As the news cycle moves through stories about countless rounds of layoffs, there is one job that has remained steady throughout decades: hacking. In history, hacking has traditionally been used by nations to gather intelligence. A famous example of this is the enigma machine that Alan Turing made to break German crypto back in WW2. Today, hacking activities are not limited to nation-states carrying out intelligence gathering or cyber warfare anymore. They are also conducted by for-profit hacking businesses, with some countries even integrating both activities into their national industry. And that industry is booming.
According to a report from Cybersecurity Ventures, the global cybercrime costs are estimated to reach $10.5 trillion annually by 2025. This includes the costs of damage and destruction of data, theft of personal and financial data, embezzlement, fraud, post-attack disruption to business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm. The report also states that the cybercrime industry is currently worth around $1.5 trillion, including everything from the sale of ransomware to the development of exploit kits.
In my eyes, “hacking” is no longer just about intelligence gathering. Now there is a large industry in some countries that focuses totally on converting hacking into a sustainably profitable business. One recent and alarming development is the proliferation of powerful exploits or malware, which are being used to access mobile phones without any user interaction, bypass encryption, and spy on individuals' activities.
The Pegasus Project is a surveillance operation centered around a spyware application called Pegasus, which is developed and sold by an Israeli company called NSO Group. Pegasus can infiltrate mobile devices without user interaction, and once installed, it can steal data, photos, emails, and text messages, record phone calls, and activate the device's camera and microphone without the user's knowledge. In essence, it can turn the victim's phone into a surveillance device.
Typically, most malware attacks require the victim to click on a link or download a malicious file. Pegasus, on the other hand, can infect the device simply by sending a text message or missed call, which often goes unnoticed by the user. This level of sophistication has made Pegasus one of the most powerful cyber weapons in the world, capable of targeting anyone with a smartphone, regardless of their location or version of iOS or Android.
NSO Group has defended the use of its product, stating that it is intended to help governments combat terrorism and other criminal activities. However, it is widely believed that the company has sold Pegasus to several authoritarian regimes, including Saudi Arabia, the United Arab Emirates, and Hungary, where it has been used to target political dissidents, journalists, and human rights activists. The Pegasus Project revealed that at least 50,000 phone numbers were on a list of potential targets, including those of high-profile individuals such as heads of state, politicians, business leaders, and journalists. In fact, one of NSO's founders has recently emerged as the new majority owner of the company.
The Pegasus Project highlights the dangers posed by powerful exploits and the need for tighter regulation in the cyber world. As mentioned earlier, these types of attacks are not just limited to governments but also for-profit hacking businesses. The cybersecurity industry has seen an increase in the number of ransomware attacks, where criminals encrypt a victim's data and demand payment in exchange for the decryption key. This form of attack has led to a significant rise in economic cybercrime, with companies and individuals being held to ransom and forced to pay large sums of money.
There are now illicit organizations that focus solely on turning hacking into a sustainable business model. The rise of profit-driven hacking businesses has been fueled by the sale of computerized arms on the dark web and through company acquisitions. This is a concerning trend and it is imperative that we establish an international accord to curb the growth of this industry and prevent the weaponization of hacking for profit.
If we fail to acknowledge the details and allow these purchases to happen, we are enabling the creation of the business of cyber arms. Ransomware attacks have already become a new form of economic warfare, with privately owned companies being targeted by other companies in different countries. It's possible that companies, such as large US banks, may purchase these exploits and use them to retaliate against attackers, but we need to consider whether this is ethical or legal, and what it means for international relations. The internet has changed how borders are defined, and we need to consider how it has also changed warfare and adopt new rules accordingly.
Cybersecurity Ventures: "Cybersecurity Ventures: Global Cybercrime Costs to Reach $10.5 Trillion Annually by 2025" (2021) - https://cybersecurityventures.com/global-cybercrime-damages-to-cost-10-5-trillion-usd-per-year-by-2025/
The Guardian: "Pegasus project: widespread abuse of phone hacking software 'terrifying'" (July 18, 2021) - https://www.theguardian.com/news/2021/jul/18/pegasus-project-reveals-how-murderers-and-despots-used-phone-hacking-tool
The Washington Post: "NSO Group’s Pegasus spyware implicated in hacking of journalists, activists worldwide" (July 18, 2021) - https://www.washingtonpost.com/world/interactive/2021/nso-spyware-pegasus-cellphones/
Amnesty International: "Forensic Methodology Report: How to catch NSO Group’s Pegasus" (July 18, 2021) - https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/
The New York Times: "Israeli Spyware Maker Is in Spotlight Amid Reports of Wide Abuses" (July 18, 2021) - https://www.nytimes.com/2021/07/18/world/middleeast/israel-nso-group-pegasus-spyware.html
The Guardian: "NSO Group co-founder emerges as new majority owner" (March 1, 2023) - https://www.theguardian.com/technology/2023/mar/01/one-of-nso-groups-founders-emerges-as-new-majority-owner
These sources provide extensive reporting on the use of Pegasus by authoritarian regimes and the harm it has caused to human rights defenders, journalists, and political dissidents.