The Dual-Use Dilemma: Insights from the Arms Fair
It’s not typically seen as an act of defiance. But when Loujain Alhathloul got behind the wheel in 2014, that’s exactly what it was. She pledged to drive from the United Arab Emirates (UAE) into the Kingdom of Saudi Arabia in protest of the kingdom’s ban on women driving.
Alhathloul had moved back to Saudi Arabia in 2013 after studying at the University of British Columbia. During her time in Canada, Alhathloul expressed her opinion that the Saudi driving ban should be lifted, her sister told NPR. So, she moved back to the kingdom to put some horsepower behind her words.
Alhathloul made it to the border before being detained and imprisoned for 73 days. The incident, however, did not dissuade her. Alhathloul continued her activism before being arrested by kingdom authorities again in 2018, just days before the country lifted the prohibition on women driving. But this time she would be accused of passing information to journalists and foreign diplomats, as well as attempting to change the Saudi legal system, and she was sentenced to five years and eight months in prison for violations of the kingdom’s counterterrorism law.
In May 2021, under pressure from the United States to review relations in response to its human rights record, Saudi Arabia released Alhathloul from prison. In December 2021, the Electronic Frontier Foundation (EFF) filed a lawsuit in the U.S. District Court of Oregon, Portland Division, on her behalf against software maker DarkMatter Group and three of its former executives for hacking Alhathloul’s iPhone to track her communications and whereabouts, information that was passed on to the UAE security services. (Loujain Hathloul Alhathloul v. DarkMatter Group, et al., U.S. Dist. Ct. of Oregon, No. 3:21-cv-01787-IM, 2021)
Providing this information to the UAE allegedly led to Alhathloul’s detainment, imprisonment, and torture in Saudi Arabia. The lawsuit also claimed that Alhathloul continues to have severe restrictions on her freedom of movement, in violation of her fundamental rights.
“No government or individual should tolerate the misuse of spy malware to deter human rights or endanger the voice of the human conscience,” Alhathloul said in a statement. “This is why I have chosen to stand up for our collective right to remain safe online and limit government-backed cyber abuses of power.”
The lawsuit is just one of a variety of actions and efforts that came to fruition in 2021 to provide more insight and accountability for how cyber capabilities—including interception and intrusion capability technologies—are being sold by private companies and used by public sector actors.
The market for these technologies has grown considerably, with an increasing number of vendors selling to law enforcement, governments, and intelligence services. While some of these vendors act responsibly, others are selling their products to actors that could use them to harm the vendor’s home country or private citizens.
Recent research published by the Atlantic Council’s Scowcroft Center for Strategy and Security highlighted this dichotomy. It found that multiple firms in Europe and the Middle East are marketing cyber interception and intrusion capabilities to U.S. and North Atlantic Treaty Organization (NATO) adversaries.
“The authors found that 75 percent of companies likely selling interception/intrusion technologies have marketed these capabilities to governments outside their home continent,” according to Surveillance Technology at the Fair: Proliferation of Cyber Capabilities in International Arms Markets. “Five irresponsible proliferators—BTT, Cellebrite, Micro Systemation AB, Verint, and VASTech—have marketed their capabilities to U.S./NATO adversaries in the last 10 years.”
[Pull-out: cost per target device in 2016 to use Pegasus spyware from NSO Group]
To reach those conclusions, the researchers analyzed exhibitor lists for ISS World Training, a trade show for lawful interception and intrusion products, cross-referenced with the Omega Research Foundation’s Arms Fair database, says Johann Ole Willers, a PhD fellow at the Copenhagen Business School and a co-author of the Atlantic Council research.
The researchers looked at vendors’ attendance at ISS World and various arms fairs, along with their product offerings and the location of the arms fairs where vendors advertised relative to their headquarters. The researchers used this process to identify marketing practices, not actual sales, Willers adds.
They then confirmed with “high confidence” that at least 59 companies are “highly likely to market interception/intrusion technologies at any arms fair they attend,” according to the paper. “Some of the companies (like Croatia’s Pro4Sec and India’s ClearTrail) advertise lawful interception services on their websites for military, law enforcement, and intelligence agency clients. Others (like Italy’s Area s.p.a and Germany’s Wolf Intelligence) have vague websites or no websites at all, but have been called out by news media for selling interception/intrusion tools.”
Micro Systemation AB (MSAB) CEO Joel Bollö says he has not read the Atlantic Council report in full, but he denies that the company is an irresponsible proliferator or that it has marketed its products to U.S./NATO adversaries.
“We sell to law enforcement, not to military regimes,” he adds, explaining that as a Swedish company, MSAB follows Swedish export control laws for selling its products, including mobile forensics software for timely access.
Bollö says that MSAB sells its products only to government entities in countries permitted by the European Union, including Australia, Japan, North America, and Singapore, and only where the customer has a legal right to access devices—such as when law enforcement seizes a suspect’s phone during an investigation.
MSAB has also voluntarily withdrawn its business from certain regions and can take measures to blacklist its technology should the company become aware that it is in the hands of an unauthorized user.
For instance, Bollö says that MSAB withdrew its business from Hong Kong after the British ceded control of the region to China and the People’s Republic of China began to overhaul Hong Kong’s democratic practices.
“In Hong Kong, a regime shifted fast, and we can’t go in and bring back our tools—that’s not something we can do,” Bollö says. “But what we can do is we can make sure that the product cannot be updated. It won’t work anymore. And we can blacklist it, so if software comes from somewhere else it will make it impossible to work with that device as well.”
Three of the other named actors in the report, BTT, Cellebrite, and VASTech, did not return requests for comment. A spokesperson for Verint said that in 2021, the company split to form a sister company—Cognyte—which is the focus of the report and that Verint is not involved. Cognyte did not return requests for comment.
The reasons why the market for these tools has grown vary, but Willers says it is partially in response to rising costs associated with them and a shift away from law enforcement customers to government agencies and intelligence firms.
“Law enforcement has a problem of finding the money to buy these products, so naturally, as a company capable of delivering them, they would turn elsewhere,” Willers adds. “The military and intelligence agencies have deeper pockets than the police.”
For example, NSO Group’s Pegasus spyware was reportedly sold for $500,000 per target device in 2016. That’s too expensive for many law enforcement agencies with tighter purse strings, Willers explains, so companies seek out other clients.
Many companies would consider these alternative customers legitimate, but the researchers highlighted that when “these firms begin to sell their wares to both NATO members and adversaries, it should provoke national security concerns for all customers.”
For instance, in September 2021, the U.S. Department of Justice (DOJ) entered a deferred prosecution agreement with three former U.S. intelligence community and military personnel—the same executives named in Alhathloul’s suit—who worked as senior managers for a UAE-based company to carry out hacking operations for the UAE government between 2016 and 2019, a violation of the International Traffic in Arms Regulations.
“These services included the provision of support, direction, and supervision in the creation of sophisticated ‘zero-click’ computer hacking and intelligence gathering systems—i.e., one that could compromise a device without any action by the target,” the DOJ said. The company “employees whose activities were supervised by and known to the defendants thereafter leveraged these zero-click exploits to illegally obtain and use access credentials for online accounts issued by U.S. companies, and to obtain unauthorized access to computers, like mobile phones, around the world, including in the United States.”
Instances like this point to a problem of an unregulated and unclear marketplace for intrusions, the authors of the Atlantic Council report explained.
“While offensive cyber capabilities are helpful for law enforcement and border protection, the dual-use nature of many of these capabilities provides opportunity for malicious employment as well, especially when the capabilities are sold to authoritarian actors,” they wrote.
To help curb this activity, Willers and his co-authors—Winnona DeSombre and Lars Gjesvik—said more research needs to be done on the marketplace, especially on Chinese vendors’ activities. They also recommended that companies implement know-your-customer policies, that arms fairs limit irresponsible proliferators’ attendance at events, that export-control loopholes be tightened, and that irresponsible vendors and customers be named and shamed.
Action on some of these fronts is already happening and is encouraging, Willers says. For instance, in May 2021 the European Union approved its long-awaited Dual-Use Regulation that created new rules for cyber surveillance technology and export restrictions based on public security and human rights considerations. The regulation went into effect on 9 September 2021 and shows that the EU is formally detailing that “if you sell these products, then certain rules apply,” Willers says.
The United States is using a slightly different approach—what Willers describes as more akin to a “large hammer”—to send a “strong signal immediately” that certain activity will not be tolerated.
On 3 November 2021, the U.S. Commerce Department’s Bureau of Industry and Security added Israel’s NSO Group to its Entity List for developing and supplying spyware to foreign governments that used the technology to target academics, activists, businesspeople, embassy workers, government workers, and journalists. Organizations on the Entity List are prohibited from exporting, re-exporting, or conducting in-country transfers of items—including technology—that pose a significant risk to the national security or foreign policy interests of the United States.
The bureau said in a press release that these tools allowed foreign governments to conduct transnational repression to silence dissenters beyond their borders, threatening rules-based international order.
“The United States is committed to aggressively using export controls to hold companies accountable that develop, traffic, or use technologies to conduct malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials, and organizations here and abroad,” said U.S. Secretary of Commerce Gina M. Raimondo.
The U.S. Office of the Director of National Intelligence, along with the U.S. State Department, also issued a guide for consumers on how to protect themselves from commercial surveillance tools.
And that’s not the only action against NSO Group. In November 2021, Apple filed a lawsuit against NSO Group and its parent company to hold it accountable for surveilling and targeting Apple users with its Pegasus spyware.
“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple’s senior vice president of software engineering, in a statement. “Apple devices are the most secure consumer hardware on the market—but private companies developing state-sponsored spyware have become even more dangerous.”
Apple’s suit seeks a permanent injunction to ban NSO Group from using any of the company’s software, services, or devices.
Ultimately, Willers says there is no perfect solution to this problem because the industry will continue to exist. The important thing, he says, is “to define what is acceptable and what is not.”
The naming and shaming that has been targeted towards NSO Group has worked to some extent, Willers says. The U.S. government placed the company on its Entity List, and Israel also moved to limit the number of countries its companies can export products to.
“The big surprise will be if it is enough to draw a red line for other market actors,” Willers says. “There are other companies out there that might not be as big…but they’re not doing fundamentally different stuff.”
NSO Group did not return a request for comment on this story. DarkMatter could not be reached for this story.