Policymakers Ignore Spyware Middlemen Driving Global Proliferation
Vas Panagiotopoulos / Mar 18, 2026
Vas Panagiotopoulos is a fellow at Tech Policy Press.
Commercial spyware proliferation has skyrocketed in recent years, fuelled by the expansion of a global market comprising more than 500 entities across 40+ countries.
This surge has been facilitated by intermediaries — brokers, resellers, and partners — who, driven by profit and word-of-mouth reputation, act as indispensable enablers in the global supply chain for offensive cyber capabilities (OCCs), including spyware, according to a new report released Wednesday by the Atlantic Council.
Intermediaries have facilitated transactions that otherwise could not have taken place due to regional export controls or trade bans.
For example, reseller InReach Technologies was “solely founded” by spyware vendor Quadream in 2017 to promote its product outside Israel and to bypass the EU’s export controls, the report notes.
Similarly, in 2021, Bangladesh purchased from Passitora Ltd, a reseller for the Intellexa Consortium (maker of Predator spyware), which sold the product to broker ToruGroup Limited, a Swiss company operating from the British Virgin Islands.
Such intermediaries also enable spyware sales where vendors cannot or do not want to appear directly, often to avoid unwanted public attention and potential reputational harm.
“This widens and drives the sales of these capabilities, despite attempts made by export controls to limit such proliferation,” Atlantic Council’s Jen Roberts, who co-authored the report, told Tech Policy Press.
For example, ten resellers have helped facilitate NSO Group’s sales of Pegasus spyware to government buyers, a technology linked to several human rights abuses, including the murder of Saudi journalist Jamal Khashoggi.
The limited knowledge regarding intermediaries creates a significant policy hurdle, which, in turn, undermines transparency, accountability, compliance, and due diligence, and risks enabling the unchecked proliferation of spyware, whose abuse has been shown to cause demonstrable harm to human rights and national security.
“Overall, their utility rests in remaining opaque, meaning they are similarly difficult to research and report on,” said Atlantic Council’s Sarah Graham, who co-authored the report.
From product development to training: spyware intermediaries fulfil key functions
Apart from expanding market access across jurisdictions, these entities drive proliferation by fulfilling a number of key functions.
These include supporting product development by providing skills and services or pieces of an end product, and facilitating operational deployment by establishing operational training centers, operating front companies to ship products, or providing data analysis systems.
Intermediaries also introduce market complications through cost escalation, by adding a 10-15% markup to exploits for onward sale; product homogenization, by focusing on a few high-value exploits, e.g., popular target vectors such as iOS and Android devices; and supply chain obfuscation, which complicates, for example, “responsible purchasing,” notes the report.
The report draws on roundtable interviews with experts who, across a variety of topics, consistently returned to two market observations that parallel those found in other opaque marketplaces — for example, the diamond trade.
“First, individuals and small shops are often driven by the potential for high profits, which can overshadow any nonbinding due diligence advice, and second, transactions frequently rely on reputations and word-of-mouth,” explained Graham.
“Both elements rest in the overall market opacity.”
Policymakers are ignoring the role of spyware intermediaries
The report makes a number of policy recommendations and, in the words of its authors, it is “a step towards greater transparency and a call to action for policymakers to consider subsections of markets as key marketplace players that might have initially been overlooked.”
Firstly, it advocates for the implementation of Know Your Vendor requirements – i.e., third-party risk management processes used to verify a vendor's identity. This would mandate that OCC brokers and resellers disclose their supplier relationships, vendor partnerships, investors, subcontractors, and parent entities so that governments can detect links to sanctioned or restricted entities before signing contracts.
Secondly, corporate-run registries for brokers and resellers should be improved to include at least basic company information, ownership details, operational information, and corporate history.
Finally, programs for the certification of brokers and resellers should be introduced, for example, by France and the UK, which are leading the ongoing Pall Mall Process addressing the irresponsible use of CCIs. Such programs would recognize brokers and resellers that demonstrate exceptional compliance practices and encourage other signatories to the Pall Mall Process Code of Practice for States to do the same.
“Policy frameworks tend to underspecify intermediaries. If intermediaries are mentioned at all, they are often conflated within one broad category while, in reality, they serve different market functions,” said Roberts, adding that “without clarification, policymakers risk applying underdeveloped or misdirected policies that may have minimal or counterintuitive effects on marketplace transparency.”
Roberts called on the 27 states that have signed on to the Pall Mall Process: “It is vital that Pall Mall states consider levers to counteract the role intermediaries play in proliferating this industry during this phase of the process.”