The Atlantic Council: “State cyber capabilities are increasingly abiding by the “pay-to-play” model—both US/NATO allies and adversaries can purchase interception and intrusion technologies from private firms for intelligence and surveillance purposes. NSO Group has repeatedly made headlines in 2021 for targeting government entities in cyberspace, but there are many more companies selling similar products that are just as detrimental. These vendors are increasingly looking to foreign governments to hawk their wares, and policymakers have yet to sufficiently recognize or respond to this emerging problem. Any cyber capabilities sold to foreign governments carry a risk: these capabilities could be used against individuals and organizations in allied countries, or even in one’s home country. Because much of this industry operates in the shadows, research into the industry in aggregate is rare.
This paper analyzes active providers of interception/intrusion capabilities within the international surveillance market, cataloguing firms that have attended both ISSWorld (i.e., the Wiretapper’s Ball) and international arms fairs over the last twenty years.
This dataset mostly focuses on Western firms and includes little on Chinese firms, due to historical under-attendance of Chinese firms at ISSWorld. However, the overarching nature of this work will help policymakers better understand the market at large, as well as the primary arms fairs at which these players operate. This paper identifies companies explicitly marketing interception/intrusion technology at arms fairs, and answers a series of questions, including: what companies are marketing interception/intrusion capabilities outside their headquartered region; which arms fairs and countries host a majority of these firms; and what companies market interception/intrusion capabilities to US and NATO adversaries?
The resulting dataset shows that there are multiple firms headquartered in Europe and the Middle East that the authors assess, with high confidence, are marketing cyber interception/intrusion capabilities to US/NATO adversaries.
They assume that companies offering interception/intrusion capabilities pose the greatest risk, both by bolstering oppressive regimes and by the proliferation of strategic capabilities. Many such firms congregate at Milipol France, Security & Policing UK, and other arms fairs in the UK, Germany, Singapore, Israel, and Qatar.
The authors found that 75 percent of companies likely selling interception/intrusion technologies have marketed these capabilities to governments outside their home continent. Five irresponsible proliferators—BTT, Cellebrite, Micro Systemation AB, Verint, and Vastech—have marketed their capabilities to US/NATO adversaries in the last ten years.
This paper categorizes these companies as potentially irresponsible proliferators because of their willingness to market outside their continents to nonallied governments of the United States and NATO—specifically, Russia and China. By marketing to these parties, these firms signal that they are willing to accept or ignore the risk that their products will bolster the capabilities of client governments that might wish to threaten US/NATO national security or harm marginalized populations. This is especially the case when the client government is a direct US or NATO adversary…”