Partner Maria Theodoulou and Barrister Jessica Sobey discuss cyber intrusion and “hackers for hire” in The Times

Partner Maria Theodoulou and Barrister Jessica Sobey explore the proliferation of commercial cyber intrusion capabilities, and discuss how government action is needed to crack down on abuse of spyware and cyber-attacks.

Maria and Jessica’s article was published in The Times, 7 March 2024, and can be found here.

As technology continues to develop exponentially, the proliferation and irresponsible use of commercial cyber intrusion capabilities pose many challenges. Given the constant evolution in the management of our data and in how we communicate, policymakers and legislators have struggled to keep pace in preventing the abuse and manipulation of spyware tools and services.

The international Pall Mall Process agreement, an Anglo-French initiative that was signed by more than 30 countries in February, aims to tackle the problem by establishing guiding principles and policy options for states, industry, and civil society.

The agreement notes the spyware market’s impact on national security and human rights, together with expansion of the “potential pool of state and non-state actors with access” to powerful spying tools. It calls on signatories to use spyware tools in a legal and responsible manner, with precision, and to introduce greater oversight and create increased transparency with commercial spyware vendors.

Last year, the UK’s National Cyber Security Centre (NCSC) – part of GCHQ – warned that thousands of people are being targeted through the “irresponsible use of spyware,” and that the number of cyber-attack victims is likely to rise alongside the growing demand for “hackers for hire.”

Malicious tools are used by these bad actors to gain access to people’s devices, listen to their calls, and remotely operate cameras and microphones: this facilitates access to data, as well as stealing people’s identity, their intellectual property, and their money.  According to the NCSC, the commercial cyber intrusion sector is doubling in size every ten years.

Serious concern has also been raised by organisations such as Human Rights Watch, which argues that the misuse of commercial spyware is facilitating human rights abuses across the world. This includes their own staff, who have been repeatedly targeted by NSO’s Pegasus, “advanced surveillance spyware”, in Jordan.

In opening the recent UK-France Cyber Proliferation conference, Deputy Prime Minister, Oliver Dowden, said that: “We must establish guidelines for best practice for developing, selling, facilitating, purchasing, and using commercially available cyber intrusion tools and services, and we must be clear about what irresponsible behaviour looks like, and how to discourage it.”

Although legal and policy initiatives have sought to address the problems caused by manipulation or intrusion, it is imperative that governments also introduce robust regulation that mitigates their impact.   

Failing to act is not an option. Without action, cyber-attacks will rapidly develop beyond sophisticated bad actors and opportunistic criminals. It is clear that oversight of the development, marketing and sale of commercial spyware is now necessary in order to ensure that it is not misused to facilitate further abuse. Companies that are responsible for improper use should be blacklisted, and if appropriate, potentially face criminal sanctions.