Reports emerged Oct. 16 that UAE-based cybersecurity company DarkMatter recruited officers who had previously worked for Israel's elite cyber intelligence outfit, Unit 8200. Interestingly, the story also noted that many of the Unit 8200 personnel had first worked at the Israeli cybersecurity company NSO Group before reportedly departing the company for larger salaries at DarkMatter. Both NSO Group and DarkMatter have generated a great deal of media coverage for allegedly arming governments with intelligence tools to spy on potential dissidents and journalists, among other targets. These cases, however, undoubtedly only scratch the surface of a much larger threat — that is, the increasing proliferation of intelligence tools and skills on the open market. Today, more actors than ever can purchase advanced intelligence capabilities, forcing us to reconsider the way we think about, analyze and protect against corporate espionage threats.
Corporate espionage is a serious, pervasive and persistent threat that emanates from a widening array of state and private actors. Today, tools such as LinkedIn are increasingly being used to not only acquire recruiting intelligence sources, but intelligence tradecraft by hiring officers and operators with world-class skills.
An Emerging Black Market
When assessing the corporate espionage threat posed by a hostile actor, Stratfor has long used a three-pronged model that gauges the actor's interest, intent and capability. Over the course of my career, I've encountered numerous cases in which an actor had the interest and intent to conduct espionage, but lacked the innate capability to effectively steal some piece of proprietary information or monitor a private organization's activities and communications. State sponsors have helped intelligence services punch far above their weight class in decades past. The training and equipment that the Soviet KGB and the East German Stasi provided Cuba in the 1960s and 70s, for example, helped propel its intelligence agency to top-tier status. Likewise, Jordanian intelligence has become quite competent thanks to its long association with U.S. counterparts. Many other nations and other espionage actors simply did not possess, and largely could not obtain, world-class intelligence capabilities.
But that is changing under this new model of intelligence capabilities proliferation. Certainly, the United Arab Emirates has taken a very big jump in its capabilities by creating DarkMatter and employing some of the world's most elite intelligence officers. Meanwhile, other countries such as Mexico and Saudi Arabia have allegedly purchased and used tools developed by the Israel-based NSO Group to ostensibly spy on journalists, opposition politicians and human rights organizations seen as threats to the regime. China's partner governments in Africa are also reportedly using technology manufactured by tech giant Huawei to track political opponents and other targets.
But while these cases involving Huawei, NSO Group and DarkMatter have garnered headlines, the threat extends far beyond the cyber realm. It has become increasingly common for intelligence professionals to parlay the tradecraft skills they acquired during their government service into high-paying, private sector jobs. This not only includes cyber skills used for hacking, but human intelligence know-how such as source recruitment and handling, as well as other esoteric tradecraft skills such as conducting black-bag jobs. As a result, the full array of espionage tools — including human intelligence tradecraft — is now available for purchase.
In some cases, the price tag for such tools and skills can be relatively steep. The base fee for NSO Group's Pegasus software used by the Mexican and Saudi governments reportedly cost $500,000 — with an additional $650,000 to hack the phones of 10 targets. But while expensive, these fees are certainly well within the budget of not only the intelligence agencies of even small countries, but private companies and large organized crime groups. Drug cartels in Mexico, for example, have hired hackers to help them gather information on their enemies. The notorious Sinaloa cartel also purchased state-of-the-art encrypted cellphones from the Canada-based Phantom Secure to protect both its operations and Joaquin "El Chapo" Guzman Loera's communications with his various wives and mistresses.
The Limitations of Outsourcing Expertise
This new model of intelligence capabilities outsourcing, however, is not without risk. First, as we've seen in Saudi Arabia's alleged killing of journalist Jamal Khashoggi, it can bring a great deal of unwanted attention upon the instigator when intelligence tools are used to help facilitate atrocities or otherwise violate international norms. Since the two stories first broke in late 2018, the Saudi and Mexican governments' use of the NSO Group's software have also resulted in a public uproar and court cases in both countries.
Anyone with the means can now buy advanced espionage skills, and presuming otherwise is as foolish as it is dangerous.
Second is the concern of loyalty. Intelligence providers will know who their clients are targeting, which can grant valuable insight into the internal dynamics of a country or its foreign affairs. There will thus always be some unease over the possibility that the providers of these intelligence capabilities could be double agents who are either still reporting to their former employers, or sharing that information with others — including those being targeted by the client. Take the case of Saudi Arabia: Even if the cyber tools are being employed by Saudi personnel, can the kingdom be positive that the software isn't reporting back to the NSO Group through some sort of backdoor channel where it can then be passed on to Israeli intelligence?
And last but not least, the intelligence tools and techniques up for purchase are either industry-standard or one-size-fits-all, and thus may be somewhat outdated and less effective in going after truly hard targets. Such capabilities are therefore unlikely to grant clients capabilities that rival those of first-tier intelligence agencies, such as the U.S. National Security Agency or the Chinese Ministry of State Security. But they can — and indeed have — sufficed when used to target less difficult targets, such as companies, journalists or nongovernmental organizations. And we expect to see them used increasingly against such softer targets going forward.
Because of this new reality, it is imperative that we update the way we think about the intelligence threat triad. Now, if an actor has interest in a piece of information and the intent to use espionage tools to obtain it — as well as the resources to afford outsourced tools and tradecraft — we must believe that they can acquire the capability to do so; to presume otherwise in an era where anyone can buy advanced espionage proficiency is as foolish as it is dangerous.