Earlier this week, Tom Burt, corporate vice president of ‘customer security and trust’ at Microsoft, published a blog post expressing the company’s support for WhatsApp in its legal battle against the Israeli NSO Group. With this, Microsoft officially joined a league of the world’s most prominent technology companies in fighting cyber mercenaries. The case harks back to the notorious Pegasus hack that ran riot on WhatsApp, targeting journalists and human rights activists on behalf of governments. The term ‘cyber mercenaries’ itself seems about right, referring to Tim Maurer’s novel titled Cyber Mercenaries – The State, Hackers and Power.
The intention, hence, is pretty clear – technology companies are sitting up and officially taking note of the present cyber security climate. Organisations such as the NSO Group have to date flaunted governmental immunity, stating that they build specialised and highly sophisticated cyber espionage tools at the request of nations. These tools, in turn, are used by national governments to carry out strategic cyber warfare on targets. As a result, the NSO Group has so far claimed immunity from legal prosecution, citing its contribution to state-backed cyber operations as classified information. Now, technology majors such as the Facebook-owned WhatsApp, along with Google, Cisco, VMware and now Microsoft, have joined the fray.
The state of today’s cyber security
Such a move may not result in immediate, direct benefits in prosecuting cyber threat actors, especially those with nation-backed funds and motives. However, it underlines the state of cyber security around the world today. Keeping aside the major privacy issues of Big Tech, cyber threats today exist in consumer apps strewn across Android’s Google Play Store, and in numerous third-party websites. These threats include spyware such as Pegasus, which often deploys zero-click tactics and exploits zero-day vulnerabilities to install itself secretly on smartphones.
Such attacks then deploy common cyber attack tactics, such as privilege escalation, to gain high-level access to devices. Such access, like what NSO’s Pegasus took in systems it infiltrated via WhatsApp, would allow the spyware to gain the privilege to read a device’s display and bypass standard security processes such as biometric authentication. Pegasus then combined these tactics with remote access trojan (RAT) processes to relay key information back to a remote server, which in turn would allow infiltrators to scrape information off unsuspecting users and send sensitive data to attackers.
Beyond the spyware attacks, rampaging ransomware attacks such as WannaCry and NotPetya have used a mix of these tactics to hold critical sectors for mammoth ransom. At the centre of the alarmingly growing cyber crime world are nations, and state-backed hackers with deep funds to develop tools that bypass the common layers of cyber security. What makes it all even more alarming is how difficult any of them are to track down, and the immunities, in the form of national security and national interest, that these organisations are afforded.
Valuable amicus curiae to the complainant
It is this cyber security scenario that makes Microsoft’s move particularly relevant. While the companies have not formed an official consortium, Microsoft’s Burt says that the amicus brief filed by Microsoft, along with Cisco, GitHub, Google, LinkedIn, VMware and the Internet Association, aims to put a check on the NSO Group’s “dangerous business model.” In many ways, this would set a precedent for consumer cyber security.
Burt says, “Private sector companies creating these weapons are not subject to the same constraints as governments. Many governments with offensive cyber capabilities are subject to international laws, diplomatic consequences and the need to protect their own citizens and economic interests from the indiscriminate use of these weapons. Private actors like the NSO Group are only incented to keep these vulnerabilities to themselves so they can profit from them, and the exploits they create are constantly recycled by governments and cybercriminals once they get into the wild.”
It is this that WhatsApp, with ancillary support from the likes of Google and Microsoft, aims to force legal counsel to alter. In essence, what the tech companies are now seeking is regulation of the state-backed cyber operations sectors in nations. Industry experts whom News18 spoke to say that in the long run, such moves may help establish international regulations under which national cyber operations and cyber tools may operate.
As for your personal cyber security, the long-term impact of the move by Microsoft and other companies can trickle down to tighter regulations that offer you legal recourse in fields such as state-sponsored cyber campaigns. It may add an extra layer of security for users. Regulating private sector involvement in national cyber operations would also help in determining clear routes through which malware, spyware and other tools reach the dark web markets. In turn, this would also help detect which tool originated as nation-state spyware, and which was the wilful work of a private organisation for commercial gain.