, 1, 2017, 86–107, https://doi.org/10.1093/global/gux006; Trey Herr, “Malware Counter-Proliferation and the Wassenaar Arrangement,” 8th International Conference on Cyber Conflict, Tallinn, 2016, 175–190, https://ieeexplore.ieee.org/abstract/document/7529434; Lillian Ablon, Martin C. Libicki, and Andrea A. Golay, “Markets for Cybercrime Tools and Stolen Data: Hackers’ Bazaar,” RAND, 2014, https://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf; Louise Arimatsu, “A Treaty for Governing Cyber-Weapons: Potential Benefits and Practical Limitations,” 4th International Conference on Cyber Conflict, 2012, 91–109, https://ccdcoe.org/uploads/2012/01/2_3_Arimatsu_ATreatyForGoverningCyber-Weapons.pdf; Joseph Nye, “Nuclear Lessons for Cyber Security?” Strategic Studies Quarterly 5, 4, 2011, 18–38, https://dash.harvard.edu/handle/1/8052146; Kenneth Geers, “Cyber Weapons Convention,” Computer Law & Security Review 26, 5, September 2010, 547–551, https://doi.org/10.1016/j.clsr.2010.07.005. As the number of controversial incidents involving privately developed cyber capabilities increases, calls to rein in the operations of this market are growing.[13] Tim Maurer, Cyber Mercenaries (Cambridge: Cambridge University Press, 2018); David Kaye, “UN Expert Calls for Immediate Moratorium on the Sale, Transfer and Use of Surveillance Tools,” United Nations Office of the High Commissioner for Human Rights, June 25, 2019, https://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=24736; Brad Smith, “A Moment of Reckoning: the Need for a Strong and Global Cybersecurity Response,” Microsoft, https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/; James R. Clapper, “Worldwide Threat Assessment of the US Intelligence Community: Senate Select Committee on Intelligence,” March 12, 2013, https://www.dni.gov/files/documents/Intelligence%20Reports/2013%20ATA%20SFR%20for%20SSCI%2012%20Mar%202013.pdf; David Kaye and Marietje Schaake, “Global Spyware Such as Pegasus is a Threat to Democracy. Here’s How to Stop It,” Washington Post, July 19, 2021, https://www.washingtonpost.com/opinions/2021/07/19/pegasus-spyware-nso-group-threat-democracy-journalism/.
While some argue for an arms-control treaty for cyberspace, regulating cyber capabilities themselves is largely ineffective. Joseph S. Nye, “The World Needs an Arms-Control Treaty for Cybersecurity,” Belfer Center for Science and International Affairs, October 1, 2015, https://www.belfercenter.org/publication/world-needs-arms-control-treaty-cybersecurity. Instead, shaping the behaviors of companies proliferating cyber capabilities, and limiting their activities where they conflict with national security priorities, should be the top priority.[14] DeSombre, et al., Countering Cyber Proliferation.

However, this means first identifying the companies acting as irresponsible proliferators. Where are the conferences at which these organizations tend to gather? Which companies are marketing their wares internationally to countries that could use these capabilities against the United States, NATO, and their allies?

The surveillance industry is multifaceted, covering a range of products and use cases. The authors assume that companies offering interception or intrusion capabilities pose the greatest danger, as suggested by the wide range of cases of misuse involving companies like NSO Group, Cellebrite, DarkMatter, and other similar enterprises.[15] Marczak, et al., “Hide and Seek”; “Exploiting Vulnerabilities in Cellebrite UFED and Physical Analyzer from an App’s Perspective,” Signal, April 21, 2021, https://signal.org/blog/cellebrite-vulnerabilities/; Marczak, et al., “Hooking Candiru.” The authors have labeled companies marketing these capabilities outside their country or continent, especially to US/NATO adversaries, as irresponsible proliferators. By marketing to these parties, these firms signal that they are willing to accept or ignore the risk that their products could bolster the capabilities of authoritarian and/or adversary governments, which may use their products to target vulnerable populations within their country or to conduct foreign espionage more effectively.

The offensive cyber industry remains poorly understood by the public, and current knowledge is based on case studies of individual companies. Little systemic knowledge about the industry exists, largely due to the opaque nature of the surveillance industry. As a result, differentiating legitimately operating companies from those that enable human-rights violations is difficult.[16] Mark Bromley, “Export Controls, Human Security and Cyber-surveillance Technology: Examining the Proposed Changes to the EU Dual-use Regulation,” Stockholm International Peace Research Institute, 2017, https://www.sipri.org/sites/default/files/2018-01/sipri1712_bromley.pdf; Morgus, et al., “Countering the Proliferation of Offensive Cyber Capabilities.”

To address this issue, this paper focuses on companies that are marketing interception/intrusion capabilities (e.g., mobile forensics, “lawful interception services,” non-passive communication interception/monitoring, spyware, surveillance capabilities), and are explicitly marketing their capabilities at foreign arms fairs. These companies are often unambiguously operating on the offensive side of the market, and present a compelling focus for regulatory action.

This paper identifies companies explicitly marketing interception/intrusion technology at arms fairs, and probes this new dataset to answer the following questions.

1. What firms are marketing interception/intrusion capabilities at arms fairs? How has this evolved over time?

2. What companies are marketing interception/intrusion capabilities outside their headquartered region?

3. Which arms fairs (and which arms fair host countries) host a majority of these firms?

4. Critically, which companies are marketing interception/intrusion capabilities to US and NATO adversaries?

The answers to these questions will allow policymakers to better understand the market at large by enumerating players selling interception/intrusion capabilities, as well as the primary arms fairs at which these players operate. These answers also underline the overwhelming importance of addressing the shape and permissive nature of the market, not just the behavior of individual firms, as it extends globally and reaches into an increasing number of countries, including those that might leverage these capabilities counter to the interests of the United States and NATO. The proliferation of cyber capabilities in the hands of irresponsible corporate actors presents an urgent challenge to the policymaking community.

Methodology, Assumptions, and Limitations

To answer the stated questions, this paper compares the Omega Foundation’s Arms Fair database of more than one hundred and seven thousand exhibitors to historical speaker and sponsor organizations at ISSWorld, to create a database of companies featured at both events.[17] The authors are greatly appreciative of the Omega Foundation’s assistance with this project. Their dataset on arms-fair exhibitors is located at: “Arms Fairs,” Omega Research Foundation, https://omegaresearchfoundation.org/resources/arms-fairs.

Debuting in the early 2000s, ISSWorld is the original dedicated trade show for lawful intercept and intrusion products.[18] O’Neill, “ISS World.” The authors catalogued sixty-four unique conference brochures via The Wayback Machine and other publicly available sources. For each conference, they gathered publicly available information about sponsors and presenting companies, the year and location of the conference, and the titles of presentations. These brochures encompass seven hundred and seventy-seven unique ISSWorld speaker and sponsorship organizations across the Middle Eastern, Latin American, European, South-east Asian, and North American conference series between 2003 and 2020.

In a further analysis, the paper compares the seven hundred and seventy-seven organizations at ISSWorld against the 107,542 unique exhibitors at arms and law-enforcement fairs from the Omega Foundation’s Arms Fair Dataset.[19] “Arms Fairs.” Using a simple program to identify names present in both datasets, the authors identified two hundred and twenty-four companies.[20] This program checks for the occurrence of a name in both datasets, with either an exact or partial match. The program contained three conditions: if the arms-fair company was an exact match to the ISSWorld company, it was added to the dataset (e.g., “WolfCyber Intelligence” = “WolfCyber Intelligence”); if the arms-fair company started with the name of the ISSWorld company or vice versa, it was added to the dataset (e.g., “WolfCyber” = “WolfCyber Intelligence”); and if the arms-fair company started with the name of the ISSWorld company in parentheses, it was added to the dataset (e.g., “Hacking Team (Memento Labs)” = “Memento Labs”). This was followed by manual cleaning to remove vaguely named companies or other false positives. They manually cleaned the matches to ensure the robustness of the dataset and added contextual information about the vendors. All matches were categorized according to the confidence level (high/medium/low) that a given vendor attended an arms fair to promote interception and/or intrusion technologies.
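As an added illustration (not the authors’ program), the three matching conditions from the footnote above, implemented in Python over a handful of constructed names; the parenthetical rule follows the paper’s own “Hacking Team (Memento Labs)” example, and the review flag for single-word names is this example’s heuristic, standing in for the paper’s manual cleaning step.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample inputs (illustrative, not rows from the paper's dataset).
# The two "WolfCyber" cases and "Hacking Team (Memento Labs)" mirror the
# examples the paper gives for its three matching conditions.
ISSWORLD_ORGS = ["WolfCyber Intelligence", "Memento Labs", "Nice", "ClearTrail"]
ARMS_FAIR_EXHIBITORS = [
    "WolfCyber Intelligence",        # exact match
    "WolfCyber",                     # ISSWorld name starts with this
    "Hacking Team (Memento Labs)",   # ISSWorld name appears in parentheses
    "Nice Coffee Supplies",          # prefix false positive on a generic name
    "ClearTrail  Technologies",      # extra whitespace; starts with ISSWorld name
    "Unrelated Defense GmbH",        # no match
]

PAREN_RE = re.compile(r"\(([^()]+)\)")


def normalize(name: str) -> str:
    """Collapse whitespace and case so trivial typographic differences do not
    break a match. Case folding is all this does: like the paper's program, it
    does not transliterate, so a Cyrillic or Chinese rendering of a firm's name
    still fails to match its Latin-script ISSWorld listing."""
    return " ".join(name.split()).casefold()


def match_rule(arms_name: str, iss_name: str) -> Optional[str]:
    """Return which of the three conditions links an arms-fair exhibitor to an
    ISSWorld organization, or None if none applies."""
    a, i = normalize(arms_name), normalize(iss_name)
    if a == i:
        return "exact"
    if a.startswith(i) or i.startswith(a):
        return "prefix"
    # Third condition, read from the paper's example: the ISSWorld name is the
    # parenthesized alias inside the arms-fair listing (assumed interpretation).
    for alias in PAREN_RE.findall(arms_name):
        if normalize(alias) == i:
            return "parenthetical"
    return None


def needs_manual_review(iss_name: str) -> bool:
    """Heuristic (this example's own, not the paper's): single-word names such
    as "Nice" or "Pegasus" are the kind the paper reports as producing
    ambiguous hits, so flag them for the manual cleaning step."""
    return len(normalize(iss_name).split()) == 1


def find_matches(iss_orgs: List[str], exhibitors: List[str]) -> List[Tuple[str, str, str, bool]]:
    """Cross-check every exhibitor against every ISSWorld organization.
    Each hit is (exhibitor, ISSWorld org, rule, flagged-for-review)."""
    hits = []
    for exhibitor in exhibitors:
        for org in iss_orgs:
            rule = match_rule(exhibitor, org)
            if rule is not None:
                hits.append((exhibitor, org, rule, needs_manual_review(org)))
    return hits


if __name__ == "__main__":
    for exhibitor, org, rule, review in find_matches(ISSWORLD_ORGS, ARMS_FAIR_EXHIBITORS):
        flag = "  <- check manually" if review else ""
        print(f"{exhibitor!r:32} ~ {org!r:26} via {rule}{flag}")
```

The “Nice Coffee Supplies” hit shows why the prefix rule alone over-matches generic names and why the authors’ manual cleaning pass is part of the method rather than an afterthought.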

The dataset also uses the resulting high/medium/low classification to identify the arms fairs with the most “high confidence” companies (i.e., at any given arms fair, which companies are likely to be attending primarily to market interception/intrusion capabilities?). To ensure the rigor of this coding (and of the confidence levels), two of the authors independently audited and compared results.

This methodology resulted in the following matches. The full list of companies is in the Appendix, and the full dataset with classifications can be found there.[21] The dataset is in a Google Sheet: https://docs.google.com/spreadsheets/d/1v3YvimIuj_UtJ8YcCpKDtDuKlu5QN04ajcB9C7dRqH4/edit?usp=sharing.

The dataset introduced here does not cover transactions. The authors assume that a company showing up at an arms fair or ISSWorld as an exhibitor (or sponsoring or sending speakers to ISSWorld) reveals the company’s willingness to enter the surveillance marketplace in that geographical region.

This paper is not an exhaustive survey of the intrusion/interception capability industry, but rather profiles an important nexus between this industry and traditional arms brokers. There are likely players missing from this dataset that do not frequent the arms fairs/ISSWorld conferences in the dataset, or that care more about their operational security (OPSEC) than about marketing at these two types of events, introducing a bias toward larger, globalized, and more general firms.

Matches can also have ambiguous results, especially if a company has a generic name (such as “Nice,” “Pegasus,” etc.). Where the authors were unable to determine whether the ISSWorld exhibitor was the same as the arms-fair exhibitor in a match, the firm was not included in the final dataset. The full log of unfiltered hits can be found in the “debuglog_with_all_matches” tab within the datasheet. While the authors have tried to consolidate acquisitions of companies, some company rebrandings (e.g., NSO/Q Cyber) remain separate. In these, and other, categories the authors encourage further investigation and additions to the dataset.

The confidence classifications (high/medium/low) and firm headquarters locations used here are also a composite of open-source research and feedback from trusted industry contacts. All high-confidence companies have been confirmed by multiple sources, while firms at other confidence rankings may show some discrepancy. In all cases, coding is conservative, and disagreement among sources or ambiguity is reflected in lower confidence levels.

Finally, the software used to generate matches searched only in English, and therefore missed Cyrillic or Chinese characters. On top of this, ISSWorld has historically been attended by far more Western firms than Chinese firms. Because of these two factors, and this paper’s conservative confidence classifications, the authors believe that the dataset woefully underreports the presence of Chinese companies in this space. China has made surveillance capabilities a key part of its Digital Silk Road initiative, providing training and surveillance support to interested partner countries.[22] “Assessing China’s Digital Silk Road Initiative,” Council on Foreign Relations, December 18, 2020, https://www.cfr.org/china-digital-silk-road. However, Chinese companies are not required to have an English name, and translations of Chinese names to English can be inconsistent.[23] “How to Find the Legal English Name of a Chinese Company,” SinoInspection.com, December 24, 2020, https://sinoinspection.com/find-legal-english-name-chinese-company/. Thus, the software for this dataset likely missed a few Chinese companies due to inconsistent translations. Chinese companies Huawei and ZTE do show up in the dataset, and they have track records of selling surveillance capabilities to telecommunication firms in Uganda and Iran, respectively.[24] Joe Parkinson, Nicholas Bariyo, and Josh Chin, “Huawei Technicians Helped African Governments Spy on Political Opponents,” Wall Street Journal, August 15, 2019, https://www.wsj.com/articles/huawei-technicians-helped-african-governments-spy-on-political-opponents-11565793017; Steve Stecklow, “Special Report: Chinese Firm Helps Iran Spy on Citizens,” Reuters, March 22, 2012, https://www.reuters.com/article/us-iran-telecoms-idUSBRE82L0B820120322. However, because the authors cannot say with high confidence that these firms were selling these capabilities at the arms fairs they attended, the authors left them out of further review.
Their attendance at arms fairs and ISSWorld can be found in the data visualization in Appendix A.

These factors, when taken collectively, suggest that there are likely far more companies operating in this market than the two hundred and twenty-four identified.

Main Findings

1. What firms are marketing interception/intrusion capabilities at arms fairs?

Of the two hundred and twenty-four organizations total (full list in the Appendix), fifty-nine are high-confidence matches. The authors assess that these companies are highly likely to market interception/intrusion technologies at any arms fair they attend. Some of these companies (like Croatia’s Pro4Sec and India’s ClearTrail) advertise lawful interception services on their websites for military, law-enforcement, and intelligence-agency clients.[25] “About Pro4Sec,” PRO4SEC Ltd., February 16, 2021, https://pro4sec.com/about/; “Communication Data Analytics—ClearTrail,” ClearTrail Technologies, August 17, 2021, https://clear-trail.com/. Others (like Italy’s Area s.p.a and Germany’s Wolf Intelligence) have vague websites or no websites at all, but have been called out by news outlets for selling interception/intrusion tools.[26] Lorenzo Franceschi-Bicchierai, “Italian Cops Raid Surveillance Tech Company Accused of Selling Spy Gear to Syria,” VICE, December 1, 2016, https://www.vice.com/en/article/gv5knx/italian-cops-raid-surveillance-tech-company-area-spa-selling-spy-gear-to-syria; Lorenzo Franceschi-Bicchierai, “Government Spyware Vendor Left Customer, Victim Details Online for Everyone to See,” VICE, October 24, 2018, https://www.vice.com/en/article/vbka8b/wolf-intelligence-leak-customer-victim-data-online.

The twenty-two medium-confidence companies are somewhat likely to promote interception/intrusion technology at an arms fair. These twenty-two companies all offer interception/intrusion technology, but it is not their primary product or service. For example, companies like France’s Deveryware offer forensics solutions, geolocation, and data analytics, and may be marketing any one (or all three) of these services at any given time.[27] “Deveryware—Technologies Leader in Investigation and Services for Global Security,” Deveryware, July 11, 2021, https://deveryware.com/?lang=en.

The one hundred and forty-three low-confidence companies are far less likely to promote interception/intrusion technology at an arms fair. Some of these companies are formal defense contractors (like BAE and Raytheon) that offer both interception/intrusion capabilities and traditional military or law-enforcement equipment. There were also other kinds of companies on the list, including telecommunications firms (like China’s Huawei and ZTE) and smaller firms selling defensive and/or tangential cybersecurity products. The authors exclude these organizations in some parts of the piece to prioritize high/medium-confidence companies, but the fact that these organizations have been to both ISSWorld and an arms fair is worth continued analysis in future pieces.

How has this evolved over time? 

Of the companies that have sent representatives to ISSWorld, the subset that has also attended arms fairs as exhibitors is largely increasing over time, likely due to the increasing number of surveillance firms entering the market. The two hundred and twenty-four total matches consist of 0.21 percent of the total arms-fair exhibitors, but 28.96 percent of the ISSWorld speaker/sponsor organizations. In other words, almost three in ten companies from the dataset that have sponsored or sent individuals to speak at an ISSWorld conference have also been an exhibitor at an arms fair in the last twenty years.

Number of ISSWorld Matches by Arms Fair Attendances in a Given Year

As the heatmap below shows, most of these companies have attended either an arms fair or ISSWorld between the years 2009–2020, likely because many of these companies were not founded, or were not offering offensive cyber capabilities, prior to 2009.[28] “Our Story,” JENOVICE Cyber Labs, accessed September 21, 2021, https://www.jenovice.com/. The steep drop in 2020–2021 is due to a lack of conference data, rather than a lack of players. There does not seem to be a preference toward one type of conference or the other within the industry. This is likely because, while surveillance companies have expanded into the military space, ISSWorld has also significantly expanded its focus to invite military and intelligence organizations.


In fact, the number of companies that attend both an ISSWorld conference and an arms fair in a single year has stayed fairly consistent, relative to the total number of firms, over the last ten years. Between 2009 and 2020, between 20–40 percent of companies, on average, attended both an arms fair and an ISSWorld conference in the same year.

2. What companies are marketing interception/intrusion capabilities outside their headquartered region?

This question focuses only on the high/medium-confidence companies, as the authors cannot assess with enough certainty whether the low-confidence companies have been marketing these capabilities at arms shows. For the high/medium-confidence companies, the data show a general willingness to market interception/intrusion capabilities internationally, even to foreign countries that have no established intelligence relationships or alliances with the company’s home country.

Nearly 75 percent of the eighty-one high/medium-confidence companies have exhibited their wares at arms fairs outside their home region in the last twenty years. More than 85 percent have exhibited at an arms fair outside their home country in the last twenty years. This excludes the two firms headquartered in Five Eyes countries that have only been to arms shows in a Five Eyes country. (The full list of the sixty firms is in the Appendix.) When broken down by year, this trend remains consistent: of all the firms marketing at arms fairs in a given year, more firms market at arms fairs outside their continent than restrict sales to their own continent or country.

Number of surveillance companies marketing at arms fairs outside their country or continent

“What used to be a ‘nobody but us’ system—in which cyber capabilities were difficult to develop and the prerogative of a limited number of states—has evolved into a ‘pay-to-play’ model in which any government, adversary or ally, may gain access to offensive cyber capabilities if it can hire the right firm.”

Above is a visualization of the arms fair marketing data over time, demonstrating a clear globalization trend. The unidirectional lines represent firms from one country travelling to an arms fair in another country in a single year, and the thickness of each line represents the number of companies making that trip. The visualization excludes lines between Five Eyes countries. As the visualization shows, many of the trips made over the previous twenty years by vendors in this space consistently involve Europe and the Middle East. The number and variety of trips are also growing, revealing partnerships between countries that have no formal intelligence alliances. As companies travel and market to new continents and new states, the already worrying proliferation of offensive cyber capabilities may accelerate.
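As an added illustration of the matching logic, the “outside home country/region” rule with its Five Eyes exception, and the per-year travel edges used in the visualization above (example code written for this page, not the report’s own code; all firms, venues, years and the country-to-region table are constructed):

```python
# Added example, not the report's own code: all data below is constructed.
from collections import Counter

FIVE_EYES = {"US", "UK", "CA", "AU", "NZ"}
# Assumed region table; a real analysis would map every country in the data.
REGION = {"US": "NA", "CA": "NA", "UK": "EU", "FR": "EU", "DE": "EU",
          "RU": "EU", "IL": "ME", "AE": "ME", "CN": "AS"}
# Constructed firm -> headquarters country.
FIRMS = {"AlphaIntercept": "UK", "BetaForensics": "IL",
         "GammaSIGINT": "US", "DeltaTelecom": "CN"}
# Constructed ISSWorld speaker/sponsor appearances: (firm, year).
ISSWORLD = [("AlphaIntercept", 2015), ("BetaForensics", 2016),
            ("GammaSIGINT", 2016), ("GammaSIGINT", 2017),
            ("BetaForensics", 2018)]
# Constructed arms-fair exhibitor records: (firm, year, host country).
ARMS_FAIRS = [("AlphaIntercept", 2015, "US"), ("AlphaIntercept", 2017, "FR"),
              ("AlphaIntercept", 2018, "DE"), ("BetaForensics", 2016, "AE"),
              ("BetaForensics", 2018, "RU"), ("GammaSIGINT", 2016, "CA"),
              ("DeltaTelecom", 2017, "CN"), ("UnmatchedCorp", 2017, "FR")]

def matched_firms(firms, issworld, arms_fairs):
    """The report's 'matches': firms seen in both datasets, with their HQ."""
    both = {f for f, _ in issworld} & {f for f, _, _ in arms_fairs}
    return {f: firms[f] for f in both if f in firms}

def is_outside(hq, host, level):
    """True if a fair in `host` is outside the HQ at `level` ('country' or
    'region'). Five Eyes to Five Eyes trips count as domestic, which is how
    the report sets aside its two Five Eyes-only firms."""
    if host == hq or (hq in FIVE_EYES and host in FIVE_EYES):
        return False
    return level == "country" or REGION[host] != REGION[hq]

def outside_share(matched, arms_fairs, level):
    """Fraction of matched firms with at least one outside trip."""
    hits = sum(any(is_outside(hq, host, level)
                   for f, _, host in arms_fairs if f == firm)
               for firm, hq in matched.items())
    return hits / len(matched)

def travel_edges(matched, arms_fairs, year):
    """Directed hq -> host trip counts for one year; same-country and Five
    Eyes internal edges are dropped, as in the visualization."""
    return dict(Counter((matched[f], host) for f, y, host in arms_fairs
                        if y == year and f in matched
                        and is_outside(matched[f], host, "country")))

def same_year_share(matched, issworld, arms_fairs, year):
    """Share of matched firms active in `year` that did both event types."""
    iss = {f for f, y in issworld if y == year and f in matched}
    fair = {f for f, y, _ in arms_fairs if y == year and f in matched}
    return len(iss & fair) / len(iss | fair) if iss | fair else 0.0
```

On the constructed data, GammaSIGINT (US headquarters, Canadian fair only) is the analogue of the Five Eyes-only firms the report sets aside, so it never counts as marketing outside its home country or region.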

Any capabilities sold to non-allied countries carry a risk: these capabilities could eventually be used to target individuals and organizations in one’s home country. This risk has notably played out in the Project Raven case, in which the US contractor CyberPoint built up cyber capabilities in the United Arab Emirates. Subsequently, the Emirati government used those capabilities to spy on US citizens, among others.29Bing and Schectman, “Inside the UAE’s Secret Hacking Team of American Mercenaries.” CyberPoint and its Emirati successor DarkMatter (which took over the Project Raven program) are both featured in this dataset. Both organizations marketed at ISSWorld Middle East and at arms fairs within the UAE—CyberPoint from 2013–2015, and DarkMatter from 2016–2017.

Read more from the Cyber Statecraft Initiative on the proliferation of offensive cyber capabilities

The Offensive Cyber Proliferation report reframes the narrative of cyber capability proliferation to be more in line with the life cycle of cyber operations as a whole, rather than attempted export controls on intrusion software, with a particular emphasis on malware components. It presents five pillars of offensive cyber capability: vulnerability research and exploit development, malware payload generation, technical command and control, operational management, and training and support.

The Offensive Cyber Proliferation report profiles the “Access-as-a-Service” (AaaS) industry, a significant vector for the proliferation of OCC, as a means of both illustrating the character of this proliferation and investigating policies to counter it. The report uses three case studies to derive several policy recommendations for states to better understand the proliferation of OCC, shape the behavior of these companies, and limit their activities where they conflict with national security priorities, together with international partners.

3. Which arms fairs (and arms fair host countries) host the most high/medium-confidence firms?

While the two hundred and twenty-four companies in the dataset hail from thirty-three separate countries, most of the companies congregate at a smaller number of arms fairs, many of which are located in Europe. Milipol France and Security & Policing Home Office (based in the UK) are the two most widely attended arms fairs for the high/medium-confidence firms selling interception/intrusion capabilities. This is likely due to size and specialization, respectively. Milipol France is one of the world’s largest arms fairs, with more than one thousand exhibitors, while Security & Policing has a track dedicated to cybersecurity.30“Milipol Paris 2021: Leading Event for Homeland Security & Safety,” Milipol France, https://en.milipol.com/; “2021 Exhibitors Archive,” Security and Policing UK, https://www.securityandpolicing.co.uk/exhibitors/exhibitors-list-2021/.

France and the UK are therefore the top countries where high/medium-confidence firms congregate, mostly due to the two aforementioned conferences. Germany, Singapore, Al, and Israel are also common destinations for high/medium-confidence firms, while the United Arab Emirates and the United States play host to more organizations overall, thanks to a variety of smaller arms fairs.

4. What companies are selling interception/intrusion capabilities to US and NATO adversaries?

Five of the eighty-one high/medium-confidence firms have attended arms fairs in Russia and China as exhibitors in the last twenty years. This excludes any firms also headquartered in Russia and China. For example, Norsi Trans is a high-confidence Russian company that attended Russian arms fairs in 2009, 2010, 2015, 2016, 2017, 2018, and 2019. The authors believe that by selling to these parties, these organizations are willing to accept or ignore the risk that their products may bolster the capabilities of adversary governments, which may use those products to conduct espionage more effectively. For example, Cellebrite, a well-known Israeli firm, has consistently been an exhibitor at arms fairs in both China and Russia from 2013 onward, and is the only firm in the dataset to attend a Chinese arms fair multiple times in the last five years. Cellebrite, which sells software to physically extract and index files from mobile devices, is known to have both Chinese and Russian customers.31“Exploiting Vulnerabilities in Cellebrite UFED and Physical Analyzer from an App’s Perspective.”

Some of the other companies in the tables below have received less media attention than Cellebrite, yet are no less concerning. BTT is a Turkish firm that has assisted Turkish law enforcement through call-detail record collection.32“BTT Provides State of the Art Solutions for Turkish Government,” Defence Turkey Magazine, 2009, https://www.defenceturkey.com/en/content/btt-provides-state-of-the-art-solutions-340. In a 2017 Al Jazeera investigation of the spyware market, BTT representatives claimed to use a wide interpretation of “telecommunications equipment” in order to circumvent export-control paperwork.33“How the ‘Dual-Use’ Ruse Is Employed to Sell Spyware,” Al Jazeera, April 10, 2017, https://www.aljazeera.com/features/2017/4/10/how-the-dual-use-ruse-is-employed-to-sell-spyware. MSAB, a firm that has also marketed in both Russia and China, sells mobile forensics products that have been used against activists in Hong Kong and Myanmar.34Hannah Beech, “Myanmar’s Military Deploys Digital Arsenal of Repression in Crackdown,” New York Times, March 1, 2021, https://www.nytimes.com/2021/03/01/world/asia/myanmar-coup-military-surveillance.html.

Conclusions and Recommendations

This paper profiled a vital set of firms that frequent both ISSWorld and international arms fairs, extracted from an extensive list of vendors operating in the interception/intrusion market. The data from that list show that there are multiple firms headquartered in Europe marketing capabilities to known Five Eyes/NATO adversaries. Many of these firms congregate at Milipol France, Security & Policing UK, and other arms fairs within Europe and the Middle East.

For researchers interested in unveiling the workings of the industry, the authors hope their data and findings can spur further research in this area. And while they do not claim that this is a complete list of potentially irresponsible vendors, or that all identified companies are, in fact, selling indiscriminately, it is a place to start for regulators interested in tightening control over the industry.

Additional research is needed into some of the lesser-known high/medium-confidence companies in this dataset to uncover their actual products and sales. Publicly marketed products and actual capabilities can differ, and marketing material offers limited insight into both the content and the direction of actual sales. Case studies and media reporting have previously shown that some companies on this list have a history of transactions with authoritarian regimes, and that some attempt to evade export controls.35Ibid.; “How the ‘Dual-Use’ Ruse Is Employed to Sell Spyware.”

The United States and NATO need to better understand the proliferation of interception/intrusion capabilities; shape the behavior of irresponsible proliferator companies; and limit their activities where they conflict with national security priorities, together with international partners. This work builds on prior research and on the understand, shape, and limit framework published earlier this year.36DeSombre, et al., Countering Cyber Proliferation. The following recommendations are meant to address the growing nation-state market for intrusion/interception capabilities and other forms of surveillance products, rather than all cyber capability proliferation.

To understand the current state of intrusion/interception capability proliferation, the United States and NATO member states must work with the companies headquartered in their jurisdictions to encourage sufficient know-your-customer (KYC) policies. Those policies should also shape the behavior of firms, giving firms the power to revoke a customer’s access should the risks associated with that customer change. Implementing these policies is both technically difficult (the customer may reverse engineer and recreate the capability after the service has been revoked, for example) and difficult to enforce (especially for private companies, whose internal dealings are more opaque than those of their publicly traded counterparts). However, working with these organizations whenever possible, rather than against them, will allow governments to develop more collaborative solutions for regulation, while continuing to encourage domestic cyber expertise.

The United States and NATO members should also work more closely with arms fairs held in their jurisdictions to ensure they are aware of any exhibitors that are irresponsible proliferators—i.e., those selling to US/NATO adversaries—and limit their ability to attend when possible. Arms fair organizers should be encouraged to ban or restrict irresponsible proliferators who directly market their capabilities to known adversaries, or who have known clients in authoritarian regimes and no KYC policies.

Lastly, the United States and NATO members must ensure their export controls actually accomplish what they are intended to do, evaluating both their own export laws and the export laws of nations where irresponsible proliferators are headquartered. The review should lead to a collaborative process with offending countries like Israel, Sweden, and Turkey to both tighten checks around known irresponsible vendors and close loopholes enabling those vendors to circumvent these export controls. Naming and shaming both the vendors and the regimes abusing vendor capabilities to conduct human-rights violations is also encouraged.Ibid.

The proliferation of cyber and surveillance capabilities is a thorny policy issue. Preventing the harms caused by this industry is an important policy goal, and should be treated as such. Still, attempts at regulating the industry through export regulation and other schemes have had limited success so far. On top of this, this analysis indicates that there is a significant group of private companies willing to act irresponsibly: marketing capabilities that carry the risk of becoming tools of oppression for authoritarian regimes or strategic tools for non-NATO allies. The United States, NATO, and their allies still have policy instruments they can use to prevent privately developed offensive cyber capabilities from spreading irresponsibly. The continued absence of an assertive policy response risks a grim outlook: a growing number of private corporations that see few consequences, and only profit, in boosting the cyber arsenals of major Western adversaries.

Appendices

Appendix A:

Appendix B:

List of high/medium-confidence companies

The full list, including low-confidence companies, can be found here

The Proliferation of Offensive Cyber Capabilities

The proliferation of offensive cyber capabilities (OCC) presents an expanding set of risks to states and challenges commitments to protect openness, security, and stability in cyberspace. As these capabilities continue to proliferate with increasing complexity and to new types of actors, the imperative to slow and counter their spread only strengthens. But to confront this growing menace, practitioners and policymakers must understand the market and the incentives behind it.

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.
