Can You Drive a Stake through the Heart of Spyware?

The answer to this question, despite the welcome news that the NSO Group has been added to the entities list, is no, probably not. The demand for spyware will only grow as networked digital technologies are universally used and incorporated into human life. Activity centers around digital networks and companies will arise to service this demand.

Almost all countries conduct domestic surveillance, even if they don't always admit it. The real issue is under what rules they surveil and how strong any oversight procedures are to ensure that surveillance complies with these national rules. Democracies have effective rules to control surveillance. Countries that are not democracies or where the rule of law is weak do not. These go well beyond China, Russia, and Iran, and it is this global market that creates demand for services provided by companies like NSO.

Some countries have indigenous capabilities to make advanced surveillance software, but most must buy from an external source (the same way that very few countries make advanced weapons and others must buy from them). That raises a question: Under what rules does the international community regard such sale as legitimate? It is in the interest of democracies to fence the Wild West of spyware with rules governing its sale. That only a relatively few countries have the capability to make NSO-like products, and that many of them are democracies, provides an opportunity for progress in building these rules.

NSO is an Israeli company, and Israel is one of the top three exporters of cybersecurity technology (after the United States and United Kingdom). Its own security needs create a pool of expertise that can be commercialized. Spyware can also bring political benefits to Israel, allowing it to support countries in the Persian Gulf or elsewhere in ways that strengthen relations. NSO Group must be placed in Israel's security and political context to be understood. Israel has been reluctant to clamp down on companies like NSO because of the political and economic benefits they can provide. There is something of a parallel between NSO and the ex-military consultants who are hired to train and equip foreign government forces. European and U.S. companies have sold similar surveillance technologies and services.

Presumably, it was a reluctance to clamp down on NSO that explains the powerful message sent by the United States in placing it (along with another company, Candiru) on the entities list, but this is a piecemeal solution. Progress requires an agreement to cooperate among like-minded nations to restrict the sale of surveillance technology. The United States has already assembled groups of 30 like-minded nations and the European Union to discuss a collective response to ransomware and to build accountability. A similar approach, involving the same countries, would be the best approach to restrict surveillance technologies.

One precedent comes from regimes created to prevent the proliferation of weapons of mass destruction (WMD), where groups of like-minded nations agreed on nonbinding rules to govern and restrict exports of a defined set of dangerous technologies. Over time, these "regimes" can be expanded to include more nations, but they are usually limited at first to those with the capability to produce the dangerous technology. It would not be useful to start with the United Nations unless the desired goal is only waves of posturing. Expanding controls on spyware on the lists used by existing regimes like the Wassenaar Arrangement could be useful, but an agreement that goes beyond Wassenaar in requiring supplier countries to commit to restraints is also needed. Wassenaar may not be the best for controlling what is essentially software or a service, rather than an export of hardware. It is also necessary to involve the private sector and perhaps exports of surveillance technology. 

With the right membership, it should be relatively easy to reach an agreement on ending sales to dangerous end users. This begs the question of whether surveillance technology exports should be completely banned or whether there is some set of sales that could be permissible to responsible end users for legitimate purposes, such as counterterrorism. Part of any agreement would be common principles to guide government decisions on spyware sales. Experience suggests that an approach that allows for safe exports is more likely to succeed than a complete ban, even if this is designed to be very restrictive. It might be emotionally satisfying to announce a complete ban, but current attitudes among potential purchaser states could make this largely symbolic. Surveillance is not going away, and neither is demand for spyware, and a new approach must accommodate this.

Rules for surveillance software are part of the increasing problem of how to govern the digital space. Current tools used by the United States are inadequate since they are based on regulations and laws derived from the industrial international practices of the nineteenth and twentieth centuries. Changing this will require the United States and other democracies to develop common understandings on what is permissible and to create the policy tools needed to govern the digital space. The governance challenge goes well beyond spyware, but given the shared distaste toward this service, it might be a good place to start.

James A. Lewis is a senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C.

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2021 by the Center for Strategic and International Studies. All rights reserved.

James Andrew Lewis
Senior Vice President; Pritzker Chair; and Director, Strategic Technologies Program