- UK and EU must act together to protect western democracy from cyber-attacks
- Ban spies from working as consultants to hostile foreign governments
- UAE and Saudi Arabia engaged in hostile cyber-operations, joining Russia and China
- UN should set international agreement on “acceptable” practices
The UK Government and EU should treat the export of technology and technological know-how like the export of conventional weapons, with strict regulation and restrictions, says a major new report from the Tactics Institute.
The UK-based think tank calls on the Government and EU to take a lead in tackling the threat of cyber-attacks and the use of technology to spread misinformation by hostile powers, which it says not only includes Russia and China, but the United Arab Emirates and Saudi Arabia.
The report, written by Alan Brill, a senior director at Kroll, the high-tech investigations practice; Angelos Kaskanis, an expert on terrorism and security studies from the University of Thrace; Ritesh Kotak, a cybersecurity analyst and consultant, to the Canadian Police; Brigadier-General Metodi Hadji-Janev, a security analyst and Associate Professor at the Military Academy General Mihailo Apostolski and Dimitrios Tsarapatsanis, senior lecturer in law at the University of York, paints a worrying picture where technology such as COVID’s track and trace, can be repurposed to suppress opposition and track political dissidents.
The report warns that the sale of technology and know-how to states who use it against their opponents or to subvert democracy is short-sighted and risks surrendering the West's ‘capability’ lead. In particular, the report's authors are critical of the unregulated market of former spies selling their services to the highest bidder, whether companies or regimes with poor human rights records and a history of suppressing their political opponents.
The new report sets out examples of both legitimate and non-legitimate corporate cyber operations. The Milan based Hacking Team is one such company. Hacking Team work with several law enforcement agencies breaking encrypted messages, allowing the police to monitor communications between criminal groups. At the other end of the spectrum, they detail the notorious Project Raven.
Project Raven was a UAE funded project, which commissioned US-firm DarkMatter, a company that hired, “…former National Security Agency hackers and other US intelligence and military veterans to build and hone an Emirati talent pool able to compromise the computers of political dissidents at home and abroad.” Targets included UK and American citizens and critics of the regime such as the British journalist Rori Donaghy.
Speaking to Reuters last year, one former DarkMatter employee said US-trained government hackers, "…employed state-of-the-art cyber-espionage tools on behalf of a foreign intelligence service that spies on human rights activists, journalists and political rivals".
“In some respects, cyberspace merely enables the continuation of an old game by new means. Last year Russia unveiled a memorial plaque in memory of the notorious Cambridge Five espionage network that provided the USSR with valuable insights for decades. However, the celebration of these members of the British establishment as Soviet heroes disguises the fact that one of the main instruments for leveraging their cooperation was blackmail. The danger of finding and threatening to reveal ‘compromising’ details of one’s private life – using the threat as leverage – is an ancient technique in espionage. The most recent high-profile case to elicit the cooperation of a high-ranking business leader involved the Amazon CEO, Jeff Bezos. In January 2020, UN investigators released a report that concluded with ‘reasonable certainty’ that Crown Prince Mohammed of the Kingdom of Saudi Arabia (KSA) was involved in hacking Bezos' phone” the report says.
It calls on the EU and NATO to hold state and non-state actors to account for their activities such as the recent attack on the World Health Organisation by the DarkHotel during the early days of the COVID-19 crisis – but warns a lack of coordination and commitment between member states and the EU bureaucracy is preventing action.
“In a European context, cyber terrorism experts recognise that one of the challenges at hand is that member states are not in consensus over how to hold sovereign adversaries in check, including China, so cannot spell out necessary retaliatory steps that could act as credible deterrence… taking action is challenging without the consent of the nation-state. Europe appears to have a sum of cybersecurity policies rather than a strategically coherent doctrine to match its Single European Market…” and, indeed, the notion of an EU citizenship” it says.
Brigadier-General Metodi Hadji-Janev, commented: “Cyber-attacks and aggressive online activity by state actors are increasingly being deployed. These regimes and those connected with them aim to subvert democracy and target their opponents. They corrupt existing technologies, repurposing it for their ends.
"This form of hostile action has many benefits not least the technology is readily available, the form of attack is relatively easy to deploy, through the use of proxies allows a certain amount of deniability and perhaps most importantly the West has failed to come up with a cogent strategy of deterrents to deter and punish the aggressors. This explains why smaller states such as Saudi Arabia and the UAE have joined the likes of Russia and China in deploying it.”
The report argues that while the UN can facilitate a discussion about what is and is not acceptable practice, it is the EU and NATO that should take the lead on developing a strategy and measures to deter regimes engaged in this form of cyber-warfare. This should include licensing technology that can be used to suppress free speech and political opponents and regulating the activities of cyber-mercenaries, preventing them for working with regimes engaged in hostile action against any EU or NATO country.
It continues: “States should strive to meet international cyber-governance benchmarks by adhering to an ‘inherent state competencies’ code of cyber-regulation that prohibits specific kinds of contracts. In this endeavour, states must ensure cyber-consulting export controls based on due diligence, incorporating best practices from conventional arms exports, inclusive of license requirements. Finally, states need to ensure proper oversight of know-how proliferation by cyberspace contractors. This objective could be served by public-private monitoring mechanisms that regulate the sharing of cyber operational skills and expertise, particularly when former military and law enforcement personnel are involved. For democracies, individual governments should be blacklisted for specific categories of know-how and cyber-services, not least those referenced in the aforementioned case-studies.”
Dimitrios Tsarapatsanis concluded: “The current unregulated market in western cyber-mercenaries and technology, where expertise and hardware are bought by the highest bidder, even when they could be used to target NATO countries or interests must be stopped. These offensive capabilities must be regulated and controlled like conventional weapons with strict measures designed to prevent their proliferation. These must be backed up by meaningful penalties against those who break the rules and sanctions against those deploying them. Only the EU and NATO are capable of implementing such restrictions and until they do countries like the UK and its’ citizens will remain dangerously exposed to this sort of aggression.”
Notes to Editors:
The Tactics Institute for Security and Counter-Terrorism is an independent, non-partisan, think tank.
They bring together experience in social services, cybersecurity, legal expertise and a pool of experts with procurement, military operations and areas studies expertise. Providing contextually sensitive support for decision makers, whilst also aspiring to opening new public debates on security policy.
Tactics Institute focuses on politically motivated transnational crime, with reports and events designed to guide risk assessment, social and security policy. Going beyond a cause-effect approach, they seek to identify the political and social context in which terrorist threats evolve, without shying away from questions of social and economic significance.
To make a significant contribution to the discrediting of violence as a means of political struggle by supporting security options that bolster open, pluralistic, and cohesive societies governed by the rule of law.