Protesters in Cairo use cell phones to photograph a tear gas container in 2011. Photo: Karimphoto via Getty Images

A new report shows that a military contractor has likely sold spyware to repressive regimes. But the study's authors and other experts differ on how to stop the problem.

The big picture: That study, released Tuesday by the University of Toronto's Citizen Lab, found that 36 surveillance networks used commercial militarized spyware made by the Israeli NSO Group.

  • Many countries operated more than one network, and six of the suspected countries — including Bahrain, Kazakhstan and Saudi Arabia — had histories of using spyware to target dissidents, journalists and other civil targets.
  • Some uses veered toward the petty: One cluster of infections hit supporters of a soft drink tax in Mexico.

NSO is far from the only spyware maker that sells its tools to countries that might be repressive.

  • It happens often enough that companies follow the same script. “They say, ‘We only sell to law enforcement. We’re self-regulating,'" says Bill Marczak, the author of the Citizen Lab report. "But if this wasn’t being used to target civil society, it would never cross our desks.”

We can't get rid of the industry altogether. Lots of countries use commercial spyware for legitimate purposes. The study's list includes the U.S. and Canada, and the new U.S. strategy for military cybersecurity released earlier this week calls for more use of "off-the-shelf" hacking tools.

Citizen Lab's solution: regulation. “The best step to keep the tools in line would be a process of export controls with humanitarian restrictions rather than just defense and national security ones,” says Marczak.

Yes, but: The security industry is still stinging from the last time a powerful group of countries tried to do just that.

  • The nations of the Wassenaar Arrangement, an arms export pact that includes the U.S., EU and others, tried to use that agreement to slow the spread of commercial malware to repressive regimes in 2013.
  • The move was ultimately a disaster. Poor definitions in the agreement inadvertently applied limits not just to spying tools, but to research into spying tools, security testing software and other products that might need to replicate something bad to accomplish something good. Researchers — and Congress — rebelled.

Katie Moussouris, a cybersecurity expert brought in by the State Department to renegotiate the Wassenaar Arrangement, says, "We’ve already seen for 20 years that export controls on software have been hard to do with surgical precision."

  • Moussouris, the CEO of Luta Security, says better alternatives might include sanctions against misbehaving countries or intervention under the military's new cyber strategy.

The bottom line: There are no easy fixes.

  • "Stopping humanitarian abuses is something I think we as human beings typically support," says Moussouris. But there isn't any consensus on how to do that, safely, given the lessons learned the last time nations tried.

Go deeper

Americans reflect on Independence Day amid racism reckoning

A Black Lives Matter banner and a United States flag on the facade of the U.S. embassy building in Seoul, South Korea. Photo: Simon Shin/SOPA Images/LightRocket via Getty Images

America's leaders are rethinking how they view Independence Day, as the country reckons with the historic, unequal treatment of people of color during a pandemic which has disproportionately affected nonwhite Americans.

Why it matters: The country’s legacy of racism has come into sharp focus in the weeks of protests following the death of George Floyd while in Minneapolis police custody. From Confederate statues to Mount Rushmore, Americans are reexamining the symbols and traditions they elevate and the history behind them.

Updated 9 hours ago - Politics & Policy

Coronavirus dashboard

Illustration: Aïda Amer/Axios

  1. Global: Total confirmed cases as of 7 p.m. ET: 11,031,905 — Total deaths: 523,777 — Total recoveries — 5,834,337Map.
  2. U.S.: Total confirmed cases as of 7 p.m. ET: 2,788,395 — Total deaths: 129,306 — Total recoveries: 790,404 — Total tested: 34,213,497Map.
  3. States: ICU beds in Arizona's hot spot reach near capacity.
  4. Public health: The states where face coverings are mandatory Fauci says it has been a "very disturbing week" for the spread of the coronavirus in the U.S.
  5. Economy: The economy may recover just quickly enough to kill political interest in more stimulus.
12 hours ago - Sports

Washington Redskins to review team name amid public pressure

Photo: Patrick McDermott/Getty Images

The Washington Redskins have announced they will be conducting a review of the team's name after mounting pressure from the public and corporate sponsors.

Why it matters: This review is the first formal step the Redskins are taking since the debate surrounding the name first began. It comes after weeks of discussions between the team and the NFL, the team said.