Microsoft has long made clear its belief that cyber mercenaries – private sector offensive actors that develop and sell offensive cyber capabilities that fuel a market without legal rules, responsibilities, or repercussions – don’t deserve immunity. Despite measures taken by governments, regulators, and tech companies, the impact of these actors on the security of users continues to increase as the market expands. More must be done.
Building on a previous filing in 2020, Microsoft, Google, along with several industry partners including LinkedIn, GitHub, TrendMicro and Big Cloud Consultants have filed an amicus brief in a legal case brought by the Knight First Amendment Institute at Columbia University against the NSO Group (Dada v. NSO Group). Cyber mercenaries like NSO Group have exploited our technology by attacking our users and we believe that those who have been victimized are entitled to legal recourse even if they are located outside the United States. We must strengthen safeguards for individuals at high risk of targeted cyberattacks by providing avenues for victims to pursue justice and by establishing legal consequences for cyber mercenaries. Combating the threat of cyber mercenaries requires a collective effort and this brief shows the impact we can have when we work together.
Stopping cyber mercenaries from abusing the infrastructure of technology companies
In this new amicus brief, we highlight two important points:
First, the proliferation of commercial spyware developed by cyber mercenaries is a significant national security threat. Spyware and other tools like Pegasus, sold by NSO Group, undermine global security and privacy by enabling unauthorized access to sensitive information, location data, and communications of individuals and organizations around the world. Such intrusions can jeopardize diplomatic relations, military operations, human rights, and democracy.
Second, the US Government has a strong interest in protecting American tech companies from being exploited. Cyber mercenaries, like the NSO Group, enable their clients to access and damage devices and platforms without authorization or exceeding authorized access. By doing so, they compromise the stability, security, and trust of the platforms and services provided by tech companies.
Our longstanding commitment
Over the years, Microsoft has worked with partners in government, industry, and civil society to advocate for limiting state use of cyber mercenary companies. Alongside our partners in the Cybersecurity Tech Accord, we outlined a set of industry principles aimed at limiting the expansion of the market and offensive cyber operations in cyberspace.
Microsoft Threat Intelligence actively tracks cyber mercenaries providing protection against their techniques and notifying our customers of observed activity. We offer AccountGuard, a program that provides advanced threat detection and notification to help protect high-risk users. This work together with our Secure Future Initiative enshrines our commitment to ensure the security of our own products and services, to promote a more secure ecosystem, and contribute to a safer and more resilient digital environment for everyone.
By coming together, we hope to send a powerful message that cyber mercenary practices are not legitimate business models. These entities must face consequences for unlawful behavior. Anyone involved in the development and support of offensive cyber capabilities or for permitting their misuse with full knowledge should be held accountable in US courts.