A Deeper Look Into the WhatsApp Hack and the Complex Cyber Weapons Industry

Author: Phil Zongo and Darren Argyle
Date Published: 21 May 2019

On 13 May, the Financial Times reported the discovery of a major security flaw in the popular messaging app, WhatsApp. The pervasive vulnerability, which affected both Apple and Android devices, allowed malicious actors to inject commercial spyware by ringing up unsuspecting targets using WhatsApp’s VOIP-based call function.

The world is now accustomed to daily data breach news. What makes this threat particularly disturbing, however, is its novelty and deftness. This flaw allowed hackers to break into phones by simply calling a target. The victims didn’t even need to pick up, and the missed calls simply vanished from the logs. Device hacks that don’t require victim participation, such as clicking a weaponized hyperlink, are difficult to fend off and dramatically alter the game.

According to the report, the commercial spyware in question was developed by Israeli cybersecurity firm NSO Group. While NSO has denied the allegations, the incident has nonetheless brought to light the complex, secretive and dangerous world of the cyber arms market, in which companies like NSO operate. Within this industry, governments and other sophisticated groups buy advanced surveillance tools, zero-day vulnerabilities, exploit kits and several other malicious programs from defense contractors or niche malware developers.

These advanced digital munitions are used to debilitate adversary nations’ critical infrastructure; influence elections; jam airwaves to silence opposition; and spy on journalists, dissenters, suspected terrorists and a wide array of other targets. According to research, the global cyber weapons market stood at US$406.77 billion in 2016 and is poised to reach a staggering US$524.27 billion by 2022.

When we dig deeper into factors that have spurred the exponential rise in the cyber weapons market, three insightful answers emerge. At the root of this predicament is the rapid shift in defense policies. As geo-political tensions rise, more and more nations are rushing to acquire offensive cyber capabilities. This props up the commercial cyber weapons industry, as governments find it easier and more economical to buy or rent digital arms than to develop their own. As a 2013 article highlighted, “A government or other entity could launch sophisticated attacks against just about any adversary anywhere in the world for a grand total of $6 million. Ease of use is a premium. It’s cyber warfare in a box.”

Back in 2017, US defense chiefs, via a joint statement to the US Senate Armed Services Committee, bemoaned the growing threat from adversary nations exploiting cyber space to steal military secrets, sensitive research and other high-value information. “Many countries view cyber capabilities as a useful foreign policy tool that also is integral to their domestic policy, and will continue to develop these capabilities,” they emphasized.

Second, and perhaps most vexing, is the absence of collective will to curtail the development and acquisition of cyber weapons. As one of the co-authors of this blog post wrote in his book, The Five Anchors of Cyber Resilience, international cooperation between law enforcement agents is non-existent or weak at best. As both geo-political and geo-economic tensions crank up, according to the World Economic Forum Global Risks, the prospects of achieving a binding global cybercriminal justice system invariably pale.

Granted, there have been sporadic efforts to address this void. In 2018, Antonio Guterres, the United Nations chief, issued a withering assessment, saying, “Episodes of cyber warfare between states already exist. What is worse is that there is no regulatory scheme for that type of warfare; it is not clear how the Geneva Convention or international humanitarian law applies to it.”

History also is a guide. At the 2015 G20 summit held in Belek, Antalya Province, Turkey, G20 leaders agreed on language pledging not to conduct cyber-enabled economic espionage. But because the G20 communiqué was non-binding, it represented only form, not substance. It did very little to de-escalate rising cyber tensions or alter deep-seated nationalistic motivations. Messy situations demand strong leadership, but as powerful nations have significant stakes in the game, we are likely to see more of the same.

Third, while commercial cyber arms creators may not harbor intentions to sell their wares to repressive regimes or criminal mobs, it’s inevitable that these tools will eventually fall into the wrong hands. The NSO Group, for instance, claimed that its program is licensed to authorized government agencies “for the sole purpose of fighting crime and terror.” But once a vendor sells powerful cyber weapons, it has little to no control over how and when that software is used. The 2016 incident in which a ghostly group of hackers infiltrated the Equation Group, a complex hacking enterprise believed to be operated by the NSA, provides a chilling example. The cyber weapons were later repurposed to debilitate several institutions, such as the NHS hospitals in the UK, resulting in billions in damages. Further compounding an already grave situation, insurers are now refusing to pay cyber claims when attacks are deemed “acts of war.”

What’s at stake here is innovation, peace and human development. Hacker incursions into critical infrastructure such as WhatsApp, which connects more than a billion people across more than 180 countries, can negatively alter consumer trust – derailing innovation and human development. As Tim Cook, the CEO of Apple, accentuated in a recent Time article, “Technology has the potential to keep changing the world for the better, but it will never achieve that potential without the full faith and confidence of the people who use it.”

About the authors

Phil Zongo is a director and co-founder of Cyberresilience.com.au, an enterprise that develops the next generation of cyber leaders. He is the Amazon best-selling author of “The Five Anchors of Cyber Resilience,” a practical cyber strategy book for senior business leaders. Zongo has won multiple industry awards, including the respected 2017 ISACA International’s Michael Cangemi Best Book/Article Award, for major contributions in the field of IS audit, control and security.

Darren Argyle is a non-executive director and co-founder of Cyberresilience.com.au, an enterprise that develops the next generation of cyber leaders. He is a former Group Chief Information Security Officer (CISO) at Qantas Airlines. Argyle was named in the top 100 Chief Information Security Officers globally in 2017 and in the top 100 Global IT Security Influencers in 2018 by the SC Magazine. He was recently appointed Ambassador for the Global Cyber Alliance in recognition of his collaborative work advising small businesses on critical measures they can apply to defend against cyberattacks. He has nearly 20 years of experience in international cyber risk and security, with broad expertise in providing hands-on leadership, strategic C-level and board direction, and cybersecurity program execution.
