Nation-states’ “permissive” behaviors have contributed to the proliferation and abuse of offensive cyber tools and services, according to two British think tanks.
The Royal United Services Institute for Defence and Security Studies (RUSI) and the Royal Institute of International Affairs (aka Chatham House) have both published research that analyzed the use and misuse of spyware, hack-for-hire services and other cyber intrusion tools.
They identified a range of ‘non-state proliferating factors’ (NPFs) and ‘state permissive behaviors’ (SPBs) as the primary reason behind the proliferation of such commercial hacking tools.
They also published a list of recommendations for nation-states to implement at the national and international levels in order to mitigate the misuse of such tools and services.
State-Permissive Factors Behind Cyber Intrusion Proliferation
RUSI researchers identified five categories of factors explaining the proliferation of commercial hacking tools:
- Regulation of corporate structure and governance
- Legal frameworks for product development, sale and transfer
- Diplomatic support and engagement
- Development of cyber-security ecosystem and workforce
- Integration with defense and security industrial base
Drawing on this categorization work, they compiled a list of 10 SPBs, which included:
- Inadequate regulation or enforcement of corporate ethics and corporate social responsibility procedures
- Lack of transparency on corporate ownership and transnational subsidiaries
- Inadequate export controls, internal and/or insufficient training or guidance
- Lack of effective vulnerabilities equities process, notification or disclosure processes, and/or insufficient legal protection for researchers
- State actors may deploy offensive-cyber firms as a means of establishing or strengthening diplomatic relationships
- State entities may cover up, downplay or inadvertently encourage the use of hackers-for-hire
- Lack of engagement or regulation to promote the adoption of bug bounty programs, hackathons, 'capture the flag' contests or other forms of paid vulnerability research
- Possible gaps in cyber-security and STEM education policy
- Application of unwieldy or inappropriate export and security policies to new technologies
- Uncompetitive remuneration and lack of controls on career trajectories, post-deployment travel or intellectual property restrictions
Additionally, the researchers also outlined a list of nine non-state factors.
Some of these factors came from the nature and operations of cyber intrusion tool providers (e.g. lack of checks and balances, complex corporate structure), while others were the result of the vulnerability disclosure landscape (e.g. lack of training and incentives for vulnerability researchers, who sometimes end up selling to black or grey markets).
Principles for State Approaches to Cyber Intrusion Capabilities
Chatham House researchers drew a list of eight principles to improve the global scrutiny of cyber intrusion tools and services:
- States should align their approaches across markets for commercial cyber intrusion capabilities, including as customers and users, investors, detectors and defenders, and regulators
- States should separate markets for permissioned cyber intrusion from markets for ‘unpermissioned’ (i.e. unlawful) cyber intrusion as far as possible
- States should stimulate markets for permissioned use of commercial cyber intrusion capabilities
- States should not engage commercial actors to independently conduct ‘unpermissioned’ cyber intrusion on their behalf
- States should be transparent in acknowledging ‘unpermissioned’ cyber intrusion for military, national security and law enforcement purposes
- States should integrate their practices of ‘unpermissioned’ intrusion with their efforts to improve anti-corruption, security governance and the rule of law
- States should adopt OECD principles for government access to data, along with UN norms of responsible state behavior, as minimum standards in their practices of ‘unpermissioned’ intrusion
- States should apply, at a minimum, equally high standards to internal development and interstate transfer as they do to commercial activities
The researchers acknowledge that alongside misuse and abusive usage, commercial cyber tools and services have many legitimate applications.
These principles aim to separate what they call permissive and unpermissive use, “therefore enabling the stimulation of one market and not the other.”
“These principles do not fit neatly within any existing policy initiative on commercial cyber intrusion capabilities,” the RUSI and Chatham House researchers concluded.
“Rather, they are of relevance across multiple processes. At the UN, the Open-Ended Working Group on the security of and in the use of information and communications technologies is likely to include discussions on commercial cyber intrusion capabilities in the near future, while the use of such capabilities by law enforcement agencies makes them clearly relevant to the UN Ad Hoc Committee on cybercrime.”