This post seeks to inform your understanding of the cyber landscape from the perspective of the realities of the world as it is vice as we would like it to be.
International efforts to grapple with the complexities of hostile cyber activities continue to languish in the United Nations. Whether it be trying to codify cyber norms of state behavior or hashing out the details of a new cybercrime treaty, there is an unquestionable appetite for the world to get some sense of control and standardization with respect to the activities transpiring in cyberspace. However, while the intent may be there, advancements have been slow, confirming that there may be little hope for meaningful consensus to occur anytime soon that will have an influential effect on how malicious state and nonstate actors operate and how they will ultimately be held accountable, thereby allowing the current status quo to persevere. Absent any governing laws or standards, governments will continue to leverage or at least tacitly allow questionable cyber operations from criminals and hacktivist groups as long as they serve their interests. And while governments may continue to proselytize at the altar of cybersecurity, saying the right things about the need for collaboration on working toward common security goals, they will inadvertently go unchecked in pursuing their strategic goals under the banner of national security, whatever their preferred definition of that term is.
There is no sign that this will abate any time in the near future. In fact, there is more evidence to suggest that the “battles” transpiring in cyberspace are only set to continue for the foreseeable future, according to recent predictions. As such, there has been increased development of technical countermeasures being offered to mitigate these threats, which is finding customers across industries. According to a new report from Research and Markets, the world’s largest market research store, the global cyber weapons market is set for substantial expansion in direct correlation with the increasing volume of cyber threats that are only expected to rise over the next ten years. These offerings span a range of functionality and include anything from “malware and viruses to ransomware and logic bombs,” to name a few. Research from Allied Market Research came to similar conclusions in its own report, which valued the global cyber weapons market at USD 9.2 billion in 2021 and estimated that it would generate an astounding USD 23.7 billion by 2031, with a compound annual growth rate of 10% from 2022 to 2031.
What’s more, these new offensive cyber offerings are popular because they have increasing applicability across both the public (i.e., government, intelligence, military) and private sectors as they can aid in exploitation, data collection, identification, surveillance, and in more severe cases, disruption and destruction. Indeed, these markets include but are not limited to national defense systems, public utilities, industrial control systems, financial systems, and communication networks, among others. According to data collected by one think tank’s research, between 2011 and 2023, at least 74 governments contracted with commercial firms to obtain spyware to support surreptitious activities. As of late 2016, there were 525 companies supplying such technologies, whose capabilities ranged from bypassing protection systems and monitoring/analyzing communication to sending fake software updates to targets. The aggregation of these results is telling: the demand is there, and so suppliers are more than ready to fill the need.
For a long time, possessing any substantial offensive cyber capability had been mostly the purview of the more advanced states that embraced the possibilities of technology in an integrated digital domain. Now, in 2023, that has largely changed as more governments and government agencies seek to obtain these capabilities. And while many may still deny involvement in some of the more noteworthy cyber attacks that garner international media attention (e.g., Stuxnet), others willingly admit that they either already can perform offensive cyber operations or express their interest in doing so. For example, the Netherlands, Denmark, Greece, and Sweden have openly acknowledged their offensive cyber capabilities, while Australia, the United Kingdom, and the United States have admitted to conducting them under the rubric of “forward defense.” But now smaller and developing nations are looking to join the club without the need to develop such capabilities internally. The cyber weapons marketplace has effectively lowered the barrier, letting them either purchase ready-made tools from companies like NSO, whose spyware was used by intelligence and law enforcement entities around the world, or else contract out to private individuals or entities (e.g., ex-NSA hackers). In any case, the message is abundantly clear. Like their larger government counterparts, smaller governments would rather have the capability to perform offensive cyber operations and perhaps not need them than want to conduct them and not have the capability to do so.
In a world where smaller countries are caught between a rock and a hard place with respect to the cyber powers’ ongoing exploitation of cyberspace to support their own interests, stalled efforts in trying to create cyber norms are leading countries to acquire their own offensive capabilities. If this trend continues, it could permanently resign UN efforts to the recycling bin as the international community sees that the leading proponents of both cyber sovereignty and an open democratic leaning of how the Internet should operate are supported by the biggest state perpetrators of hostile acts in cyberspace. And while the cyber malfeasance of authoritarian regimes that support cyber sovereignty may not come as a surprise to many, the vision supported by the West is equally self-serving to its economic and military advantage. On the surface, though democratization may seem a more fair and equal approach to global stakeholders, the leaks of sensitive documentation of the United States’ alleged global cyber spy program, monitoring of allied communications, and its collaboration with big tech and Internet companies to collect data certainly call into question what a democratic Internet in this context looks like, and who benefits most from it.
Exacerbating matters is the perception that hostile state-driven cyber attacks persevere without any significant consequence, which only reaffirms the decisions of smaller states to obtain offensive cyber capabilities, thereby contributing to the growth estimations of the global cyber weapons marketplace and the surveillance industry. Furthermore, the continued lack of any effort to find common ground further suggests that creating rules and standards for states in cyberspace is not really a priority for influential governments, as there appears to be more to be gained without them. Unfortunately, this puts importance on the offensive ahead of the defensive, further increasing the weaponization of a treaty-less cyberspace and raising the question of whether preserving the status quo for as long as possible isn’t the preferred outcome.