Commercial offensive cyber industry poses challenges for government agencies

A woman consults the website of the Israeli NSO Group, makers of Pegasus spyware, in Nicosia, Cyprus, on 21 July 2021. NSO Group has denied media reports that its Pegasus software is linked to the mass surveillance of journalists and human rights defenders, and insisted that all sales of its technology are approved by Israel's Ministry of Defence. (Mario Goldman/AFP via Getty Images)

A high-profile case in a UK court has drawn attention to the role of private companies in providing offensive cyber capabilities to foreign governments. A UK High Court judgment publicised on 6 October 2021 found that the ruler of Dubai, Sheikh Mohammed bin Rashid al-Maktoum, had probably authorised the use of a surveillance product called Pegasus against his estranged wife, Princess Haya, and two of her lawyers. Sheikh Mohammed denied the allegations, the Financial Times reported. The case came amid heightened public attention around the private surveillance industry, driven by media reports about the actions of US, Israeli, and other companies in this space.

The core offering of these companies is the ability to sustain remote access to a targeted digital device. For this reason, a March 2021 report by the Atlantic Council, ‘Countering cyber proliferation', used the term ‘Access-as-a-Service' (AaaS) to describe the industry. The report argued that AaaS was an example of an offensive cyber capability, defined as “a combination of technological, individual, organizational, and infrastructural elements that jointly enable operations in the cyber domain”.