Ahmed Mansoor is an internationally recognized human rights defender based in the Middle East and recipient of the Martin Ennals Award (sometimes referred to as a "Nobel Prize for human rights"), On August 10 and 11, 2016, Mansoor received an SMS text messages on his iPhone promising "new secrets" about detainees tortured if he clicked on an included link. Instead of clicking, Mansoor sent the messages to the Canadian Citizen Lab researchers. The researchers discovered that the links belong to an exploit infrastructure connected to the NSO Group, an Israeli-based "cyberwar" company that sells Pegasus, a government-exclusive "lawful intercept" spyware product.
Rafael Cabrera, a Mexican journalist, reported a conflict of interest involving the Mexican President and First Lady. On August 30, 2015, Cabrera received suspicious messages and was targeted. In 2017 in Mexico, the wife of a murdered Mexican journalist was also sent alarming text messages concerning her husband's murder, designed to trick her into clicking a link and infecting her phone with the Pegasus spyware. In 2018, a close confidant of Jamal Khashoggi was targeted in Canada by a fake package notification, resulting in the infection of his iPhone.
Mansoor and Cabrera are not the only victims. Citizen Lab has tracked and documented more than two dozen cases using similar intrusion and spyware techniques. We don't know the number of victims or their stories, as not all vectors are publicly known. Once spyware is implanted, it provides a command and control (C&C) server with regular, scheduled updates designed to avoid extensive bandwidth consumption. Those tools are created to be stealthy and evade forensic analysis, avoid detection by antivirus software, and can be deactivated and removed by operators.
Once successfully implanted on a victim's phone using an exploit chain like the Trident, spyware can actively record or passively gather a variety of different data about the device. By providing full access to the phone's files, messages, microphone, and video camera, the operator can turn the device into a silent digital spy in the target's pocket.
These attacks and many others that are unreported show that spyware tools and the intrusion business have a significant abuse potential and that bad actors or governments can't resist the temptation to use such tools against political opponents, journalists, and human rights defenders. Due to the lack of operational due-diligence of spyware companies, these companies don't consider the impact of the use of their tools on the civilian population nor comply with human rights policies.
The Commercial Spyware Abuse: A Global Problem
The growing privatization of cybersecurity attacks arises through a new generation of private companies, aka online mercenaries. This phenomenon has reached the point where it has acquired its own acronym, PSOAs, for the private sector offensive actors.
This harmful industry is quickly growing to become a multi-billion dollar global technology market. These newly emerging companies provide nation-states and bad actors the option to buy the tools necessary for launching sophisticated cyberattacks. This adds another significant element to the cybersecurity threat landscape.
These companies claim that they have strict controls over how their spyware is sold and used and have robust company oversight mechanisms to prevent abuse. However, the media and security research groups have consistently presented a different and more troubling picture of abuse.
Spyware tools are being sold to government clients, or in some cases, to private companies without appropriate controls over how it is employed by those clients. These tools are used to hack into the devices of civil society activists, journalists, lawyers, political opposition, and human rights defenders — with potentially lethal consequences.
The growing abuse of surveillance technology by authoritarian regimes with poor human rights records is becoming a disturbing new, globally emerging trend. The use of these harmful tools has drawn attention to how the availability and abuse of highly intrusive surveillance technology shrink already limited cyberspace in which vulnerable people can express their views without facing repercussions such as imprisonment, torture, or killing.
Solving this global problem will not be easy nor simple and will require a strong coalition of multi-stakeholders, including governments, civil society, and the private sector, to reign in what is now a "Wild West" of unmitigated abuse in cyberspace. With powerful surveillance and intrusion technology roaming free without restrictions, there is nowhere to hide, and no one will be safe from those who wish to cause harm online or offline. Not acting urgently by banning or restricting the use of these tools will threaten democracy, rule of law, and human rights worldwide.
Accountability, Attribution, and International Law: Post-SolarWinds
On December 7, 2020, the US National Security Agency issued a cybersecurity advisory warning that "Russian State-sponsored actors" were exploiting a vulnerability in the digital workspace software developed by VMware (VMware®1Access and VMware Identity Manager2 products) using compromised credentials.
The next day, on December 8, the cybersecurity firm FireEye announced the theft of its "Red Team" tools that it uses to identify vulnerabilities in its customers' systems. Several prominent media organizations reported an ongoing software supply-chain attack against SolarWinds, the company whose products are used by over 300,000 corporate and government customers — including most of the Fortune 500 companies, Los Alamos National Laboratory (which has nuclear weapons responsibilities), and Boeing.
A malware called SUNBURST infected SolarWind's customers' systems when they updated the company's Orion software.
On December 30, 2020, Reuters reported that the hacking group behind the SolarWinds compromise was able to break into Microsoft Corp and access some of its source code. This new development sent a worrying signal about the cyberattack's ambition and intentions.
Microsoft president Brad Smith said the cyber assault was effectively an attack on the US, its government, and other critical institutions, and demonstrated how dangerous the cyberspace landscape had become.
Based on telemetry gathered from Microsoft's Defender antivirus software, Smith said the nature of the attack and the breadth of the supply chain vulnerability was very clear to see. He said Microsoft has now identified at least 40 of its customers that the group targeted and compromised, most of which are understood to be based in the US, but Microsoft's work has also uncovered victims in Belgium, Canada, Israel, Mexico, Spain, the UAE, and the UK, including government agencies, NGOs, and cybersecurity and technology firms.
Although the ongoing operation appears to be for intelligence gathering, no reported damage has resulted from the attacks until the publishing date of this article. This is not "espionage as usual." It created a serious technological vulnerability in the supply chain. It has also shaken the trust and reliability of the world's most advanced critical infrastructure to advance one nation's intelligence agency.
As expected, the Kremlin has denied any role in recent cyberattacks on the United States. President Vladimir Putin's spokesman Dmitry Peskov said the American accusations that Russia was behind a major security breach lacked evidence.
The Russian denial raised the question of a gap of accountability in attributing cyberspace attacks to a nation-state or specific actor. Determining who is to blame in a cyberattack is a significant challenge, as cyberspace is intrinsically different from the kinetic one. There is no physical activity to observe, and technological advancements have allowed perpetrators to be harder to track and to remain seemingly anonymous when conducting the attack (Brantly, 2016).
To achieve a legitimate attribution, it is not enough to identify the suspects, i.e., the actual persons involved in the cyberattacks but also be able to determine if the cyberattacks had a motive which can be political or economic and whether the actors were supported by a government or a non-state actor, with enough evidence to support diplomatic, military, or legal options.
A recognized attribution can enhance accountability in cyberspace and deter bad actors from launching cyberattacks, especially on civilian infrastructures like transportation systems, hospitals, power grids, schools, and civil society organizations.
According to the United Nation's responsibility of States for Internationally Wrongful Acts article 2, to constitute an "internationally wrongful act," a cyber operation generally must be 1) attributable to a state and 2) breach an obligation owed another state. It is also unfortunate that state-sponsored cyberattacks violate international law principles of necessity and proportionality.
Governments need to consider a multi-stakeholder approach to help resolve the accountability gap in cyberspace. Some states continue to believe that ensuring international security and stability in cyberspace or cyberpeace is exclusively the responsibility of states. In practice, cyberspace is designed, deployed, and managed primarily by non-state actors, like tech companies, Internet Service Providers (ISPs), standards organizations, and research institutions. It is important to engage them in efforts to ensure the stability of cyberspace.
I will name two examples of multi-stakeholder initiatives to secure cyberspace: the Global Commission on the Stability of Cyberspace (GCSC), which consisted of 28 commissioners from 16 countries, including government officials, has developed principles and norms that can be adopted by states to ensure stable and secure cyberspace. For example, it requested states and non-state actors to not pursue, support, or allow cyber operations intended to disrupt the technical infrastructure essential to elections, referenda, or plebiscites.
Cyberpeace Institute is a newly established global NGO that was one-year-old in December 2020 but has the important goal of protecting the most vulnerable and achieve peace and justice in cyberspace. The institute started its operations by focusing on the healthcare industry, which was under attack daily during the COVID 19 pandemic. As those cyberattacks were a direct threat to human life, the institute called upon governments to stop cyber operations against medical facilities and protect healthcare.
I believe that there is an opportunity for the states to forge agreements to curb cyberattacks on civilian and private sector infrastructure and to define what those boundaries and redlines should be.
SolarWinds and the recent attacks on healthcare facilities are important milestones as they offer a live example of the paramount risks associated with a completely unchecked and unregulated cyberspace environment. But it will only prove to be a moment of true and more fundamental reckoning if many of us, governments, and different multi-stakeholders played a part, each in their respective roles, in capitalizing and focusing on those recent events by forcing legal, technological, and institutional reform and real change in cyberspace.
It's time to take a stand or a knee!
The effects of the Solarwinds attack will not only impact US government agencies but businesses and civilians that are currently less secure online. Bad actors are becoming more aggressive, bold, reckless and continue to cross the red lines we considered as norms in cyberspace.
Vulnerable civilians are the targets of the intrusion tools and spyware in a new cyberspace wild west landscape. Clearly, additional legal and regulatory scrutiny is required of private-sector offensive actors or PSOAs. If PSOA companies are unwilling to recognize the role that their products play in undermining human rights or address these urgent concerns, then, in this case, intervention by governments and other stakeholders is needed.
We no longer have the privilege of ignoring the growing impact of cyberattacks on international law, geopolitics, and civilians. We need a strong and global cybersecurity response. What is required is a multi-stakeholders' courageous agenda that redefines historical assumptions and biases about the possibility of establishing new laws and norms that can govern cyberspace.
Changes and reforms are achievable if there is will. The Snowden revelations and the outcry that followed resulted not only in massive changes to the domestic regulation of US foreign intelligence, but they also shaped changes at the European Court of Human Rights, the Court of Justice of the European Union, and the UN. The Human Rights Committee also helped spur the creation of a new UN Special Rapporteur on the Right to Privacy based in Geneva.
The new cyberspace laws, rules, and norms require a multi-stakeholder dialogue process that involves participants from tech companies, academia, civil society, and international law in global discussions that can be facilitated by governments or supported by a specialized international intergovernmental organization.
Sources and References:
- National CyberSecurity Agency, Security Advisory
- Fireeye, 2020. Unauthorized Access Of Fireeye Red Team Tools. [online] [Accessed 2 January 2021]
- John Scott-Railton, Bill Marczak, Siena Anstis, Bahr Abdul Razzak, Masashi Crete-Nishihata, and Ron Deibert, 2020. Reckless VII Wife Of Journalist Slain In Cartel-Linked Killing Targeted With NSO Group'S Spyware. [online] The Citizen Lab.[Accessed December 25 2020]
- The New York Times, 2020. Russian Hackers Broke Into Federal Agencies, U.S. Officials Suspect. [online] [Accessed 2 January 2021]
- The Moscow Times, 2020. Russia Denies Role in US Cyber Attacks. [online][Accessed 30 December 2020]
- Brantly, A. F. (2016) 'Anonymity and Attribution in Cyberspace' in The Decision to Attack: Military and Intelligence Cyber Decision-Making, University of Georgia Press
Written by Mohamed EL Bashir, Public Policy & Internet Governance Strategist