Thursday, September 26, 2024

Mythical Beasts
One of the more interesting diplomatic processes in our space right now is the Pall-Mall process, a joint British and French effort to tackle commercial spyware from a nation-state norms and unified regulatory angle. Just as in the Pall-Mall game in Bridgerton, this kind of large political effort is complicated by every government hitting the ball all over the place, engaging in their own bilateral romantic endeavors, and requires a Lady Whistledown-level of dissection to even understand because, much like a Victorian High Society, so much of the incentive structure is both obvious and unmentionable. For example, we will not go into the failure of the Apple lawsuit against NSO Group, or whether civilian courts are the right place to enforce norms of this nature.

Recently the Atlantic Council's Digital Forensics Lab project released a paper on the commercial spyware economy and what to do about it. The goal of this blog is to examine a couple of the suggestions in the paper. 
We will skip over the methodology and the findings in the paper. These tend to be vestigial at best - the heart of these sorts of papers is usually their policy recommendations, and when you read this kind of paper you may feel they probably wrote the recommendations first and then came up with the data to back them up later - so we start with an overview of their suggestions, which are as follows:
  1. Mandate "Know Your Vendor" requirements for spyware vendors to disclose supplier and investor relationships.
  2. Improve government-run corporate registries to provide more comprehensive and accessible information on businesses.
  3. Expand and enforce beneficial ownership identification requirements.
  4. Enrich, audit, and publish export licenses for spyware and related technologies.
  5. Implement policies to limit jurisdictional arbitrage by spyware vendors.
  6. Provide greater protection against Strategic Lawsuits Against Public Participation (SLAPP) to safeguard reporting on the spyware industry.

These recommendations aim to increase transparency in the spyware market (especially to think tanks like Atlantic Council!), limit vendors' ability to evade regulations by moving between jurisdictions, and improve scrutiny of the industry's supply chains and investor relationships. The authors argue these steps could help address human rights and national security concerns related to spyware proliferation.

While a detailed analysis would be as long as the paper itself, I wanted to give a sense of the paper's tenor by sampling two of the recommendations and looking at them in depth.

Know Your Vendor

With various revelations that the FBI had purchased NSO Group's technology but claimed not to have used it, which brought flashbacks of Bill Clinton saying he smoked pot but didn't inhale, it became clear that it was difficult for countries to know which offensive technology vendors they themselves used. The basic path to having their cake (the Western market) and eating it too (also the rest of the world's less scrupulous markets) was that each vendor set up a little company in the US and had that subcontractor sell spyware technologies to the US market, sometimes under a new brand.

This dynamic has a number of poor side effects, from the perspective of the USG. First of all, it subsidizes foreign offensive technologies and the entire supply chain that supports them. Ideally all the best private iOS exploit developers are in some giant glass building in Fairfax VA, and not Tel Aviv or Nicosia, Cyprus. Niche markets like this are also very subject to manipulation - subsidized foreign capabilities can be used to starve the local talent market of opportunity. Because offensive capabilities are national security levers, this definitely puts us in a bad position.

And of course, there are many OPSEC reasons to buy local as well, which we will not go into here.

On the other hand, not letting US companies buy exploits from non-US people, or not letting the FBI use (Israeli) Cellebrite (which is the best in its market right now), has its own significant downsides.

The Mythical Beasts paper proposes implementing "Know Your Vendor" (KYV) requirements for spyware vendors as a way to increase transparency in the market and improve due diligence for government clients. This proposal would apply to the United States and the 16 additional signatories of the Joint Statement on countering spyware proliferation. Under these requirements, vendors would need to disclose their supplier and investor relationships, as well as any parent corporate or holding entities, before being awarded government contracts for cyber operations (written broadly, this means basically anything from forensics to penetration testing and beyond).

In the US, this requirement would be implemented through updates to the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS). The goal is to create a more consistent reporting environment, allowing government clients to check if prospective supply chains include firms on restricted entity lists and enabling efforts to reduce spending on high-risk vendors. The paper suggests that a more effective version could mandate disclosure further down the supply chain. It also acknowledges that larger conglomerate firms might need more targeted disclosure requirements. The authors present this as a credible step toward better information about the spyware market segments with which governments might do business, aiming to create a united front among countries that claim to work only with "government" and "Western government" clients.

But, to put it mildly, this is a difficult proposal to put into practice, especially across the critical and extremely broad cybersecurity sector. There is no precedent for requiring such extensive disclosure of investor and supply chain information as a condition for government contracts, even for confidential use. This represents a dramatic and potentially harmful shift in government-contractor relationships. Vendors are going to say that the policy constitutes egregious regulatory overreach, infringing on corporate privacy rights and threatening to stifle innovation in the cybersecurity sector. Ironically, it would likely create significant security vulnerabilities by centralizing sensitive information about vendors and their supply chains, making it a prime target for hackers and hostile state actors. The stringent requirements would inevitably favor large, established companies, potentially crushing smaller innovative firms that are the bedrock of our most critical efforts in this space and reducing market competition. While the paper acknowledges and attempts to address jurisdictional arbitrage, its proposed solutions may not be sufficient to prevent determined bad actors from circumventing the system, especially those operating entirely outside cooperating jurisdictions. The additional compliance burden would significantly increase costs, making cutting-edge cybersecurity tools less accessible and potentially weakening national security. Finally, forced disclosure of investor information raises serious privacy concerns, likely deterring investment in critical cybersecurity technologies and conflicting with existing confidentiality agreements and business practices.

Spyware Export Control

The report proposes significant changes to export control policies for spyware and related technologies. Specifically, it recommends enriching export licenses with detailed information, including the names of employees who have a material impact on product development. It also calls for implementing mandatory regular audits of these licenses. Most controversially, the proposal suggests making both the audit reports and the original export licenses publicly accessible. The stated aim is to increase transparency and accountability in the spyware industry.

However, this proposal is deeply problematic and represents an unprecedented overreach of government authority. It is far beyond the typical scope of government to collect, let alone publish, such detailed information about private companies and their employees. We don't do this currently for nuclear weapon technologies, but we want to do it for exploits? The inclusion of key employee names on public export licenses is an egregious violation of individual privacy rights, potentially exposing workers to harassment, threats, or recruitment by hostile actors. Publishing detailed export licenses could provide a roadmap for corporate espionage and pose significant national security threats by aiding hostile nations or groups in identifying vulnerabilities in cybersecurity systems.

The proposed regular mandatory audits would likely create an enormous bureaucratic burden, potentially paralyzing the export process and crippling the cybersecurity industry's ability to respond to rapidly evolving threats. This level of government intrusion into private business operations not only borders on authoritarian control but also represents a fundamental misunderstanding of the limits of government authority in a free market economy (i.e. companies are going to decline to do business with governments who attempt to do this sort of thing). The threat of public exposure and constant audits could stifle participation in key offensive cybersecurity research and development efforts, to say the least. Moreover, by focusing intensely on legal exports, this policy could inadvertently push more activity into black and grey markets, making the industry harder to monitor and control. Overall, these proposed export control policies appear not just likely to be counterproductive to their stated aims, but also represent a dangerous overreach of government power into private industry.

This proposal is weirdly exactly what the Chinese government would like for us to do, and I was surprised it made it through peer review.

Conclusion

The Mythical Beasts paper, while well-intentioned, seems to have lost its way in the complex landscape of international cybersecurity norms creation. Its proposals for "Know Your Vendor" and enhanced export controls, though aimed at transparency, risk creating more problems than they solve. These recommendations, if implemented, could stifle innovation, compromise privacy, and ironically, weaken the very national security they aim to bolster.

So, while we appreciate the Atlantic Council's attempt to play Lady Whistledown in the high-stakes game of international cybersecurity, perhaps it's time they put down the quill and step away from the Pall Mall mallet before they accidentally knock the ball into China's court. In the delicate balance of global cyber policy, sometimes less interference is more, and good intentions don't always translate to effective solutions.