Chasing Shadows in the World of Mercenary Spyware
BOOK REVIEW: Chasing Shadows: Cyber Espionage, Subversion, and the Global Fight for Democracy
by Ronald J. Deibert. / Simon & Schuster Canada edition
Reviewed by: Jean-Thomas Nicole
The Reviewer — Jean-Thomas Nicole is a Policy Advisor with Public Safety Canada. The opinions expressed are those of the author and do not reflect the official policies or positions of Public Safety Canada or the Canadian government.
Review — Ronald J. Deibert, (OOnt, PhD, University of British Columbia) is Professor of Political Science, and Director of the Citizen Lab at the Munk School of Global Affairs & Public Policy, University of Toronto.
Quite unique and singular, the Citizen Lab is a Canadian interdisciplinary laboratory focusing on research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security.
As Director of the Citizen Lab, Deibert has overseen and been a contributing author to more than 120 reports covering path breaking research on cyber espionage, commercial spyware, Internet censorship, and human rights.
These reports include the landmark Tracking Ghostnet report (which uncovered an espionage operation that infiltrated the computer networks of hundreds of government offices, NGOs, and other organizations, including those of the Dalai Lama), China’s Great Cannon (an offensive tool used to hijack digital traffic through Distributed Denial of Service attacks), the Kingdom Came to Canada (an investigation of a Canadian permanent resident, Saudi dissident, and Khashoggi colleague who was targeted with commercial spyware), and the Reckless Series (an investigation into the abuse of commercial spyware to target journalists, anti-corruption advocates, and public health officials in Mexico).
These reports have been cited widely in global media, garnering 25 front page exclusives in the New York Times, Washington Post, and other leading outlets, and have been cited by policymakers, academics, and civil society as foundational to the understanding of digital technologies, human rights, and global security.
To paraphrase Deibert himself, reading Chasing Shadows feels as though the reader is observing in near real time, piecing the puzzle together, wandering into the pages of a spy novel, except this investigation is not a work of fiction. It is the real deal: a kind of geopolitical voyeurism. It is exhilarating as it is bloody scary.
In other words, as former threat analyst at the Citizen Lab, Seth Hardy, put it metaphorically: “It’s one thing to know they exist. It’s an entirely different thing to have one crash into your backyard.”
The Cipher Brief Honors Dinner is on April 18th in Washington D.C. Apply now for your seat at the most glamorous spy dinner of the year. Find out more about this invite-only event at cipherbriefhonors.com
Going down memory lane, Deibert tells the stories of how the Lab exposed the world’s preeminent cyber-mercenary firm, Israel-based NSO Group – the creators of Pegasus – in a series of human rights abuses, from domestic spying scandals in Spain, Poland, Hungary, and Greece to its implication in the murder of Washington Post journalist and Saudi dissident Jamal Khashoggi in 2018.
Deibert’s book thus offers an enlightening and terrifying glimpse into the ubiquitous and murky world of mercenary spyware and digital transnational repression, a core focus of the author’s work at the Citizen Lab for twenty-four years and counting; it is indeed an unaccountable sector featuring irresponsible entrepreneurs who enrich themselves by empowering autocrats and dictators to carry out their dirty deeds.
Concretely, what does it mean? It means, according to Deibert, first and foremost, waking up to its risks: a massive, largely unregulated industry has emerged and proliferated globally that gives government spies the ability to snoop on digital devices anywhere in the world. The latest versions can do so silently, vacuuming up unsuspecting targets’ entire private life, following them around, reading their emails and texts, and turning on their camera and microphone. Autocrats, despots, police, and intelligence agencies have gobbled up this technology and used it for all sorts of nefarious purposes, from harassment and extortion to targeted murder.
What makes that industry thrive so much is the internet’s open secret: it is riddled with software flaws. Thousands of individuals around the world routinely scrutinize those millions of lines of code, spot the errors, and act on them.
Some do it in the public interest, to find vulnerabilities and disclose them so the relevant companies can patch the flaws. Others do it for mischief. But some do it for criminal purposes or more sinister reasons. Mercenary firms like NSO Group and the spies they serve exploit these insecurities in the digital ecosystem to “find, fix, and finish” their adversaries.
At the Citizen Lab, Mr. Deibert’s team does the opposite, acting as counterintelligence for civil society, lifting the lid on the internet and exposing wrongdoing in the digital realm.
Drawing on the skills of some of the most dogged and talented investigators, the Citizen Lab specializes in using careful tools, methods, and open-source investigative techniques – network scanning, field research, forensics, reverse engineering, access to information requests, and corporate document analysis – to gather the incriminating evidence that bad actors inevitably leave behind them. They then write it up in their well-known reports, publish widely, and try to disrupt their machinations. The Citizen Lab mission is therefore, as Mr. Deibert puts it, to serve the public interest, not subvert it.
Of course, the director of the Citizen Lab is most keenly aware of the underlying irony behind his work. Speaking about one of his most high-profile cases, he writes plainly: “We were undertaking a kind of online surveillance of our own, but with a twist. All these sources and techniques were for us a means to an end, but those means were carefully controlled to meet the highest ethical standards. We were trying to save lives, not destroy them”.
Everyone needs a good nightcap. Ours happens to come in the form of a M-F newsletter that provides the best way to unwind while staying up to speed on national security. (And this Nightcap promises no hangover or weight gain.) Sign up today.
If we follow Deibert’s reasoning, in the era of privatization, the Israeli state openly encourages security firms like NSO Group. That explains why many of the world’s leading surveillance, facial recognition, and cellphone- cracking companies happen to be headquartered in or originate from Israel. For him, this commercialization of state intelligence practices is a profound development for world politics: it’s nothing short of despotism as a service.
Furthermore, a sampling of NSO Group’s past investors and associates reveals a rogues’ gallery of some of the best-known scoundrels of our times, most of them associated, near or far, with the first Trump administration. And then there are NSO Group’s government clients: Rwanda’s autocratic president, Paul Kagame, known for his dispatch of death squads; Saudi Arabia’s Mohammed bin Salman, or MBS as he’s called, a ruler who approved the brutal execution of journalist Jamal Khashoggi in broad daylight; and Sheikh Mohammed bin Rashid al- Maktoum of the United Arab Emirates, who has used Pegasus to hunt human rights activists and oversee their torture and electrocution in UAE prisons.
Yet NSO Group is only one among scores of such companies selling to government clients. There are Russian, Chinese, French, German, Swiss, Spanish, Italian, and other cyber mercenaries too. The market is exploding. What’s worse is that the industry is now expanding its client base beyond governments to other private businesses, oligarchs, and organized criminal groups.
At the end of the book, Mr. Deibert offers its concluding thoughts wrapped in a somber perspective for the short term. That being said, hope is on the horizon and shall never die: It is daunting to contemplate the future, considering the deteriorating political condition and the numerous weapons in the arsenal of those who conduct digital transnational repression. It is our collective mission to push back against tyrants and to resist the tidal wave of despotism with rigorous, evidence-based public interest research. The future may be bleak, but who’s to say you cannot fight the future?
Chasing Shadows : Cyber Espionage, Subversion, and the Global Fight for Democracy earns a prestigious 4 out of 4 trench coats
The Cipher Brief participates in the Amazon Affiliate program and may make a small commission from purchases made via links.
Interested in submitting a book review? Send an email to [email protected] with your idea.
Sign up for our free Undercover newsletter to make sure you stay on top of all of the new releases and expert reviews.
Read more expert-driven national security insights, perspective and analysis in The Cipher Brief because National Security is Everyone’s Business.