The publication of Tactics Institute’s latest major report is imminent. Written in partnership with the Ira A. Fulton School of Engineering at Arizona State University and Titled Surveillance, Elite Hacking & Democracy – How the West sells means of repression to the Middle East, the report brings together expert analysts to break down the security threats posed by new technologies and the approaches needed to protect populations.
The introductory remarks for the report are written by Alan Brill, Senior Managing Director at Kroll’s Cyber Risk Practice, who offers two examples of dual-use civilian/military good that can be used to advance human society, or conversely, be used as means of destruction. A guidance system can be used for safe civilian travel but can also be utilised to guide a cruise missile to its target. Insecticide can be used to kills disease-carrying insects, but also be repurposed as a chemical weapon used to kill humans.
Chapter two of the upcoming report, written by security analyst Angelos Kaskanis, is titled Transnational Human Rights Abuses Facilitated Through Social Media and Digital Platforms and builds on the theme of dual use communications technology, comparing them to the dual-use technologies of civilian and military goods.
It first looks at the case of Jamal Khashoggi, the Washington Post journalist murdered in the Saudi Consulate in Istanbul in 2018, as an example of the negative side of dual-use technology. The question considered in the report is that of his perceived virtual surveillance. The Citizen Lab in Toronto identifies the Khashoggi case as one of elite hacking, pointing to NSO software called Pegasus, a Spyware that can infect a device, log all activities on it and send it to the entity seeking the information.
It is believed that the Spyware was delivered to Jamal Khashoggi via WhatsApp. WhatsApp, as a result, is suing NSO; however, NSO claims that Facebook, the parent company of WhatsApp, had previously contacted NSO to learn more about the Spyware to assist in monitoring their users on Apple devices.
The chapter also recalls January 2020, when the New York Times published a story with many similarities to the Khashoggi case, titled How Jeff Bezos’ iPhone X Was Hacked. The story concerned the world’s richest man, Jeff Bezos, the CEO of Amazon. Bezos’s iPhone was allegedly hacked and data from private communication used to blackmail him. Investigators believed that his phone was infected by malware which gave the hacker(s) unfettered access to the device and its contents. At the time of the alleged hack, Bezos was engaged in conversations with the Crown Prince of Saudi Arabia via WhatsApp. If Bezos, with multiple layers of security around him, can be victim of such a breach, think how easy it would be to hack the phone of a run-of-the-mill millionaire, or a regular politician, diplomat or worker. Bezos had the ability to respond to the hack, the vast majority do not and must therefore rely on states or international organisations to protect the right to privacy.
Elite state-sponsored or state-sanctioned use of Spyware on citizens of foreign countries is a national security issue and also violates certain fundamental democratic principles. The Bezos case raised several ethical issues around the privacy of technology users and the depths they will plumb to acquire data on people. Pegasus spyware, a privately created surveillance tool, was sold to numerous countries, facilitating indiscriminate spying across borders. The Citizen Lab identified 45 countries that may be conducting such operations. One of the countries was code-named “Kingdom” and was targeting devices in 12 different countries. It is suspected that “Kingdom “was Saudi Arabia.
While civilians need digital borders to be protected just like physical borders, there is a lack of decisive international action to achieve this. Software like Pegasus can become a cyberweapon with the potential for indiscriminate use. As electronic devices and platforms have become central functions in human life, state-sponsored cyber-attacks via social media or person-to-person messaging platforms can plant malware on a citizen. Such attacks offer maximum deniability for the perpetrator and may take years to discover.
A famous case of cyber-attack was Operation Stuxnet, in which the United States and Israel allegedly infected highly complex systems within Iran’s domestic nuclear programme by spinning nuclear centrifuges at different speeds but ensuring the logic controllers showed that everything was normal. Iran allegedly retaliated with Operation Shamoon, a virus that affected Aramco, the Saudi national oil company.
Countries are suspected of planting moles in tech firms to carry out corporate espionage such as stealing intellectual property data. In 2019, the Justice Department in the US arrested two former Twitter employees on suspicion of spying for Saudi Arabia by accessing Twitter accounts belonging to individuals critical of the absolute monarchy. There is a presumption of innocence, but, if proven, it would be further evidence of the insecurity currently inherent in the digital world. No level of encryption or anonymity can protect an individual if the mechanism used to secure them is itself compromised. If all states acted in good faith, then this would not be an issue. However, as the evidence suggests, many states do not, and individuals who openly oppose such states will continue to find their privacy, and even lives, are at risk.
For much more on the issues raised in this article, including proposals for ways states can tackle the cyber security crisis, download the Tactics Institute’s forthcoming report Surveillance, Elite Hacking & Democracy – How the West sells means of repression to the Middle East which will be published on this website in August.