In his farewell address, then-President Dwight D. Eisenhower acknowledged the need to “guard against the acquisition of unwarranted influence…by the military-industrial complex,” a term to address the intensifying relationship between government and the private sector’s defense industrial base (DIB), and its potential influence on national policy. In the years since his departure, there has been increasing evidence showing that Eisenhower was prescient in warning against this development. Fast forward to today, and we’ve seen a similar transformation with respect to the larger cybersecurity industry, with close ties having been forged between governments and private sector companies. Some of these ties have been purely commercial arrangements for the purchase of goods and services. Others may be more questionable, with companies working at the behest of or willingly supporting a government’s interests, being more assets than private, independent entities.
Leveraging private companies to support government cyber missions is not a completely foreign concept. A DIB by definition is a worldwide industrial complex that supports military requirements for material, products, and technologies. While in the past the DIB has focused on the design, production, and delivery of traditional weapons/equipment, the cyber age has ushered in similar needs for such support from the private sector to provide cutting-edge innovation. Therefore, it’s logical to presume that governments interested in obtaining, developing, and/or sustaining their cyber capabilities would solicit such assistance under the auspices of pursuing their national interests, especially from an industry that spawns advanced technologies and products. The types of services and products being offered range in sophistication and purpose from advanced surveillance capabilities to more destructive payloads.
Take for instance the hundreds of documents released by Wikileaks that revealed that approximately 160 such companies in 25 countries had developed an economy where they offered commercial products and services to governments interested in increasing their capabilities to surveil, intercept communications, and eavesdrop. One German company’s marketing material described how its software took advantage of newly found exploits to install on users’ computers for the purposes of stealing encryption keys and facilitating eavesdropping. Similarly, an Indian company claimed its product could trace encrypted banking transactions, as well as Gmail messages. Then there have been companies like the Hacking Team, Gamma International, Ltd., and NSO that gained instant notoriety when many of their business dealings with law enforcement and intelligence agencies came to light, exposing the extent to which their technologies were used to support obtrusive surveillance against politicians, journalists, and human rights groups, to name a few. Even though these companies have been considered to be facilitating the injustices of the “surveillance state,” they nevertheless have been ambivalent about which government agencies they sold their products to.
However, there are instances where cybersecurity companies have crossed the line to support offensive activities in cyberspace, as well. This seems curious, as cybersecurity by implication intimates a defensive mindset with technologies developed for the purposes of increasing capabilities to identify, mitigate, and remediate hostile cyber actions. But given the fact that many offensive cyber tools are dual use and originally developed for defensive purposes, such lines can be difficult to navigate. Many pen-testing tools (e.g., Metasploit, Cobalt Strike), administrative remote access tools (e.g., TeamViewer), and encryption ciphers have been leveraged by hostile actors to facilitate unauthorized access and engage in ransomware extortion practices.
Recently, an article suggested that the Russian cybersecurity company Vulkan is instrumental to Russia’s cyber warfare program, and that its services are relied upon by Russia’s intelligence and security apparatus. Based on reporting from approximately 1,000 leaked documents spanning 2016-2021 that were provided to a German reporter, Vulkan has supported Russia’s GRU (military intelligence), SVR (foreign intelligence), and FSB (domestic intelligence) agencies by providing tools and services. Per the article, the intimation is that Vulkan is not the sole private company helping out its government, but that there are other companies able to provide similar expertise to Moscow. Additionally, a cyber weapons market report identified at least two well-known cybersecurity companies as being “key market players adopting strategies, partnerships, contracts, and collaborations” in this area, further showing how such lines can be blurred easily when it comes to cyber technologies.
The Internet has not only connected the world, but it has also inextricably linked telecommunications and cybersecurity companies with governments via their products and services. As such, these companies may not necessarily be purely private in the sense that they have a vested interest in supporting a government in some capacity because of some unique offering or insight that the government does not possess. A recent declassified Office of the Director of National Intelligence (ODNI) report on commercially available intelligence (information provided by subscription that also includes publicly available intelligence) found that such offerings provide value to government intelligence efforts, citing companies such as Lexis/Nexis and ZeroFox as examples of providing such services. What’s more, the report clearly underscored the potential danger of commercially available information and the privacy concerns that can result without proper supervision. Given the recent revelation that the Federal Bureau of Investigation conducted more than a quarter million illegal searches on U.S. citizens over the years, it is easy to see how these types of services can be harnessed to bolster law enforcement/intelligence capabilities.
Cybersecurity companies have been very involved in exposing some of the more sophisticated nation state-driven cyber espionage, an activity typically associated with being carefully surreptitious. Over the past year, even Chinese cybersecurity companies have emerged on the scene and have shared reporting on alleged U.S. cyber malfeasance, something that they had not done years before. Again, the suspicion here is that these companies are being used at the behest of the government as assets to expose suspected U.S. cyber activities and tarnish the United States’ global image. At least one cybersecurity company has been accused of being controlled by or directly working for a government, a strange accusation given that companies provide products and services to governments all the time. Others share their research with governments, with some of these companies advertising potential employment opportunities for candidates possessing security clearances, ostensibly to be able to work at government sites where classified information is produced, processed, or shared.
Generally, companies profit from enhanced security concerns and a ramped up environment, which is likely indicative of more attention being given to threats that are faced. The same goes for the cybersecurity industry, which has benefited from a 24×7 news cycle, the increasing sophistication of state and nonstate cyber attackers, and the need to address the vulnerabilities of the technologies themselves. But looking back at the tenets of Eisenhower’s address, one cannot help but recall the impetus of the former president’s warning – that liberties and democratic process could be threatened by an unchecked complex. This is not to say that we have arrived at this point in cyberspace but given the advancements in technologies and incidents where they have been misused, it’s fairly easy to see that we may be close.
There are just too many positives achieved through this industry to cast the baby out with the bathwater. But the great capability that comes with these advancements needs better oversight and accounting of who uses them and how they are used. As various cyber bills make their way through Congress, it would be comforting to know that lawmakers recognize that errors – whether intentional or not – can happen and that there is a process in place to audit, review, and ensure that the most powerful tools produced by the private sector are not improperly used. With FISA renewal currently being debated by Congress, now would be the right time for lawmakers to demonstrate they have learned from the past and are prepared not to repeat the same mistakes.