Is it possible to regulate cyberweapons?

Activists are calling for increased government regulation after an enormous data breach at an Italian technology firm revealed that it was selling offensive cyberweapons to violently repressive world governments. 

Hacking Team, which saw 400GB of its internal documents dumped online on Sunday, sells cyberweapons to governments, including the United States and Mexico. The controversy surrounding the company, however, stems from its sales to states like Russia, Ethiopia, and Sudan despite international sanctions and an increased likelihood that Hacking Team’s tools are being used for illegal activity and to silence dissenting voices.

The multibillion-dollar offensive-hacking industry has received criticism for years as high-tech Western firms continue to sell weapons—software that lets users take over phones and computers, crack encryption, and listen in on conversations—to countries that engage in human-rights abuses.

“This is an industry that has failed to police itself,” Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU), told the Daily Dot. “These companies are not interested in voluntary restrictions in who they can and cannot sell to, and even then they’ll stretch and break rules.”

Soghoian advocated multinational regulations to limit the export of offensive technology, similar to the laws currently on the books governing the sale of physical weapons, as a way to hold governments and companies more accountable for their use of cyberweapons.

Regulation of a cutting-edge arena like computer security brings myriad risks, however, and even those in favor of regulation are urging caution and narrowness in whatever legislation is passed.

“It’s possible to regulate in this area,” Danny O’Brien, international director at the Electronic Frontier Foundation (EFF), said. “The challenge is drafting regulations that don’t affect legitimate security researchers, in particular the security research that spots and fixes the flaws that companies like Hacking Team exploit.”

Robert Graham, a libertarian security expert, offered pointed criticism earlier this year of the EFF’s proposals on hacking regulation, warning that “regulating ‘evil’ software can have unintended consequences on ‘good’ software, that preventing corrupt governments from buying software also means blocking their dissidents from buying software to protect themselves.”

Last year, Canadian researchers known collectively as Citizen Lab showed that Hacking Team’s products were being used by the Ethiopian government to target journalists in the United States. New regulation might prohibit sales by Hacking Team but, if not properly written, a new law could just as easily prohibit the legitimate research by Citizen Lab and its international research partners.

O’Brien warned against using antiquated regulation ideas in the very different world of the Internet.

Old regulation, for instance, is designed to kick in at borders, but the reality of the Internet, a global communications network, means that even a simple email could break a poorly written law, O’Brien says. “Deemed export” laws could make it illegal to share certain software even without crossing a border, if a law forbids sharing knowledge with a foreign national who is within the borders of the U.S.—something that happens every day in legitimate security research.

“These are weird artifacts of taking a legal system that’s supposed to be about stopping physical objects that can be used in chemical warfare or nuclear weapons,” O’Brien said, “and then applying that to software, these very ethereal products that you can’t just check people’s luggage at the border to discover whether they’re exporting.”

Hacking Team’s industry has grown significantly in recent years. Blue Coat, a rival offensive hacking company known for its censorship technology, grew from $1.3 billion in value in 2011 to $2.4 billion in 2015.

“We know from investigations by Citizen Lab that these tools are used to target human-rights activists and pro-democracy supporters at home and abroad,” Eric King, deputy director of Privacy International, said in a statement responding to the breach of Hacking Team. “Surveillance companies like Hacking Team have shown they are incapable of responsibly regulating themselves, putting profit over ethics, time after time. Since surveillance companies continue to ignore their role in repression, democratic states must step in to halt their damaging business practices.”

Graham and O’Brien both agree that there’s likely no way to stop this kind of trade completely. Graham’s own security products, built at his company Errata Security, have ended up in the hands of countries that aren’t supposed to have them, he explained, because legal middlemen can buy and resell to skirt whatever rules are in place.

“The technology’s reach is very broad,” the Electronic Frontier Foundation reported. “Governments can listen in on cellphone calls, use voice recognition to scan mobile networks, read emails and text messages, censor webpages, track one’s every movement using GPS, and can even change email contents while en route to a recipient.”

Even the security industry itself—never mind legislators—isn’t sure how to proceed.

“I know that I’m asking more questions than giving answers,” O’Brien said, laughing.

“You need some sort of global restraint on these kind of sales, you have to make sure it doesn’t affect legitimate security research, and you have to address this open question: Are we worried just because these tools are being used by dictatorships, or are we also worried about how they’ll be used by Western democracies?”

Before any government is likely to act, however, the hacker who blew open the doors on Hacking Team says she’ll strike again. Last year, a similar breach hit U.K.-based Gamma International, another offensive hacking company that sells cutting-edge spyware to repressive Middle Eastern regimes.

The rest of the industry is on notice.

Photo via Tristan Nitot/Flickr (CC BY 2.0) | Remix by Jason Reed

Patrick Howell O'Neill

Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016. I am a cybersecurity journalist at CyberScoop. I cover the security industry, national security and law enforcement.