
Sarah Graham
Reporting suggests that brokers and resellers really perhaps distort the price of capabilities and the exploits they rely on. And this could really drive up costs and despite that, really introduce more risks to the entire supply chain, therefore constituting a really important but so far relatively understudied force in the market itself.
Justin Sherman
It's the Lawfare Podcast. I'm Justin Sherman, contributing editor at Lawfare and CEO of Global Cyber Strategies, with Jen Roberts and Sarah Graham of the Atlantic Council to discuss their new report, Mythical Beasts, on the state of the global spyware industry.
Jen Roberts
So these capabilities are being utilized against Americans. They are a counterintelligence risk for American security. And a large part of the industry doesn't necessarily operate within the US parameters, so we have less oversight and ability to sort of shape this market.
Justin Sherman
Today we're talking about the global spyware market, how it's evolved in the last few years and the future of the risks to the United States. Let's kick off with both of you telling us a bit about yourselves and what you are working on currently.
Jen Roberts
Sure, I'll kick off. Hi, my name is Jen. I'm an associate director with the Atlantic Council's Cyber Statecraft Initiative. We're a think tank that's based in Washington, D.C. Over at the Council, I work on our proliferation of offensive cyber capabilities. This is primarily focused on spyware for the past two years, but sort of encompasses wider market dynamics of offensive cyber.
Sarah Graham
And hi, I'm Sarah. I'm a research consultant with the Atlantic Council's Cyber Statecraft Initiative and have been working on co-authoring this particular spyware piece with Jen and more broadly working on some follow-up works to it as well.
Justin Sherman
We're going to talk today, as you just alluded to and as we heard in the intro, about the state of the global spyware industry and trends in everything from investments in spyware to the capability resellers themselves. You have a new report out, as Sarah just referenced, that will form the basis of this conversation, called Mythical Beasts: Diving into the Depths of the Global Spyware Market, which is published with the Atlantic Council. It also builds on some past work you've done in the vein of what Jen was saying, including a 2024 report that similarly snapshotted the spyware market. So we're going to get into all of that in a minute. But just to start us off with some definitions here, what is spyware? How do you define spyware? And then typically, if we're talking about spyware versus other kinds of hacking or cyber intrusion capabilities, how are those typically distinguished in their definitions?
Jen Roberts
Sure. So this new report, called Mythical Beasts: Diving into the Depths of the Global Spyware Market, as Justin, you alluded to, is part of a larger series that we have done at the Atlantic Council, which dives into the supply chain of the global spyware market. When we're talking about spyware, there has been some debate over how to even define spyware. So in the report, we spend a lot of time scoping what we mean by spyware. And that definition is: spyware is software that facilitates unauthorized remote access to an Internet-enabled target device for the purpose of surveillance or data extraction. This differentiates itself from other offensive cyber tools both in terms of scope and scale. For example, out of 195 countries in the world, at least 80 are known to have procured spyware from commercial vendors. In a report from Google a couple years back, they found that over 50% of all of their zero-day exploits were utilized by spyware vendors. So this is a really big sector of the offensive cyber capabilities market. And it's particularly an invasive type of malware. It can gain, oftentimes without any user interaction, access to your applications, your search history, calls, your texts, photos, locations, microphones, recording geographic data, anything that you can sort of think of, spyware sort of captures once it's on your device. So this industry is pretty prolific, it's pretty obscure. And what the Mythical Beasts report tries to do is inject information about this industry and its supply chain so that policymakers and researchers alike understand the scope and scale of this market.
Justin Sherman
Several things in there we'll dig into. Just to note, as many listeners know, of course, zero day, as you're referring to, being a flaw that has been discovered for zero days. That is, folks don't know it's there. So you touched on this a little bit, but just to pull this out explicitly, this is an industry, it's a market. And so it's therefore meeting some kind of demand. What are some of those demands from a buyer standpoint that these spyware companies are meeting?
Jen Roberts
Sure. So this commercial industry of spyware vendors sells primarily to states that either (a) cannot develop their own offensive cyber tools, or (b) can develop them, but don't necessarily want to utilize them for the scope of a certain attack that they are conducting. So if they deem it not necessarily as high of a priority, they might not want to burn a capability that they have in the chance that it gets discovered. So essentially a large part of this market in this industry is going to states that want these tools for national security purposes or other purposes that necessarily cannot develop them themselves.
Justin Sherman
To start getting into what you found in this study, let's first get the rundown on what you actually examine. So briefly describe to us the data on which the report is based and maybe some more detail on, you know, how many of these vendors and entities did you look at? Where are they geographically? And are there, just to give additional color to this, a few names of spyware players you looked at that might be familiar to listeners?
Sarah Graham
Sure. So this report is the second edition, as you mentioned, of the Mythical Beasts project released last year. And so to give a little bit of color to the initial data set, initially we reported on 435 entities in the spyware ecosystem. And this includes vendors, suppliers, holding companies, investors, partners, subsidiaries and individuals. So quite a few. The updated dataset digs into a few things. First, we reexamined all of the existing entities to bring them to present and present year, meaning the end of 2024. And so by this we mean that we sought evidence of activity in 2024 or the absence of evidence of closure to suggest that they are still active, or we sought evidence of legitimate business closures in a few cases. So first we brought everything up to date by a year. And then second, we brought in quite a few new entities, bringing our total up to 561. So to give a little bit of color to this, this includes 4 new vendors, 10 new suppliers, 3 new countries, as well as 20 new US-based investors alone. And I'll note that this is a mix of new evidence found in corporate registries and some of the evidence is historical, so maybe it wasn't disclosed previously or we didn't account for it the first time around. And I'm sure we'll dive deeper into this. But a lot of the US-based investment flow is into some of the larger or higher profile spyware vendors, as you mentioned, that listeners might be familiar with, including Paragon, Cognyte and Candiru, just to name a few.
Justin Sherman
You referred a couple times to this. And again, as you mentioned, this builds on past work, but there are at least two major developments that you and your co-author identified since 2024, and the first of those relates to US investors. The second of those relates to, I should say, the role of US investors in the spyware market, and the second major development in the spyware industry in the last year or so relates to resellers and brokers. So we'll take those one at a time here. First, what does the number of US investors in the global spyware market look like? What is the nature of those investments? When we say investments, is that they're putting money into a very early stage company? They're trying to get a return on something that's quickly growing? What does an investment look like? And then how does that represent an evolution over time compared to, if we go back a couple years ago, the role that US investors played in this industry?
Jen Roberts
US investment into spyware really kicked off in 2024. We have the addition of 20 new US-based investors that all invested in spyware for the first time in 2024. Specifically, this is a pretty major uptick from the past two years. There's a chart in our report that shows this visually, if you're a more visual person. But if we take years of activity and measure it over time, in 2023 we had five active US investors in spyware, and in 2024 we had 24. So that's quite a big spike in investment. And as Sarah mentioned a little bit earlier, these investors are investing in firms that are pretty well established, so pretty late seed investment here. Specifically, in late 2024, a US company called AE Industrial Partners invested in Paragon Solutions. Paragon Solutions is an Israeli domiciled spyware vendor of Graphite and has a US subsidiary, Paragon Solutions US. Paragon was recently entangled in a scandal with the Italian government that was utilizing this spyware to surveil human rights defenders and other members of civil society. And then in early 2025, another American company, Integrity Partners, invested in Saito Tech, Candiru, another name that it historically went by. And Candiru, Saito Tech, has been on the U.S. Commerce Department's Entity List since 2021. So what we're seeing here is both a contradiction and a critical enforcement gap between US policy and US investment. The US government over the past couple of years has really sunk a lot of time and energy into cracking down on the proliferation and misuse of this market, including most recently visa restrictions and sanctions against some of these actors. So to see US investment spike so much this year is quite interesting because there has been sort of a lot of US policy attention on this issue set, and the investment community and US policy interests don't necessarily seem to be aligning right now.
Justin Sherman
I'm glad you mentioned the Entity List. Just as an aside, we're going to come back to that later in the episode. But just as you noted, right, of course, the Entity List is focused on generally the export of goods and services and technologies, et cetera, to a particular entity, but not necessarily investment. And so that's an interesting point there. So you talked about U.S. investors. Are there... this is in some ways a leading question, but, you know, are there other countries besides the United States that are home to some of these investors in the spyware companies? And if so, what are some of those countries where either lots of entities or lots of money is flowing into the spyware sector?
Jen Roberts
Sure. So about 50% of our data set, perhaps even more now, is represented through investors through sort of four main countries. The United States now is the largest one, followed by Israel, then Italy, then UK. It's important to note that Israel and Italy are two hubs of the spyware ecosystem in general. In the first report we identify in our first trend is called the three I's, three jurisdictions where there is a concentration of spyware activity. They all happen to start with I. So it's easy to remember: Israel, Italy and India. So two of the biggest investors outside of the US into spyware are also large stakeholders in sort of the market writ large.
Justin Sherman
Interesting, since those are distinct, as we're saying, but they overlap. So the second major development you identified in the spyware industry from 2023 to today is a greater presence of spyware resellers and spyware brokers. So we'll talk about the development itself in a second. But to give us the definitions here, to set the foundation, define that for us: what is a spyware reseller versus a spyware broker? And then how do they differ from other entities that play a role in the spyware industry?
Sarah Graham
This is a really great set of questions because I think that these entities in particular are really tricky to define. And we worked in this report to balance the tension between being really precise in all of our entity definitions, all of these different vendors and suppliers that we've been talking about, but also wanting to still make some space for acknowledging areas where things might be a bit murky. So brokering and reselling entities definitely fall into this latter category. And in the report, we group these under our partners definition. Part of this definition reads that a partner is a company that is connected to a spyware vendor, though the relationship can take a few different forms. For example, and most relevant here, is that a partner can be unrelated to the development of spyware itself, but contributes to the technical or business operations of the vendor. And so this is where the brokers and the resellers really come into view. There's two notes to highlight on this. First, how we conceptualize them. We can think of them as intermediaries between buyers and vendors or other suppliers in the supply chain. And they facilitate or broker a deal or through the total purchase and then resale of those products. So, for example, we've seen evidence of these entities creating access to regional markets which might not otherwise have strong relationships between prospective buyers and vendors. And overall, these entities are somewhat different from others in the marketplace because of the role they play. They sit very much downstream of the original vendors and play this sort of connective or fluid role. And second, the note that I want to highlight is how we differentiate in identifying them.
While a lot of the data that we rely on in this report comes from corporate registries and public information from reporting, for example, the brokering and reselling data comes from a few non-standard sources and sort of adds to this murky aspect of it, which is that it tends to come from patchy or uneven data sets, you might say. So hack and leaks that might really focus in on a particular case, or from voluntary transparency disclosures, as is the case, for example, in recent years with the Mexican government, or otherwise, from some really high skilled, high focused investigative journalism. So overall, we really only have perhaps a snapshot of the full role of these entities.
Justin Sherman
With those distinctions in mind, then, what did you find vis-à-vis a greater presence of those resellers and brokers in the market in the last few years? And then what exactly does that mean when you say that they have a greater presence in that market?
Sarah Graham
So in terms of greater presence, I think we can think about this in two ways, in terms of numbers and then the effect that these entities have within the marketplace. So starting with numbers, overall, it is frankly a relatively small slice of the total number of 561 entities. So by the numbers in the first report, only two entities were identified. This was RCS Labs and Vast. And in these cases, their involvement only came to light through the hacked and leaked data, as I mentioned, from Hacking Team, the Italian spyware vendor that now operates as Memento Labs. In contrast, in our update, we identify seven more entities. So some of these are historical. But throughout our research, we found more evidence pointing us to look at these sorts of regional markets where brokers and resellers are filling a gap between where there might be elsewhere a high vendor concentration, as Jen mentioned, for example, in the three I's trending areas, and then sort of directing into perhaps more regional markets in Latin America or Southeast Asia, for example. So overall the first one here is greater in terms of number, but then the second one we refer to here is greater in terms of effects. So we see these entities having a greater presence in part because of our suspected impact they have on the overall market. And by this I mean that reporting suggests that brokers and resellers really perhaps distort the price of capabilities and the exploits they rely on. And this could really drive up costs and despite that, really introduce more risks to the entire supply chain, therefore constituting a really important but so far relatively understudied force in the market itself.
Justin Sherman
Did your data provide any insights into which entities are actually purchasing spyware, whether from these brokers or resellers or the original vendor, and what they might be using the purchased spyware for?
Sarah Graham
We do look into this a little bit, but something that I want to point out is, as Jen laid out up front, we're really focused on the supply chain and really understanding all of the components that go into the spyware ecosystem and not so much on who the ultimate buyers are or for example, what they might be used for, whether these are legitimate uses or potential abuses. And so overall, there's a lot of great work by other organizations that we've relied on and who look a lot more on sort of the effects side of the market, including Citizen Lab and Amnesty Tech, who listeners might be familiar with and want to dig in more there to understand a bit more on sort of the effects side.
Justin Sherman
Got it. That's helpful. So on top of these two major developments, the two of you and your other co-author additionally identify six defining characteristics of the spyware industry based on the data and the analysis. So I want to... we're not going to do all six, unfortunately. I wish we had more time, but we are going to focus on a few that are super, super interesting. So one is that, as you alluded to with the three I's, you found a disproportionate geographic concentration of these spyware entities in Israel, in India and in Italy. And so explain this to us a little bit more. Are there known explanations or hypotheses for why this is the case, and what in particular makes the concentration of the spyware entities in these countries, quote, unquote, disproportionate?
Jen Roberts
Sure. So these six trends that we identified, we identified in the first Mythical Beasts report and we wanted to include them in this report as well because they have held relatively constant. We didn't see any big swooping changes across these six trends. So this is really exciting as researchers. But I also think for policymakers and folks that are tracking the industry, that the spyware ecosystem, the spyware market, has not evolved at a pace so rapid that policy action and other sort of research cannot be conducted into the shape and scope of it, which is very interesting for folks that are interested in spyware. But diving specifically into why perhaps Israel, India and Italy, I would say two reasons. First, perhaps that's just where the talent is. These countries might just have a larger scale of highly skilled workers who are capable and have the means to sort of to tech up and focus in on these industries. It could be because of defense structures within these ecosystems. It could also be because there are permissive environments that allow sort of companies to have less regulation from the state in these jurisdictions. And what makes these countries, quote, unquote, disproportionate is just seeing not only are they home to a bunch of spyware vendors that we observe in the global market for spyware, they have quite a large stake of vendors themselves, but they also have, like I mentioned earlier about investors, Israel and Italy have a wide host of investors in the spyware market. So concentration of not only vendors but also other arms of this ecosystem: investors, individuals, suppliers, holding companies and all of the like. So it's not just spyware vendors who are domiciled in these jurisdictions. It's truly a code across the categories that we have defined in the data set. They are present in these three jurisdictions.
Justin Sherman
I just want to add one question here, which is I'm curious if you have a specific opinion, because as you say this, I'm thinking, okay, the hypothesis, for example, on they have the talent is compelling to me. In some cases, for example Israel, we certainly here read more than enough about Unit 8200 in Israel and various others that are highly sophisticated in cyber, but no shade to Italy, for example. But it seems a little strange that, for instance, one would have a huge concentration of spyware if it was just based on talent coming out of Italy versus the US or China or something. So not to say, I mean, you study this much more than I do, but I'm just curious if either of you have a particular view on which of those hypotheses or which other hypothesis might be the most compelling.
Jen Roberts
Justin, I agree with you. At first glance I was also sort of surprised to see Italy in this list. But upon revisiting the data and thinking about it a little bit more, an Italian vendor is the first vendor that we observe in the Mythical Beasts dataset, which goes back to 1992. So really they're the first comers into this market. And while they might not be as sort of globally recognized as some of other jurisdictions that we map and, Justin, that you listed, they're a notable jurisdiction that's based in the EU and perhaps that is why they have stuck around for so long. You don't have to worry about export control laws if you're sort of selling within the EU like these other states do. And also there might be diversification in terms of specialization. So Italian vendor spyware doesn't look the same as Israeli vendor spyware. So there's sort of this healthy competition that I think is happening across the ecosystem that if you want products that perhaps cost a little bit less, you might go to an Italian vendor versus an Israeli vendor. So that might be why there's been such preservation of activity coming out of Italy for so long.
Justin Sherman
Interesting. Yeah. And as I said, I certainly don't study this as much, but it's an interesting phenomenon to me. So to move along, you also note in addition to the geographic concentration point, an interesting finding around what you call strategic jurisdiction hopping. What does this mean both literally and then in terms of its broader implications?
Jen Roberts
So strategic jurisdiction hopping is where we observed in the data set that several vendors have appeared to have constructed a subsidiary, a branch, a partnership relationship or the like that crosses sort of strategic jurisdictional bounds. These locations may offer a variety of location specific benefits. I just talked about benefits of having access to the EU market, so opening or having a relationship with an EU domiciled firm to have access to that marketplace. And we do have an example of this happening in quite a few across the data set. But want to highlight one in particular, where in 2017 the Israeli vendor QuaDream Inc. set up a supplier, InReach Technologies Limited, in Cyprus, which QuaDream Inc. claimed later in a court filing was, quote, for the sole purpose of promoting QuaDream Inc.'s products within the European Union. This happens sort of across the ecosystem, but it's where vendors have a physical presence, sometimes in Europe, sometimes in the US, in markets where they really want to sell to.
Justin Sherman
Just to hear about another one of your observations, you also found many efforts by spyware entities to change their names and shift their corporate structures. Can you tell us more about this? Is there any way to measure if this was always happening but just wasn't well detected, if this is happening more frequently now, for some reason, et cetera? What does your research show us?
Jen Roberts
So when it comes to shifting vendor identities, this is the trend where spyware vendors will change their legal names and even shift entire corporate structures to obscure their identity and potentially even manage the impact of negative press reporting. My favorite example of this is, and I've brought it up before, when I was talking about Candiru and Saito Tech and I was kind of flip-flopping between the two. Between the years of 2016 and 2020, Candiru changed its name annually. It's now called Saito Tech Ltd. But a lot of people, including myself, sometimes still call it Candiru. This makes it really difficult for researchers and policymakers who are trying to track an entity or a specific spyware vendor that they don't necessarily want to do business with or think they may have disappeared, but in reality they're just operating under another name. For example, Sarah also talked about this earlier. There's another vendor coming out of Italy called Hacking Team, who is now called Memento Labs. They had around 2015 a wide breadth of information leaked online about their internal offerings. And shortly thereafter they went through some name changes. This is a trend that just shows that these vendors are rebranding, they are changing their names, which makes it harder for researchers and policymakers to keep track of these entities. So that's really interesting for us to observe. I don't think it's siloed in particular to just the spyware industry. We see sort of this observation happening across a variety of different sectors. Money laundering is a good example of one as well.
Justin Sherman
Zooming back out, what are the implications of the spyware industry for US national security as well as US foreign policy broadly?
Jen Roberts
So spyware is a national security threat to the U.S. It's a threat in a few ways. First, it's a counterintelligence risk. The more countries that have capabilities like this open up our doors to being targeted. But it's also a national security risk because a lot of the industry also doesn't necessarily operate within the US. And the last part of why it's quite a risk is because for years spyware has been utilized to target American officials and citizens both at home and abroad. In early 2023, several U.S. Congress members' phones were infected with Predator, a spyware developed by members of the Intellexa Consortium. And in 2021, Apple notified around a dozen US officials working in Uganda at the time they were targeted by NSO Group's Pegasus spyware. So these capabilities are being utilized against Americans. They are a counterintelligence risk for American security. And a large part of the industry doesn't necessarily operate within the US parameters. So we have less oversight and ability to sort of shape this market. That being said, there have been a lot of efforts, and I did mention a few earlier in the podcast, that the US has worked on to curb the proliferation and misuse of some of these capabilities. I mentioned earlier visa restrictions and sanctions, but there's also a joint statement on efforts to counter the proliferation and misuse of commercial spyware, where a variety of different countries have signed up and said we want to do something about this issue set. There are also the entity listings which I mentioned earlier and an executive order, and right now going through Congress there's also an amendment to the NDAA to make some of these executive actions codified into law. So it seems that US policymakers are aware that this is a national security risk and also a human rights risk. But I think that attention has really sort of picked up within the past five years or so.
Justin Sherman
Certainly, as you said, some of the Saudi and other use cases definitely have made way more press, rightfully so, beyond just sort of cyber and technology land. So you mention several times throughout, and we talked about this specifically, that there are a number of spyware investors that seemingly come from the United States. Do you see this as a good thing, a bad thing, something else? Both. And what, if anything, should the US Government do about it?
Jen Roberts
This is a really interesting question because I think it can be seen as both good and bad. And that's sort of the classic answer. There's two sides to every coin. It's bad because there's a disconnection between US policy and US investment. At least that's the way it seems. The US has been doing so many things to counter the proliferation and misuse of these capabilities. And a spike in US investment over the past year is quite concerning because that doesn't fit the picture of what US policy is sort of going in the direction of. But it's also a good thing because this means sort of, like I just pointed out, that the US doesn't necessarily have the most control over a market that doesn't operate within its own jurisdictional bounds, while US investment does. So, engaging with the investment community and really thinking about ways to increase due diligence efforts and beneficial ownership programs and a whole host of things. There's still a lot that can be done to counter this issue. So it is good that the opportunity is there.
Justin Sherman
In terms of other countries and what's going on there. And I say that broadly, that could include other countries knowingly seeing companies they're selling to, bad actor, you know, human rights abusers. That could include lots of investment in other countries, permissive export environments. You know, is there anything the US Government should be doing vis a vis those countries to shape or curtail their activities around or tolerance for spyware entities?
Jen Roberts
I think the US has made some steps in the right direction when it comes to this by engaging allies and partners to make this truly a global issue. I just mentioned the joint statement on efforts to counter the proliferation and misuse of commercial spyware. There are a wide host of a variety of different countries, from Australia to Canada, Costa Rica, Finland, France, Germany, Japan, Lithuania, New Zealand, Norway, Poland, the Republic of Korea, Slovenia, Sweden, just to name a few that are signatories to this joint statement. And it is my understanding that this joint statement is sort of an evolving list over time, so I haven't seen it in addition quite recently, but it seems that we are actively engaging allies and partners on this topic set already, including a UK-French-led process called Pall Mall, of which the US is a signatory, which has a different sort of set of signatories and doesn't necessarily just focus on spyware, but the commercial cyber intrusion industry writ large. So the US is showing up to conversations and it's engaging with countries on this issue set. If they should be putting any pressure on specific countries outside of the ones that are cooperating, I would focus on the three I countries, the countries that have the greatest concentration of activity in this marketplace, which are Israel, Italy and India.
Justin Sherman
Lastly, you note for all the change that has occurred in the market in the last couple of years and since the last iteration of your spyware market study, there are also a number of consistencies. You flagged this already in the market in terms of how firms are operating, where they're operating, who's funding, and so forth. So how should policymakers on the whole think about both the developments, changes and the consistencies in the market? And then what, if any, action do you think US policymakers should be taking as this market evolves into the future?
Sarah Graham
I would approach this consistency that we've been talking about somewhat positively, that the shape and the scope of the market are relatively stable in terms of looking ahead and how this might look in the future. We would love to come back to you in a few years with some built year on year data that might inform this directionality a bit more. But in the absence of this, what our sample of the marketplace tells us from the transition of 2023-2024 is that there hasn't been a huge amount of movement. These six trends that we outlined in the report are observable even with the addition of over 100 new entities, which as an aside is a bit ironic actually, that we're seeing trends of consistency of entities doing something somewhat inconsistent. They're changing names or jurisdictions and all of these different things. But overall we're seeing consistency in that behavior, which is at least a positive thing for researchers and policymakers and other partners to be able to understand a somewhat sort of stable snapshot of what's going on. So I would really just hone in on quite a bit of the current policy action that Jen is talking about in terms of the joint statement and other international efforts to counter the proliferation and misuse of spyware, the Pall Mall process. To say that these sorts of efforts and really showing up to engage and move the needle should certainly continue.
Justin Sherman
That's all the time we have. Jen, Sarah, thanks again for joining us.
Sarah Graham
Thanks so much.
Justin Sherman
The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad-free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter through our website, lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters. Please rate and review us wherever you get your podcasts. Look out for our other podcasts including Rational Security, Allies, The Aftermath and Escalation, our latest Lawfare Presents podcast series about the war in Ukraine. Check out our written work at lawfaremedia.org. The podcast is edited by Jen Patja and our audio engineer this episode was Cara Shillenn of Goat Rodeo. Our theme song is from Alibi Music. As always, thank you for listening.
With guests Jen Roberts and Sarah Graham
Host: Justin Sherman
Date: October 9, 2025
This episode dives deep into the state of the global spyware industry, drawing on the recently published Atlantic Council report, "Mythical Beasts: Diving into the Depths of the Global Spyware Market," co-authored by Jen Roberts and Sarah Graham. The conversation explores how the spyware industry operates, recent market trends, the role of US and international investors, the emergence of brokers and resellers, and the resulting policy and national security challenges for the United States.
"Spyware is software that facilitates unauthorized remote access to an Internet-enabled target device for the purpose of surveillance or data extraction."
— Jen Roberts (06:23)
"AE Industrial Partners invested in Paragon Solutions...which was recently entangled in a scandal with the Italian government..."
— Jen Roberts (13:40)
"Reporting suggests that brokers and resellers really perhaps distort the price of capabilities and the exploits they rely on. And this could really drive up costs and...introduce more risks to the entire supply chain..."
— Sarah Graham (03:28), [19:59]
The report highlights six persistent industry features, focusing here on a few:
"These countries might just have a larger scale of highly skilled workers...It could be because of defense structures...or permissive environments that allow sort of companies to have less regulation from the state..."
— Jen Roberts (29:24)
"Candiru changed its name annually. It's now called Stacio Tech Ltd...which makes it really difficult for researchers and policymakers to keep track..."
— Jen Roberts (35:58)
"There's a disconnection between US policy and US Investment...it's quite concerning because that doesn't fit the picture of what US Policy is sort of going in the direction of."
— Jen Roberts (40:45)
"We're seeing consistency in that behavior, which is at least a positive thing for researchers and policymakers and other partners to be able to understand a somewhat sort of stable snapshot..."
— Sarah Graham (44:41)
On the Reality of Spyware’s Reach:
“It can gain, oftentimes without any user interaction, access to your applications, your search history, calls, your texts, photos, locations, microphones, recording geographic data, anything that you can sort of think of spyware sort of captures once it’s on your device.”
— Jen Roberts (07:50)
On the Investment-Policy Disconnect:
"What we're seeing here is both a contradiction and a critical enforcement gap between US Policy and US Investment."
— Jen Roberts (14:00)
On the Threat to US National Security:
"For years, spyware has been utilized to target American officials and citizens both at home and abroad... So these capabilities are being utilized against Americans. They are a counterintelligence risk for American security."
— Jen Roberts (38:20)