Spyware is spreading far beyond its national-security role

Spyware is increasingly exploited by criminals or used to suppress civil liberties, and this proliferation is in part due to weak regulation.

Politicians, diplomats, human rights activists and journalists have been targeted by malicious software worldwide. Just last week, former Polish justice minister Zbigniew Ziobro was arrested for allegedly approving use of spyware on 600 people, including opposition leaders.

Spyware is increasingly exploited by private actors, often criminal, for international crime, corruption, transnational repression and weapons smuggling. For instance, Mexican criminal organisations have tapped into Titan, security software used by law enforcement and intelligence agencies, to geolocate their rivals and conceal criminal activity. What’s more concerning is that some of these spyware products are being procured by government officials informally, without bureaucratic checks and balances.

The opacity of the spyware trade can make it difficult for governments to develop effective policies and regulatory controls. While commercial spyware giants such as the NSO Group, Intellex Consortium, NoviSpy and Cellebrite have become well known and increasingly scrutinised, hundreds of smaller firms have attracted little attention and oversight. They also provide hackers-for-hire services and such products as economical intrusion software. They are often set up by larger entities as a means of evading export controls, and they offer a more discreet way for governments and private actors to procure spyware, including illicit services and products.

The Atlantic Council’s Cyber Statecraft Initiative found connections between 435 entities across 42 countries in the spyware market. This revealed a web of investors, vendors, holding companies, subsidiaries, suppliers and individuals in the exploitation supply chain that contribute to spyware development, proliferation and misuse.

Misuse of spyware by malign actors can threaten national security and undermine civil liberties. This is a challenge for democracies and authoritarian regimes alike.

Between 2011 and 2023, at least 74 governments contracted commercial firms to obtain spyware or digital forensics technology. Of these, 44 were autocratic regimes, and 56 procured such technologies from firms based in or connected to Israel, the leading exporter of spyware.

The commercial spyware market is characterised by convoluted corporate structures and obscure supply chains, underscoring the need for collective efforts to increase transparency. The international community will need to cooperate and align their spyware regulations and approaches to address shared risks.

On 31 January, WhatsApp revealed it had detected spyware attacks targeting users across multiple countries. The software had come from Israeli company Paragon Solutions, but WhatsApp was unable to identify the user.

The international community is making some moves to counter misuse of commercial spyware. In January, Australia released a statement at the United Nations calling out the practice. Australia is also one of 23 signatories of the US-initiated joint statement on countering spyware proliferation and misuse.

Britain and France have also established the Pall Mall Process, which involves industry, governments and civil society committing to developing comprehensive guiding principles on the proliferation of commercial spyware.

These measures are major developments in the multilateral commitment to develop stricter safeguards, bringing states closer to alignment on spyware regulation policies.

However, too few countries and entities remain involved in the global effort to counter the proliferation and misuse of spyware. Stakeholder participation within existing mechanisms remains limited. This participation is concentrated in a small number of countries, mainly in Europe and North America, as well as Australia and a few Northeast and Southeast Asian states. This is despite a history of major emerging economies, such as Brazil, advocating against mass surveillance.

Countries need to develop more stringent regulations to prevent the proliferation and misuse of spyware. Nations should establish clear guidelines for nations’ preparedness and pathways to improvement, as well as transparency around what proliferation means to each state. This will help partners to understand and communicate their biggest hurdles, and what is needed to drive reforms.

Identifying and improving domestic commercial spyware landscapes is a good starting point for multilateral initiatives, but bringing the technology into international discussions would also help to mobilise the international community to respond. Australia should work together with partners in the European Union and the Association of Southeast Asian Nations to incorporate the issue into regional organisations. Both the EU and ASEAN are home to an increasing number of commercial spyware entities, even though its member-states also have a vested interest in preventing misuse of the technology.

Inaction or complacency by democracies risks the legitimisation of a largely unregulated industry. This reduces the impact and likelihood of developing meaningful policies to curtail the industry, further enabling spyware misuse.

You might also like
Getting regulation right to improve Australia’s cybersecurity
Economic cyber-espionage: a persistent and invisible threat
Getting cybersecurity right requires a change of mindset
Protecting our national identity assets is a matter of national security
Anonymous no more? Make it a crime to re-identify personal data
Australia needs a sovereign ICT capability