Protesters in Cairo use cell phones to photograph a tear gas container in 2011. Photo: Karimphoto via Getty Images

A new report shows that a military contractor has likely sold spyware to repressive regimes. But the study's authors and other experts differ on how to stop the problem.

The big picture: That study, released Tuesday by the University of Toronto's Citizen Lab, found that 36 surveillance networks used commercial militarized spyware made by the Israeli NSO Group.

  • Many countries operated more than one network, and six of the suspected countries — including Bahrain, Kazakhstan and Saudi Arabia — had histories of using spyware to target dissidents, journalists and other civil targets.
  • Some uses veered toward the petty: One cluster of infections hit supporters of a soft drink tax in Mexico.

NSO is far from the only spyware maker that sells its tools to countries that might be repressive.

  • It happens often enough that companies follow the same script. “They say, ‘We only sell to law enforcement. We’re self-regulating,’” says Bill Marczak, the author of the Citizen Lab report. “But if this wasn’t being used to target civil society, it would never cross our desks.”

We can't get rid of the industry altogether. Lots of countries use commercial spyware for legitimate purposes. The study's list includes the U.S. and Canada, and the new U.S. strategy for military cybersecurity released earlier this week calls for more use of "off-the-shelf" hacking tools.

Citizen Lab's solution: regulation. “The best step to keep the tools in line would be a process of export controls with humanitarian restrictions rather than just defense and national security ones,” says Marczak.

Yes, but: The security industry is still stinging from the last time a powerful group of countries tried to do just that.

  • The nations of the Wassenaar Arrangement, an arms export pact that includes the U.S., EU and others, tried to use that agreement to slow the spread of commercial malware to repressive regimes in 2013.
  • The move was ultimately a disaster. Poor definitions in the agreement inadvertently applied limits not just to spying tools, but to research into spying tools, security testing software and other products that might need to replicate something bad to accomplish something good. Researchers — and Congress — rebelled.

Katie Moussouris, a cybersecurity expert brought in by the State Department to renegotiate the Wassenaar Arrangement, says, "We’ve already seen for 20 years that export controls on software have been hard to do with surgical precision."

  • Moussouris, the CEO of Luta Security, says better alternatives might include sanctions against misbehaving countries or intervention under the military's new cyber strategy.

The bottom line: There are no easy fixes.

  • "Stopping humanitarian abuses is something I think we as human beings typically support," says Moussouris. But there isn't any consensus on how to do that, safely, given the lessons learned the last time nations tried.
