Cyber mercenaries are frequently linked to spyware, a field that has garnered significant attention in recent years with revelations surrounding the NSO Group’s notorious Pegasus software. However, the gray market for intrusion capabilities is much larger and poses even greater systemic risks. This market includes the sale of “zero-day” vulnerabilities: unknown technology weaknesses for which no fix or software patch is currently available. Sales of zero-day exploits significantly destabilize the online environment and technology on which critical infrastructure relies. While spyware is primarily targeted at individuals, zero-day vulnerabilities have the potential to impact a much broader range of targets simultaneously as they allow attackers to breach entire systems. It’s imperative to call attention to both malicious uses of technology.
Combating Hack-for-Hire Services
Industry partners can and should work together to strengthen cybersecurity and combat the growing cyber mercenary market. Microsoft is committed to eradicating hack-for-hire services through its Digital Crimes Unit, which drives takedowns and enforcement actions against cyber criminals; its Secure Future Initiative, which ensures that products are secure by design and default, and continue to be throughout their life cycles; and its Bug Bounty Program, which encourages security researchers to identify and report vulnerabilities. Microsoft is also working with others within and beyond industry, recognizing that collaboration and partnership are key to lasting change.
The Cybersecurity Tech Accord, of which Microsoft is a founding member, in 2023 laid out a set of principles on how to limit the activity of cyber mercenaries. Through the accord, more than 100 members have adopted vulnerability disclosure policies to better protect online products, serving as a first line of defense against mercenaries. One recent example of a successful industry collaboration is the legal action led by WhatsApp against the NSO Group’s intrusion services. Technology companies, including Microsoft, supported WhatsApp throughout the process, including by filing several amicus briefs. This lawsuit resulted in a victory for security and privacy and highlighted the industry’s resolve to hold cyber mercenaries accountable.
But these efforts are not enough. Governments must do more to protect people, systems, and infrastructure from mercenaries who seek financial gain by finding and selling these zero-day services. Where there is demand, there will always be supply, and the persistence of an intrusion market that undermines and corrupts peaceful technology for malicious ends is fundamentally at odds with a free, safe, secure, and rights-respecting online world. Industry members must work together with governments to take decisive action. This includes supporting the ongoing Pall Mall Process, which aims to create guardrails around the development, purchase, and use of commercially available cyber intrusion capabilities by establishing guiding principles.
Beyond that, the following are policy actions that governments could consider:
Prohibit the sale of zero-day intrusions: These intrusion capabilities are among the most harmful and pose a significant risk to digital and critical infrastructure stability. Governments should implement a ban on the sale of services related to these zero-day exploits.
Enhance transparency and due diligence measures: Implement transparency measures to ensure that the development, sale, and use of commercial intrusion capabilities are conducted openly and responsibly. Establish due diligence mechanisms for companies involved in the cyber mercenary market, including thorough assessments of suppliers, partners, and customers to ensure they adhere to responsible practices. This will also ensure that one of the biggest threats in the cyber mercenary market—zero-day exploits—is mitigated and cannot be used by cyber criminals.
Establish greater import and export controls: Establish strict import and export controls to regulate the cross-border flow of cyber mercenary capabilities. Implement licensing requirements to ensure that these capabilities are only transferred to responsible entities.
Leverage investment controls: Use investment controls to regulate foreign investments in companies that develop or sell commercial intrusion capabilities. Improve corporate transparency requirements—like the United States’ move to compel companies to report their beneficial owners—to increase due diligence and deal review. By scrutinizing and approving investments, governments can ensure that these companies are not influenced or controlled by entities with malicious intent.
Develop regulatory frameworks to restrict sales: Establish clear regulations governing the sale of services by cyber mercenaries. By creating a framework that discourages the black market trade of vulnerabilities, governments can reduce the availability of exploits to malicious actors.

These threats are inherently global, necessitating international cooperation to tackle them effectively. Agreeing on what type of behavior is acceptable and taking action against cyber mercenaries who fall outside the norm is the only way to make these actors accountable. With commitment and immediate action, we can collectively restrict the cyber mercenary marketplace, fortify digital ecosystems, and promote peace and security.
Amy Hogan-Burney serves as the Vice President and Deputy General Counsel in Corporate, External, and Legal Affairs, overseeing the Customer Security and Trust (CST) team at Microsoft. Prior to her role leading CST, Hogan-Burney headed the Cybersecurity Policy and Protection Team and played a pivotal role during the implementation of the EU’s General Data Protection Regulation, leading the Privacy Compliance team. Her career at Microsoft began with managing the Law Enforcement and National Security team, ensuring compliance with legal obligations related to law enforcement and national security. Before transitioning to the private sector, Hogan-Burney served as an attorney at the U.S. Department of Justice, Federal Bureau of Investigation.