
#Infosec24: Industry Should Challenge Detection Vendors on Spyware

Comments on regulation and transparency of spyware, and the ecosystem its developers work in.


Cybersecurity professionals need to ask their vendors how they detect and protect against spyware if better progress is to be made on limiting its impact.

Speaking on a panel on spyware at Infosecurity Europe in London, Brian Honan, CEO of BH Consulting, acknowledged that spyware can be dual purpose: it is used to monitor the actions of employees and family members, but “in the wrong hands it can be used to track people who can end up being the victim.”

Spyware Economy

Honan said that spyware has become a commercial industry, in which NSO Group and other companies write software that aims to monitor phone calls and turn on cameras, and “is a limited market for governments.”

He also pointed out that spyware vendors rarely report the zero-day vulnerabilities they rely on, reports “that can better protect us from a CISO’s point of view.”

Also on the panel, Aude Gery, senior researcher at GEODE, hit out at the investors who fund the commercial spyware industry and its services, and who sustain the ecosystem behind spyware.

European Factor

Asked by moderator Kevin Poireault whether spyware variants are hard to track, Gery pointed out that many spyware vendors are registered in different countries, including North Macedonia, Cyprus and the Czech Republic, and that their investment also comes from different countries, “and we don’t know anything about the ecosystem, and it is very complicated to understand the structure of the company.”

Honan said that being located within the EU “provides companies with a facade of legitimacy” and allows them to sell to EU companies without restrictions. Being seen as a European company gives the impression that they adhere to laws such as GDPR and therefore “must be doing the right thing.”

The panellists also agreed that the biggest problem with commercial spyware is the lack of accountability and transparency. Honan said governments are unlikely to step in to stop its use, as they have spy agencies that will use whatever tools are available. “But they have to operate within the framework to provide accountability and transparency,” he said, and that framework is lacking now.

Gery said that regulatory enforcement is challenging because governments are unwilling to stop the development of these tools, but she did praise the sanctions imposed on Intellexa by the US Treasury.

Concern for Businesses

Commenting on the impact on businesses from a practitioner’s perspective, Honan said organisations have to be confident that employees involved in any type of protest are not bringing spyware into the organisation, and that it is not already in their environment.

“Spyware needs to be better regulated and controlled and governments should be better at it,” Honan said, pointing out that there needs to be appropriate accountability and transparency, as “pinky promises don’t cut it.”

He concluded by recommending that users talk to their endpoint protection vendor and ask how they protect against malware and whether they detect spyware. “If we force vendors as an industry and make our voices louder and stronger, governments will listen to us too,” Honan said.

“It is not just a problem for dissidents, journalists and politicians, we are all at risk of misuse of spyware and it is a critical issue and we need to take it seriously.”

Dan Raywood
Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
