On November 8, 2021, the Atlantic Council of the United States released a research report entitled Surveillance Technology Expo: The Proliferation of Cyber Capabilities in the International Arms Market. The report studied 224 companies that participated in arms exhibitions. Of these, 59 were assessed with high confidence to sell network monitoring products, 143 were assessed with moderate confidence to be network monitoring product manufacturers, and 22 were assessed with low confidence to be engaged in network monitoring product sales. The report seeks to answer three questions: which companies market interception and intrusion capabilities outside their headquarters regions; which arms trade fairs and countries attract most of these companies; and which companies sell interception and intrusion capabilities to U.S. and NATO adversaries? The report highlights that spyware and surveillance technology companies in Europe and the Middle East are selling intrusion software to the United States, its intelligence allies and NATO adversaries.
Which exhibitions do network monitoring manufacturers appear in?
Since much of the buying and selling of surveillance technology operates in the shadows, little research has been done on the industry as a whole. The report is based on arms exhibition exhibitor lists and targets vendors that have been active in providing interception and intrusion capabilities in the international surveillance market over the past 20 years. Many of these companies gather at Milipol in France, Security & Policing in the UK, and other arms fairs in the UK, Germany, Singapore, Israel and Qatar. The French International Military and Police Security Equipment Exhibition (Milipol) and the UK Home Office's Security & Policing event are the two arms exhibitions with the largest number of network monitoring manufacturers. This may be due to scale and specialization. Milipol is one of the largest arms exhibitions in the world, with more than a thousand exhibitors, while Security & Policing has a dedicated cybersecurity section.
National cyber capabilities are increasingly following a "pay-to-play" model: both the U.S. and its NATO allies and their adversaries can purchase interception and intrusion technology from private companies for intelligence and surveillance purposes, the study said. This points to an expanding trend of global proliferation of cyber capabilities. In addition, many companies in the surveillance and offensive cyber capabilities market have long justified their business models by pointing to the perceived legitimacy of their customers. However, their marketing strategy contradicts this claim.
Vendors of cyber surveillance products are increasingly looking to foreign governments to buy their wares, and policymakers have yet to fully recognize this emerging problem and have no effective response. Any cyber capabilities sold to foreign governments carry significant risks: these capabilities could be used against individuals and organizations in allied countries, or even individuals and organizations in their own countries.
The authors assessed with high confidence that a number of companies headquartered in Europe and the Middle East are marketing cyber interception and intrusion capabilities to adversaries of the United States and NATO. The authors also argue that these companies, which support tyrannical regimes and enhance the strategic capabilities of these countries, pose the greatest risk.
The report is full of prejudice against China and Russia
While the report provides a comprehensive overview of the intrusion and surveillance industry, the researchers point out that many more companies may exist. Because they searched in English, "the dataset significantly underestimates the presence of Chinese companies in this space." The study found that 75 percent of companies likely to sell interception and intrusion technology have marketed those capabilities to governments outside their home countries. Five irresponsible proliferators (BTT, Cellebrite, Micro Systemation AB, Verint, and Vastech) have exported their capabilities to U.S. and NATO adversaries over the past decade.
The report classifies these companies as potentially irresponsible proliferators because of their willingness to sell outside their home countries to governments that are not allies of the United States and NATO, particularly Russia and China. These companies have shown that they are willing to accept or ignore the risk that their products will enhance the capabilities of client governments, potentially threatening U.S. and NATO national security or harming marginalized populations.
The report makes four recommendations
The report concludes by recommending that the U.S. and NATO take four steps to address this unfavorable situation. The first is to establish know-your-customer (KYC) policies with companies in the field; the second is to work with arms exhibitions to limit the participation of irresponsible proliferators in these events; the third is to close loopholes in export controls; the fourth is to shame irresponsible suppliers and customers.
On November 3, the U.S. government announced sanctions on four major companies that develop and sell spyware and other hacking tools, including Israeli security firms NSO Group and Candiru, Russia's Positive Technologies and Singapore's Computer Security Initiative Consultancy (CSIC). On October 20, the U.S. Department of Commerce issued new export control regulations prohibiting companies from selling hacking tools to China, Russia and other countries unless they obtain permission from the Commerce Department.