The Advent of the “Digital Mercenaries”

Kiril Avramov

The topic of use and role of private military contractors in modern warfare periodically gains the intensive focus of public attention and scholarly scrutiny. It happens so, due either to highly publicized lobbying efforts of the proponents of private military and security companies’ (PMSC) wider implementation in long-running conflicts, such as the recent “Prince plan” for Afghanistan, or highly publicized operations of increasingly assertive non-Western PMSC’s, such as the likes of the Russian “Wagner”. The scrutiny focus and intensity are justified and rightfully so, as the expanding role of the private military contractors represents a key feature of the rapidly evolving nature of modern warfare. However, while the public attention tends to captured mainly by the kinetic operations performed by the modern day “condottieri”, a new type of modern “soldiers of fortune” emerges center stage. Namely, the ascent of a new breed, one that could be best described as “digital mercenaries”. The advent of these new professionals is of no less importance than their “traditional” counterparts who provide muscle and boots on the ground in distant and difficult environments. Provided the current state of accelerated technological development, relentless international race for artificial intelligence dominance coupled with profound global uncertainty marked by increasing “gray zone” cyber activities intensity renders their rise to prominence, as an inevitable. In fact, these new “cyber soldiers and spies” for hire and their respective operations in benefit of their clients will probably become the permanent new norm, rather than a series of occasional and fairly rare episodes of obscure nature. They will also certainly make a profound mark in the field of traditional nation-state intelligence performance and cooperation, as well. The existing global structural preconditions certainly provide a fertile environment for such privatized actors to proliferate and gain even further importance. The process of their expansion, however, raises virtually similar ethical, political, economic and regulatory issues and concerns comparable to their “traditional” PMSC’s counterparts.

Hackers for Hire

These problems are best illustrated by the recent revelations stemming from the excellent Reuters investigation regarding the so-called “Project Raven” in support of the expanding UAE signals intelligence efforts via employment of American ex-NSA personnel. It could be argued that this particular case of hiring of the new type of “digital mercenaries” is an industry inflection point. It also exhibits all of the spectrum of issues of concern, while serving as a precursor of the upcoming trends in the cyber contracting trade. While the transfer of cutting-edge “defensive” cyber and surveillance technology and hardware to well-resourced nation-states in process of defense and intelligence capacity building is not a new phenomenon, the transfer of skills and personnel definitely is. Especially, when it comes to provision of intelligence training and actual application of personnel skills and technology in benefit of foreign intelligence services. And yet, this is precisely what the initial “Project Raven” and subsequent “DarkMatter” projects were all about, where U.S. personnel was allegedly tasked with helping their Emirati colleagues and managers in their efforts of surveillance of governments, militants and dissidents deemed dangerous by the UAE ruling class. After at least five years of cooperation between an American based company and UAE’s National Electronic Security Authority, the whistle was blown after an American employee of the contractor raised her concerns about the practice of targeting of U.S. persons designated by the Emirati project management. In essence, the “thin, red line” was crossed, when the American ex-government intelligence employees were troubled to discover that the ever-expanding list of targets supplied by the Emirati management was not limited to foreign governments and terrorist-related individuals and groups only. It allegedly also included a separate “white category” designated for American citizens, besides the already existing country “color” categories, such as Iran and Yemen. Apparently, the target list has featured the designation of other Westerners, in addition to prominent Emirati human rights activists.

Venturing into the DarkMatter

It should be noted, this particular case is not isolated in terms of highly-intrusive surveillance and targeting technology transfer and implementation from the West to other governments worldwide, as the recent research of University of Toronto’s Citizen Lab demonstrates, where the Israeli NSO company’s Pegasus flagship product was tracked in use by multiple governments with less-then-stellar human rights records with quite significant geographical reach. Similar was the story of the FinFisher toolset sold by the British-German Gamma International, as well as the one of their Italian rivals of “Hacking team” with their Remote Control System spyware. Despite these companies’ denials regarding the intent of use of their respective products and services, namely defensive purposes, the evidence points out that they are overwhelmingly used in offensive operations that routinely target civil society among various other targets. These stories are a vivid illustration of the fact, that in the field of contemporary cyber warfare it becomes increasingly hard to clearly distinguish between offensive and purely defensive operations, as they frequently overlap in similar to traditional PMSC’s operations fashion. They also illustrate the potential political problems that the use of regular and cyber contractors creates in regard with respective national foreign policy objectives different governments pursue. While the general overlap of Western and client governments’ objectives, such as tracking and neutralizing terror groups for instance, renders the contractors of both kinds as beneficial assets, the diverging internal policy agenda of authoritarian regimes turns the foreign hires into liabilities for their home governments. While the general overlap exists, when the number of suppliers increase and diversifies, there is no iron-clad guarantee that at certain point the service providers will not cross knowingly or involuntarily the policies of their home governments, as they cannot exercise control over the agenda of their hosts, as visible in the case of “Project Raven”. In similar vein, it also offers ample international criticism “munition” to all kinds of different state and non-state actors and groups motivated to scrutinize and object the Western foreign and security policies agenda. In addition, in the case of the “digital spies” for hire, inevitably the host institution or government will be inclined to tap into the hired personnel’s specific knowledge, professional networks and familiarity with classified information in their previous line of government duty. In worst case scenario, the hosts will seek to gain leverage over the hired personnel for own respective purpose. As the pace of digital innovation frantically speeds up, it becomes rather obvious that the suppliers’ market overcrowds and not every vendor will be able to sell its digital products and services only to its own respective government. Ample evidence in this regard is supplied by the issues surrounding the exports by some of the industry leaders, such as the leading companies from the Israeli cyber sector. The relentless pursuit of profit coupled with the inability to overcome home market monopsony leads scores of these companies to sell their products and services directly or via intermediaries to governments and agencies previously designated, as off-limits. Open question remains if and when the beneficial end-users decide to use the technology supplied for purposes different than anti-terror, in pursuit of commercial competitive advantage for home-grown champions or industrial espionage against their competitors for instance. Last but not least come the regulatory concerns regarding the licensing and effective control execution by the U.S. and other Western governments dealing with such “digital mercenary” operations that are not confined to technology transfer alone, but also involve employment of former national intelligence personnel overseas.

Again, as the situational complexity surrounding this novel trend of employing foreign hired intelligence personnel is rather high. Despite the existence of well-developed American legal corpus dealing with export and transfer of military goods and services abroad, the incidents involving licensing of cyber know-how and capabilities in benefit of foreign intelligence service suggest that there might be gaps or at least a room for improvement in the existing legal base. Same seems to apply for the other respective Western governments that deal with such cyber outfits that operate in foreign environments. Indeed, the complexity and context vary widely, as the burgeoning private sector demand for specific skills and services pertaining to intrusion and influence operations is clearly on a rise. Such conclusion could be inferred by the cases of the now-defunct third party intelligence operators, such as Cambridge Analytica and PSY Group that have employed certain amount of cyber and traditional tradecraft in benefit to their private clients with significant amount of loud public controversy.

Finally, in parallel to the myriad of issues and problems in the past twenty-five years that have surrounded the emergence and subsequent maturity of the private military industry worldwide, the advent of the new kind of private digital warriors and spies closely mirrors these traditional concerns. For governments and regulators concerned, it would probably be best, if the lessons learned in the process of standardization of the PMSC industry be applied and thus some of the worst failures avoided in timely fashion.