A Darker Future Is Here

With Reuter's report on Project Raven and the regular releases of information from Citizen Lab, it's pretty clear that the ability to execute sophisticated, advanced cyber operations are beginning to propagate to smaller countries with less of a technical footprint. We've expected and become used to countries like China and Russia fielding sophisticated cyber operations. Now, we're seeing that ability migrate to countries like the UAE.

We know that client states like Iran and North Korea have been executing relatively sophisticated operations for years now. This is the first case of a country essentially buying the capability by essentially hiring cyber-mercenaries. While we have also seen countries turn to commercial operations, like Vupen or the NSO Group, this is different. Buying cyberweaponry is more akin to purchasing guns or artillery. Arms sales are nothing new, really, and it's been going on for years in the cyber market — in both open markets and black markets, for that matter.

Project Raven is a significant shift in how cyber operations and capabilities are developed. Certainly, mercenaries are nothing new and have been working around the world since, roughly, the beginning of recorded history, I figure. Training local governments militarily isn't anything new either. But cyber is different.

It just scales so much better than just about anything else.

So, today, we've found out about Project Raven and how the UAE has used that engagement to begin to develop their own direct cyber capabilities. As we've seen in other places (looking at you, Afghanistan), alliances and relationships fray. And once you teach someone something like this, there are no take backs.

The technology used in the UAE was surveillance-centric, certainly. And the UAE isn't in the safest neighborhood. I'm not suggesting that the UAE is an irresponsible nation-state either. But they are going to defend their own interests, as any country will. And any country receiving this kind of help will have interests that diverge from their sponsors. Not just the UAE — this applies to everybody. And the functional overlap between spyware and destructive malware is significant — just look at Stuxnet and Duqu.

It's pretty clear, at this point, that cyber capabilities are following the same kinds of patterns that we've seen with defense capabilities in the past. Countries with these capabilities are not only exporting systems and support, but they're also exporting knowledge and tradecraft. And it's certainly going to continue. We also know that we're going to lose control of these kinds of things and that they'll eventually be used against us. It's just a matter of time.