B (11:02)

At Talas, they know cyber security can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales industry leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest roi. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most applications, data and identity. That's Talas. T H A L E S Learn more@talasgroup.com Cyber what's your 2am Security worry? Is it do I have the right controls in place? Maybe are my vendors secure? Or the one that really keeps you up at night? How do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence, collection of flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com cyber that's V-A-N-T a.com cyber.

A (12:55)

Sarah Graham is from the Atlantic Council's Cyber Statecraft Initiative, or CSI, and she is discussing their work and findings on mythical beasts diving into the depths of the global spyware market with Dave Buettner. Here's their conversation.

C (13:10)

So spyware can be defined in a few different ways, but in our report and this second published report we have here, we take a relatively narrow scope to how we're defining spyware as a type of malicious software that enables the unauthorized remote access of a target device for the purposes of intrusion and surveillance. And so oftentimes folks will ask us why isn't the scope broader? Or did you include something like stalkerware or ad tech? And we really keep a relatively narrow definition here focused on that unauthorized remote access specifically for the purposes of surveillance.

B (13:51)

Well, can you paint a picture of this market for us here? I mean, who are the key players and how do they tend to operate?

C (13:58)

Sure. So in terms of the marketplace, in recent years there's been A lot of great reporting by different organizations, including Citizen Lab and Amnesty Tech, about the harms coming out of the spyware industry. But in contrast, there's been a relative lack of transparency about what's happening within the marketplace. We oftentimes see headlines about big players such as the NSO Group, but there's a lot of other players, small, medium sized and more than just vendors. So our report is really trying to turn to look at the marketplace as a whole and understand the supply chain of different vendors, holding companies, investors and the like across the marketplace at a global scale.

B (14:43)

Well, who are some of the key players here?

C (14:46)

Yeah, so in our report we really take a look at the global scale of the spyware market, but hone in on a few particular areas of interest. On first turn, one of our major trends that we identified in the original report and see holding consistent with data from this past year are that the majority of identified entities are domiciled in Israel, India and Italy. But something I really want to point out, and we see as a trend emerging in this updated data set, is that there has been a significant increase within our sample of US Based investors that continue to disproportionately fund capabilities. And really we want to highlight this because it really undermines the important US government action that we've seen in the past 18 months to two years on spyware, in contrast with the investors from the US who continue to invest in these types of technologies.

B (15:43)

Yeah, can we dig into that a little bit? What, what insights can you provide as to what's driving that market investment from.

C (15:53)

From the US So to start with a bit of data, we see with the data from this past year, a total of 31 total US investors that we were able to identify. And this that we find is particularly remarkable given that some of the entities that US Investors are investing in are actually listed on the US Entity list. So, for example, Candiru, listed on the entity list, has investment from US Firms, including Integrity Partners, as well as a few other venture capital firms and pension funds coming out of different states. So we're seeing that there's investment from a wide range of investors into a wide range of different spyware vendors, not only including Candiru, but Cognant and a few others as well. And to your question of what's really driving this, our data doesn't necessarily answer that question, but something that my fantastic co author Jen Roberts continues to point out as we've dug into this data is there has to be a reason investors invest when they see the potential for profit despite US Policy actions such as the entity list, there obviously must be some expectation that there is a future profit to be had here.

B (17:15)

Yeah. Well, help us understand how these commercial spyware vendors differ from traditional state intelligence operations.

C (17:24)

One thing that we get asked about quite a bit is how do these spywares differ and how are they useful to governments for national security? And there's a strong sense that there's some political will to put controls on these technologies, despite the fact that they are used for permissioned uses in state national security operations. But there is interest to preserve that limited use, and the ability to do so really hinges on these sorts of transparency efforts with data sets like the ones that we've created here to ensure and maintain the integrity of those capabilities for those narrowly defined and permissioned use cases.

B (18:12)

Well, one of the things you uncover in the report here digs into the government's role both as buyers and regulators of this.

C (18:23)

Sure. So the government, the state plays a different role in different jurisdictions here. And so I can give you a few examples. As I mentioned at the start, what we do observe and see consistent is that three jurisdictions in particular, India, Italy and Israel, have a lot of activity within their boundaries. And what is something that we see is consistent amongst these three is that it's a relatively permissive environment with some sort of state involvement. This varies. We see in the Indian cluster that this is most common in the sort of hack for hire market. In Italy. There's a much older history of spyware with quite a bit of overlap with state entities, whether that's as buyers, but also as regulators, which as you can imagine, can oftentimes create some either implicit or explicit conflicts of interest and can really make transparency efforts and ultimately any meaningful regulation quite challenging.

B (19:28)

Why is it so difficult to hold these spyware companies accountable? I mean, is it as simple as the fact that they're offshore from our own local regulators?

C (19:39)

It's a million dollar question. I think a lot of people would like to know the answer to this. I can point out to a few things. One trend that we see in all of our reporting has been this feature of shifting vendor identities. So that might be really subtle name changes or total rebrands of different entities that make it really difficult to track consistency in their activity. These entities have a lot of smart folks involved, and so strategic jurisdictional hopping is something that they certainly partake in. And we see this in a few different examples. For example, we know from a court case that Quadream established a presence in Cyprus to avoid European export controls. And so as you can imagine this sort of limited ability to consistently track is a huge barrier. And that actually highlights one of our second key trends in this report around the role of resellers and brokers, which I'd be happy to talk about a bit more, too.

B (20:46)

Well, yeah, let's dig into it. What can you share about that?

C (20:49)

Yeah, what we find with our updated data sample is a large number of what we're calling resellers and brokers. These are sort of partners within the marketplace, and that can be unrelated to the development of spyware, but they contribute some sort of technical or business need for the vendor. So this could be something like marketing services, the provision of telecommunications intercept devices, or creating access to some sort of regional market that an original vendor might not have otherwise been able to easily enter and sell to interested buyers. And so through access to public data sources, we've been able to identify a larger share of these entities and have come to identify more and more that in this expanded and opaque marketplace, these types of intermediary entities are playing a pretty crucial role to limiting transparency.

B (21:49)

Yeah, can we talk about that? I mean, one of the things that it strikes me is that these spyware companies give a lot of nation states plausible deniability. Right? I mean, to what degree is that an element here?

C (22:03)

Certainly there's plausible deniability sort of up and down the supply chain. You could imagine all the way through at the end, use of surveillance, plausible deniability in terms of how particular information is gained. But there's also plausible deniability upwards on the supply chain. And I think these brokers and resellers play a really crucial role to that, whether it's mere overlap only of business officers, or whether that's some sort of larger overlap between, for example, the original vendor and setting up some sort of satellite office in another state to gain access to that market. Some examples that we really dug into in the report are around the Mexican spyware ecosystem. And with some recent transparency reporting, we've been able to see how there were layers and layers of plausible deniability through the creation of contracts that only very subtly indicate, perhaps, that these technologies were being sold to different state agencies.

B (23:11)

Where do we stand with policymakers here in the US Is there any broad agreement on the place that spyware is.

C (23:21)

Intended to play with the new administration? It's actually still relatively early, within the tenure of four years, and we haven't seen any public indications of change to the current status quo of the US policy perspective on these issues. But I think something to point out is that the absence of any change suggests at least that at minimum the current trajectory, which has in the past included this effort through listing vendors on the entity list, issuing sanctions and visa restrictions. Given that these things have not necessarily been pulled back, is some sort of signal that this might continue, this sort of policy action might continue.

B (24:10)

So to what degree should regular people be concerned about this for our listeners? Is this high level espionage kind of thing or does it affect people in their day to day lives in terms.

C (24:25)

Of targeting with spyware? Our report doesn't go into this in great detail and I would really encourage listeners to go and check out some organizations that really give a lot of context and color to these sorts of targeted surveillance intrusions coming from organizations like I mentioned of Citizen Lab or Amnesty Tech. But that doesn't deny the fact that we all can take some personal steps in our personal digital footprint and securing that What I think does matter though for most Americans is what I talked about with U.S. investments. When we dig into this a bit more in detail, we actually found that a few different pension funds, for example, are invested in spyware companies. If I'm recalling correctly, I believe a pension fund out of New Jersey and Washington State state are included in this. And while that might not be something that an everyday person is aware of, being able to have some context over where your finances are being invested into is certainly a first step in understanding what's going on and how entangled these sorts of ecosystems actually are.

A (25:36)

That was Dave Bittner sitting down with Sarah Graham on the Atlantic Council's Cyber Statecraft initiative, discussing their work and finding on mythical beasts diving into the depths of the global spyware market. When did making plans get this complicated? It's time to streamline with WhatsApp, the secure messaging app that brings the whole group together. Use polls to settle dinner plans, send event invites and pin messages so no one forgets mom 60th and never miss a meme or milestone. All protected with end to end encryption. It's time for WhatsApp message privately with everyone.

C (26:25)

Learn more@WhatsApp.com this episode is brought to you by Indeed.

B (26:32)

When your computer breaks, you don't wait.

C (26:34)

For it to magically start working again.

B (26:36)

You fixed the problem, so why wait to hire the people your company desperately needs?

A (26:41)

Use Indeed sponsored jobs to hire top.

B (26:44)

Talent fast and even better, you only pay for results. There's no need to wait. Speed up your hiring with a $75 sponsored job credit@ Indeed.com podcast.

A (26:56)

Terms and conditions appreciate In Derbyshire, the spy Dog spy pups and Spy Cat books, which are all wholesome tales of gadget wielding pets solving crimes. Well, they've been abruptly recalled after a web address printed in the back of the books started leading somewhere far less child friendly. And the site for these books, which was once home to bonus content, was taken over by a third party who replaced puppies and paw prints with explicit material. Yikes. Yeah. Publisher Puffin and author Andrew Cope expressed horror, urging everyone not to visit the link and vowing swift action through quote, appropriate channels. Schools, meanwhile, are treating the incident like a national security emergency, emailing parents, removing books, and issuing return immediately orders. For now, it seems Spy Dog's latest mission is an undercover operation in digital damage control. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com hey CyberWire listeners. As we near the end of the year and yeah, can you believe we're almost there already? It is the perfect time to reflect on your company's achievements and set new goals to boost your brand across the industry next year. And we'd love to help you achieve those goals. We've got some unique end of year opportunities, complete with special incentives to launch 2026, so tell your marketing team to reach on out to us. Send us a message to sales@thecyberwire.com or visit our website so we can connect about building a program to meet your goals. We'd love to know what you think of our podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K senior producer is Alice Carruth. Our producer is Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester with original music by Elliot Peltzman. Our Executive producer is Jennifer Ivan. Peter Kilpe is our publisher and I'm your host Maria Varmazes, in for Dave Bittner. Thanks for listening. We'll see you tomorrow.

B (30:11)

Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration and funding. The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity it all happens November 4th in Washington, DC. Discover the startups building the future of cyber. Learn more@cid.datatribe.com.