The Access-as-a-Service industry role in the proliferation of offensive cyber capabilities
"Countering cyber proliferation: Zeroing in on Access-as-a-Service", 1 March 2021
Executive summary
The proliferation of offensive cyber capabilities (OCC)—the combination of tools; vulnerabilities; and skills, including technical, organizational, and individual capacities used to conduct offensive cyber operations—presents an expanding set of risks to states and challenges commitments to protect openness, security, and stability in cyberspace. As these capabilities become more prolific, their regulation through formal international norms and export controls is increasingly ineffective... This report profiles the “Access-as-a-Service” (AaaS) industry, a significant vector for the proliferation of OCC, as a means of both illustrating the character of this proliferation and investigating policies to counter it.
AaaS firms offer various forms of “access” to target data or systems, and through these business practices are creating and selling OCC at an alarming rate. These companies advertise their wares to myriad groups, mostly states, who would not otherwise be able to develop such capabilities themselves. AaaS products and services vary in form, but share foundations that can be categorized under five “pillars” of OCC: Vulnerability Research and Exploitation, Malware Payload Development, Technical Command and Control, Operational Management, and Training and Support.
Framed along these pillars, the authors present three case studies (the NSO Group, ENFER, and DarkMatter) to illustrate the complexity of the overlapping activities within the self- and semi-regulated markets of the AaaS industry. These companies operate within a semi-regulated market, functioning openly and legally under the jurisdiction of their country of operation. Together, their activities cover the full spectrum of OCC development described in the five pillars below...
To better understand this proliferation, states should create “know your vendor” laws requiring AaaS firms to identify all their vendors and customers before selling their services to governments. To more effectively shape behavior, the report recommends that states widen the scope of selective disclosure to include the capabilities developed and sold by selected AaaS firms and ban vendors that fail to adhere to “know your vendor” laws. States should also implement contracting preferences for those that adhere to these laws, and develop standards against which firms can map self-regulatory schemes, including ethics committees. Finally, where states see an overriding national security need to limit the proliferation of OCC through these firms, they can introduce more rigorous post-employment reporting for certain intelligence and cybersecurity-specific roles in the public sector. Additionally, they can work with firms to impose technical limitations on OCC, such as geofencing and registered customer lists.