Branching Out: Factors Motivating Nondemocratic Use of Commodity Spyware

Published by:
SecAlliance
Published on:
September 7, 2023

State-led surveillance has long been an integral part of intelligence activities, varying in form depending on the society in which it operates. In democratic states, surveillance is a precision tool used to combat security threats while adhering to political and legal checks and balances.

However, in nondemocratic states, surveillance is often driven by repressive tendencies to control internal threats posed by political opposition and activists, safeguarding the incumbent regime.

We use the term ‘branching in’ to describe a state’s ability to use internally developed surveillance assets and mechanisms for domestic purposes, and the term ‘branching out’ to describe the scenario in which a state solicits external services in the form of commodity spyware.

Sometimes, a nation that fulfils the necessary criteria to ‘branch in’ still chooses to ‘branch out.’

The emergence of the Internet and digital technology has provided new communication avenues, enabling states to access, monitor and surveil such communications. Developing and applying such capabilities requires significant resources and expertise. While some states can organically develop these surveillance capabilities, others may choose to acquire them through the purchase or lease of commodity spyware - malicious software that grants extensive access to a target device and its data.

Commodity spyware is developed, sold, and sometimes operated by private sector entities, such as Israel-based NSO Group’s Pegasus spyware or Europe-based Cytrox’s Predator product.

To successfully branch in, a state must fulfil certain criteria, including infrastructure control, offensive cyber capability, and sufficient resources. Failure to meet these criteria may force a state to consider commodity spyware as an alternative.

Criteria for ‘Branching In’

Infrastructure Control

A state’s ability to branch in depends upon the degree to which it controls its domestic telecommunications infrastructure. This control can be inherent, such as through state ownership of relevant entities, or expanded through legislation, such as legal frameworks facilitating state access to telecommunications data. However it is obtained, states with higher degrees of control over this infrastructure have a correspondingly greater ability to direct, co-opt, or force telecommunications entities into facilitating or actively participating in surveillance at the state’s behest.

States seeking to branch in must have control over the necessary technological infrastructure for surveillance activities. This includes access to telecoms networks, data centres and other critical components for effective monitoring.

Cyber Capability

To conduct internal surveillance efficiently, a state needs offensive cyber capabilities. This involves expertise in hacking, exploiting vulnerabilities and gaining unauthorised access to target devices.

We can look to a state’s level of capability and expertise in the cyber domain: specifically, whether it develops, maintains and uses advanced threat actor groups that can build custom tooling, target technological devices and act on state-directed objectives such as conducting espionage or facilitating surveillance.

Offensive cyber capability can be difficult to judge, as states have a natural requirement to keep this important tactical and strategic intelligence to themselves. Difficulties in technical analysis or deliberate false flag operations may complicate attribution of a threat actor or incident to a particular state, while highly sophisticated activity may go unreported or even undetected.

But factors such as a state’s broader geopolitical motivations, technical indicators within malware and techniques, and state and law enforcement reporting can help attribute incidents and indicate a state’s general level of offensive capability.

States with well-developed offensive cyber programmes are capable of targeting not only foreign adversaries but also elements of the domestic population where required. Conversely, states with immature or non-existent cyber capabilities are less able to use their own assets for this activity.

Sufficient Resources

Developing and maintaining surveillance capabilities requires substantial resources, including financial investment, skilled personnel, and ongoing research and development.

Human resources are key: states lacking enough technically skilled personnel, or the professional and practical opportunities to develop a skilled workforce, are likely to be limited in terms of offensive cyber capability, and so are more likely to branch out to address these deficiencies.

In general, developing a sophisticated offensive cyber capability in itself requires considerable expenditure. Although there is little detailed information available regarding the specific costs of offensive cyber programmes, broader intelligence budgets can give some indication of the significant financial resources required. For example, in 2021–2022 the United Kingdom spent a total of GBP3.7bn through its Single Intelligence Account, and it projects a budget of GBP7.3bn for intelligence and security activities by 2024–2025.

Furthermore, the fluctuating nature of cyberspace and constant efforts of network defenders to identify and patch exploited vulnerabilities forces constant updating of capabilities, adding an additional financial burden and pushing these capabilities further out of reach for states with fewer resources or greater economic priorities.

Therefore ‘branching in’ is also dependent on a state having sufficient financial resources.

China’s surveillance activity

States that fully meet all of the criteria above are able—and consequently more likely—to branch in for domestic surveillance purposes. Conversely, states that lack one or more of these criteria are less able to branch in. Therefore, most states must branch out and use commodity spyware to address these deficiencies.

China is one nation which meets the above criteria, so it is worth studying from a ‘branching in’ perspective. The Chinese state has comprehensive control of domestic telecommunications infrastructure, which is dominated by state-run enterprises like China Telecom and China Mobile; it has exploited this control, together with its control over other telecommunications-related entities, to establish a wide-ranging digital surveillance infrastructure.

Control is furthered by legislation, such as Article 40 of the Chinese constitution, which essentially authorises public bodies to access personal data of all citizens. The 2017 Cybersecurity Law also mandates that Internet service providers engage in censorship and surveillance on behalf of the state. In fact, virtually all aspects of online (and offline) activity are subject to state surveillance, with the censorship of WeChat messages discussing the November 2022 anti-COVID-19 lockdown protests standing as a prime example.

Demographics considered greater security threats, like the Uyghur population, are subject to even more extreme surveillance, including deployment of facial recognition infrastructure, Internet and telecommunications surveillance and forced installation of surveillance applications onto individuals’ devices, which have been used to identify individuals for detention and questioning based on their online activities.

China also has a highly sophisticated offensive cyber capability. The activities and skillsets of its various cyber actors, such as APT31, APT40 and APT10, are well-documented, with these groups likely linked to various subsections of China’s Ministry of State Security (MSS) and Ministry of Public Security.

Figures for China’s offensive cyber development and implementation costs are not in the public domain. Extrapolating from China’s 2021 GDP of US$17.73tr, its 2022 defence budget of US$229bn, and the frequency and sophistication of its state-linked cyber activities indicates a significant level of financial resources available for development and implementation of offensive cyber activity.

China has one of the fastest-growing rates of digitisation and is a world leader in cyber-related fields like quantum communications, serving as an indication of the technical capabilities and innovation of its information security professionals.

So, we can see that China meets the criteria for branching in: control over telecommunications infrastructure, highly sophisticated offensive cyber power and sufficient financial and human resources.

China is indicative of how states that sufficiently meet the criteria branch in and utilise internal state assets and capabilities for domestic surveillance, with little need to branch out to commodity spyware for such purposes.

Legal restrictions lead to branching out

Although it varies in degree, control of telecommunications infrastructure is generally characteristic of nondemocratic regimes.

Democratic states generally maintain a legal basis for targeted surveillance against threats to state security, such as terrorists or organised crime groups, but such activity must be necessary and proportionate: access to communications networks and data is constrained by legal requirements.

While factors like corruption or a breakdown in oversight mechanisms could enable democratic governments to sidestep these safeguards, as a general rule democracies are highly unlikely to be able to branch in to conduct unwarranted surveillance against threats not to the state but to the government, such as political opponents, journalists and activists.

Those states lacking infrastructure control are pushed to branch out toward commodity spyware to overcome this limitation.

Several democracies have engaged in this activity. For example, Hungary, despite pseudo-authoritarian behaviour from its incumbent government, maintains a relatively strong constitution, and domestic surveillance is covered by numerous pieces of legislation. While the Fidesz administration has attempted to expand state access to telecommunications data and its infrastructure control, such legislation remains limited and does not allow generalised or unwarranted access to the content of communications. Unable to use state assets for more generalised surveillance of threats to the government as opposed to threats to the state, the Hungarian government instead branches out to commodity spyware like Pegasus and Candiru to target civilians and opposition politicians.

Likewise, Poland targeted political opponents, government auditors, lawyers and citizens with Pegasus, Spain targeted almost 70 Catalan politicians with Pegasus and Israeli cyber espionage company Candiru, while Greece used Pegasus and Predator spyware against numerous opposition politicians, journalists, and public figures.

A European Parliament report into spyware use determined spyware to be integral in democratic surveillance of critics, political opposition, media figures, journalists and whistleblowers.

These examples highlight how states lacking pre-existing or legislated control of telecommunications infrastructure are unable to branch in and use state assets to surveil these specific threats.

It is clear, then, that these states—or more accurately, the governments of these states—are more likely to branch out to commodity spyware to address this intelligence gap.

There is, however, a significant degree of nuance between the two poles of branching in and branching out: some states meet the criteria to a sufficient degree but nevertheless take the hybrid path of branching both in and out, using their own capabilities alongside commodity spyware.

While motivations for taking this hybrid path vary from state to state, the inherent characteristics of commodity spyware likely make it an attractive choice for the vast majority of states, even those capable of branching in. Ultimately, states fully meeting these criteria branch in and states failing to fully meet one or more of these criteria are forced to branch out, but for middle-ground states meeting these criteria to a sufficient degree, branching out to commodity spyware is a choice.

The increasing links we are seeing between democracies and the use of commodity spyware, along with the inherent attractiveness of commodity spyware as a domestic espionage tool, reveal that democratic and nondemocratic use of spyware is unlikely to slow down or reverse. That is, unless there is specific action, such as greater efforts to identify spyware, the creation and adoption of internally applicable and robust regulatory frameworks, and far greater visibility into state use of these tools.

While the character and constitutional composition of democracies may make them more likely to adopt such steps, nondemocratic regimes currently benefiting more from commodity spyware are likely to resist such action, with ongoing consequences for individual privacy, security and fundamental human rights under such regimes.

*This article is taken in part from a new SecAlliance article by Katharine Palmer (2023): Branching Out: Factors Motivating Nondemocratic Use of Commodity Spyware, International Journal of Intelligence and CounterIntelligence, DOI: 10.1080/08850607.2023.2202345