Blog post -
Spyware for sale: what happens next?
Pegasus is a type of spyware developed by the Israeli cyber-arms firm NSO Group and sold to governments and other customers around the world. While NSO has stated that it provides ‘authorized governments with technology to combat terror and crime’, its use has proved controversial since its creation.
When reports recently emerged of activists, journalists and lawyers being targeted by this malware, it raised a host of ethical and moral questions around the impact of spyware and how it might affect the world – and individual human rights – in the future.
Here, our global CTO, Ollie Whitehouse, explores what governments and the security industry need to consider next.
“The use of commercial offensive tooling by governments, particularly for non-statecraft activities, raises a broad spectrum of questions around human rights, producer responsibility and vulnerability disclosure – none of which are easy to answer.
“One key dilemma concerns corporate governance. Where does producer responsibility end, and consumer responsibility begin? NSO's defence is that they cannot control what customers choose to do with their technology. And in other sectors we'd accept this line of reasoning – like the automotive industry. But when individual human rights could be impacted, should organisations like NSO be expected to have visibility of their full supply chain? And will commercial organisations be prepared to forgo revenue in the face of ethically questionable customer usage? Change would have to come in the form of regulation.
“This incident also raises the issue of vulnerability disclosure. Is it practical to control or influence organisations that identify and exploit vulnerabilities rather than reporting them so they can be remedied? Probably not, is the answer, in a globally interconnected world. As such we must accept and assume vulnerability and exploitation. Accepting we can’t control means that our approaches to cyber defence will change and focus on workable outcomes as opposed to trying to stem proliferation.
“The trend of selling offensive-cyber-as-a-service will continue. As such, the international community, governments and the cyber security industry need to step back and discuss and consider workable resilience solutions – and these conversations need to happen sooner rather than later.”