Cybercrime gangs like the notorious Lazarus group and spyware vendors like Israel’s NSO should be considered cyber mercenaries – and become the subject of a concerted international response – according to a Monday report from Delhi-based think tank Observer Research Foundation (ORF).
Author Fitri Bintang Timur argued the term mercenary applies because, as amendments to the Geneva Convention put it, mercenaries are “an entity having the motivation to gain financial or material compensation in return for their willingness to fight for the recruiter’s country.”
The modern equivalent is those who carry out such operations using information technology and networks – hence the term cyber mercenaries. Such groups have been documented and studied by organisations like Citizen Lab and Amnesty International since the early 2010s, but are often treated as mere criminals.
Timur argued that Lazarus Group earned the dubious title of cyber mercenary by developing and distributing malware on behalf of the North Korean government. She asserted that NSO Group, although a legitimate (if controversial) business, joined the club by peddling its Pegasus spyware to any government willing to purchase and deploy it. Other cyber mercenary operations simply offer hackers-for-hire.
The report asserted that the market for cyber mercenaries is growing, as it is useful for state actors to improve their offensive capabilities while maintaining “plausible deniability through the avoidance of identification.”
Cyber mercenaries are also seen as cost-effective. They don't require a human resources department, training, or other personnel costs. Nations that can't afford an offensive cyber-ops crew of their own may therefore hire cyber mercenaries to get into the game.
While some work has been done to curb such actors, Timur suggested more needs to be done. She called for legislation that aligns the use of intelligence and digital forensic tools with human rights obligations.
She also stated that standards must be set so that acts conducted in the name of national security still respect human rights declarations. Timur noted in her report that otherwise peaceful countries use legislative loopholes to “harbor cyber-mercenary subsidiaries and research centers” – an arrangement that can turn sour, for instance when information is leaked or otherwise used for questionable purposes.
For example, in the case of NSO Group, the European Commission chose not to interfere with individual member states’ use of its notorious Pegasus spyware because it was categorized as a “national security” tool. Yet the software was used to target government officials, journalists, businesspeople, activists, academics, and others who posed little plausible threat to national security – but may have been irritants to politicians.
The report concludes by calling on citizens to demand accountability from governments and businesses that engage cyber mercenaries. Timur noted that civil society groups have already taken action through lawsuits to demand better transparency. ®