Pegasus, the NSO Group, and Cyberweaponry (Part II)
We've known for a while now that nation states are using cyberweapons against one-another. But what about when they aim them at citizens?
Join the DZone community and get the full member experience.Join For Free
In the first part of this series, I raised a few questions about weaponized software and how complex regulating it has become. Malware with clear criminal intent from criminal actors seems easy to regulate — you just make it or the crimes they facilitate illegal, and this has been the approach taken by law enforcement over the last few decades. But what about government approved malware from external consultants? I mean, it steals information, audio, video, and the like, just as more criminal strains. But because a central government approves it, it's not a crime to have been developed or used. Even when targeting people in different countries.
But the two smell awfully similar.
The larger problem is, I think, that we're seeing the start of another cyber arms race, where nations are beginning to directly target individuals in ways too risky to do in the past. The barriers to entry for a software company writing malicious code are much lower than for, say, a company making cruise missiles. Today, these companies are working to stay within the legal confines of the countries in which they're resident. I don't see any reason why this will remain the case in the future.
Some of the more important questions boil down to:
Is it acceptable for residents of countries to be targeted by other countries? If it is, when does it become unacceptable? What are the restrictions that should be imposed on this kind of activity?
Is it acceptable for companies to use 0-days to deliver their products? If it is, is it responsible? And when is it unacceptable? This is certainly in conflict with any EULA I've ever seen.
If it's legal and acceptable for sovereign nations to deliver malware onto the devices of unsuspecting users, is it legal and acceptable for me to defend myself from it? Or is that obstruction?
I don't have answers to any of these questions. It sure seems messy to me, and I'm not sure if anybody's asking these kinds of things yet. Companies in this space seem to be on questionable legal ground today. I do think that companies like Azimuth are working carefully to only offer services to a very specific clientele. I expect the NSO Group is doing its best to do the same, though that certainly seems questionable. This isn't the first time their software's been implicated, and they're currently running operations in almost 50 countries, including the United States. We're beginning to see unexpected consequences of this kind of activity though, no matter how careful folks have been, and I don't expect things to get any better.
Opinions expressed by DZone contributors are their own.