The Ethics of Selling Hacker Tools

With Indiana Jones about to enter the space race in the Dial of Destiny, I am reminded of the great Tom Lehrer’s 1965 song about former Nazi scientist Dr. Wernher von Braun’s “apolitical” approach to the engineering of rockets. According to Lehrer’s parody, “’Once the rockets are up, who cares where they come down? That’s not my department,’ says Wernher von Braun.”

In that vein, to what extent should computer security professionals consider the application and use of their discoveries and works and the ethical and moral questions raised by generating the ability of governments and corporations to successfully invade privacy? Alternatively, to what extent should security professionals also consider the application of their work to prevent governments from “legitimately” peering into the activities of criminals, terrorists, pedophiles and other dangerous persons? And whose job is it to make such determinations? Once the tools are up, who cares where they come down? That’s not my department …

The recent proliferation of cyberattacks and the use of malicious software by state and non-state actors raises fundamental ethical and moral questions for information security professionals. The Washington Post’s Joseph Menn recently reported that the Israeli company NSO Group developed and sold a series of zero-click attacks on updated iPhones. The attacks exploited vulnerabilities in Apple’s iOS 15 and early versions of its iOS 16 operating software, which the Cupertino company asserted have since been fixed. This is in addition to a 2022 zero-click attack on iPhones called “PWNYOURHOME,” which exploited vulnerabilities in Apple’s HomeKit and iMessage code.

These exploits serve as a prime example of the controversies surrounding the sale of hacking tools to governments for both counterterrorism efforts and the suppression of dissent. Should InfoSec professionals care?

NSO Group and Zero-Click Attacks

The NSO Group is a cybersecurity company based in Israel that specializes in the development and sale of surveillance technology. One of its most notorious products is Pegasus, a sophisticated spyware that can infiltrate updated iPhones through zero-click attacks. These zero-click attacks require no interaction from the target, making them particularly effective and hard to detect. They can be used to gather sensitive data, intercept communications and even take control of the device. The company claims that its products are designed to assist governments in fighting terrorism and crime, but there is growing evidence that its technology has been used to target journalists, activists and political dissidents.

Pegasus Infections in Mexico

A report by the Citizen Lab in collaboration with the Mexican digital rights organization R3D (Red en Defensa de los Derechos Digitales) revealed Pegasus infections aimed at journalists and a human rights defender between 2019 and 2021. The victims included two journalists who reported on official corruption and a prominent human rights defender. Opposition politician Agustín Basave Alanís was also infected with Pegasus spyware in 2021. These infections occurred years after the first revelations of Pegasus abuses in Mexico and despite assurances from the current Mexican President, Andrés Manuel López Obrador, that the government no longer used the spyware and that there would be no further abuses. This follows similar reports on misuse of Pegasus software by regimes in Palestinian territories, targeting human rights organizations in Bahrain and a host of other groups.

The problem here is not the tool, per se. It is that the sale of the tool—even to liberal democracies—permits and encourages the use of the tool against pesky journalists, opposition parties and other opposition groups. For repressive regimes, such targeting occurs with impunity.

Control Issues

One of the primary ethical concerns in the sale of hacking tools to governments is the issue of control. NSO Group claimed that it only sells its products to legitimate governments and that it is not responsible for how its clients use the technology. However, the Mexican case raises questions about the company’s ability to control the end-use of its products and the extent to which it should be held accountable for potential abuses. Additionally, the lack of transparency in the sale of these tools and the absence of an international regulatory framework exacerbates the problem, allowing governments to use these tools with impunity. Once the rockets go up, who cares where they come down? It’s not just hacker tools. It is any tool or service in information security. At the end of the day, InfoSec professionals either protect data from prying eyes (defensive tools) or help see things that others don’t want to be seen (offensive tools). Should we care how these tools are being used, or should we simply be hired guns?

Morality and Ethics

The sale of hacking tools raises numerous moral and ethical concerns. On the one hand, it is argued that these tools can be employed for legitimate purposes, such as combating terrorism or tracking down criminals. However, the potential for misuse is significant, particularly when these tools are sold to governments with a track record of human rights abuses. The use of NSO Group‘s technology to target journalists and activists, for example, undermines the fundamental rights to privacy and freedom of expression.

Moreover, the use of hacking tools for surveillance purposes raises ethical questions about the balance between national security and individual privacy. In a world where governments are increasingly turning to digital surveillance to monitor and control their populations, information security professionals must consider the ethical implications of their work and whether their services are contributing to a broader erosion of civil liberties.

Would you be comfortable being hired to secure the communications of a drug cartel, a pedophile ring or a terrorist organization? Certainly not. But what about a corporation that is secretly dumping toxic sludge into waterways or willfully underreporting its earnings? Is it the job of the CISO or InfoSec professional to delve into the reasons the entity wants privacy and security? That is, should you care what they are securing or attacking, or is that someone else’s department? Oh, you want answers? Sorry. None forthcoming here.

Legal Considerations

The sale of hacking tools also raises several legal issues. While the NSO Group argued that it only sells its products to legitimate governments, the definition of “legitimate” is subjective and may vary depending on the country or organization. In some cases, the sale of these tools may violate international law, particularly when they are used to target individuals without due process or for political purposes. Additionally, the lack of a clear legal framework governing the sale of hacking tools makes it difficult for information security professionals to navigate the complex ethical and legal landscape. Security professionals should be aware of the legal implications of their actions, as they may face liability for aiding and abetting clients who use their services for illegal activities. In some jurisdictions, providing assistance, even indirectly, to individuals or organizations engaged in criminal activities can result in severe penalties, including fines and imprisonment. To mitigate these risks, security professionals should establish rigorous due diligence processes to vet clients and maintain strict ethical standards in their work. A case pending before the Supreme Court seeks to hold Twitter civilly liable for “aiding and abetting” certain terrorist attacks merely for failing to prevent the use of the service by those who perpetrated the attacks.

Understanding Client Motivations

It is crucial for computer security companies to understand and assess the reasons why their clients want to secure their systems or develop offensive capabilities. There are several ethically questionable reasons clients may have for seeking these services:

Political repression: Governments may use hacking tools to surveil and suppress opposition groups, leading to human rights abuses and the violation of civil liberties.
Corporate espionage: Private companies may engage in cyberespionage to steal trade secrets, intellectual property or other sensitive information from competitors.
Cyberwarfare: State actors may use hacking tools as part of their broader military strategy, potentially causing collateral damage and violating international law.
Blackmail and extortion: Criminal groups or individuals may use hacking tools to gather sensitive information for blackmail or extortion purposes.
Disinformation campaigns: State or non-state actors may use hacking tools to spread false information, manipulate public opinion or undermine trust in institutions.

In light of these potential motivations, information security professionals must develop strategies for vetting clients and their intentions to ensure that their services are not being used for nefarious purposes.

Should cybersecurity professionals look into the motives of their clients? What are the ethics of offensive and defensive cybersecurity? If we—who are moral and ethical—don’t help attack/defend this infrastructure, won’t the customer simply turn to someone else who is not as moral and ethical as we are? We are white hat (well, grey, maybe) hackers. If we don’t do it, will they turn to black hat hackers?

AI Tools: Unknown Functionality and Uses

The development of artificial intelligence (AI) tools in the cybersecurity industry adds another layer of complexity to the ethical considerations. These tools often rely on machine learning algorithms which can be opaque in their functionality and decision-making processes. As a result, developers may not fully understand how their AI tools work, what biases they may introduce or how they will be used by clients.

This lack of transparency can lead to unintended consequences and ethical dilemmas. For example, an AI-powered hacking tool may inadvertently target innocent individuals or be used by clients to conduct illegal activities without the developer’s knowledge. To address these concerns, developers should strive for greater transparency in their AI tools, collaborate with stakeholders to develop ethical guidelines, and continuously monitor the use of their tools to ensure they align with legal and ethical standards.

Conclusion

The sale of hacking tools, such as those developed by the NSO Group, raises a host of ethical, moral and legal concerns for information security professionals. The potential for misuse is significant and the consequences can be dire for individual privacy and civil liberties. To navigate this complex landscape, security professionals must develop strategies for vetting clients and their intentions, maintain strict ethical standards and be aware of the legal implications of their actions. Additionally, the rise of AI tools in the industry necessitates increased transparency and collaboration to ensure these tools are used responsibly and in accordance with international norms.

Ultimately, the onus is on information security professionals to ensure that their services contribute to a safer digital environment for all, rather than exacerbating existing inequalities and injustices. That may mean turning down (or turning in) clients. But this assumes that governments themselves are also not the problem—and they often are. At the end of the day, we should all care where the rockets go down. That is our department.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.