When the whole world is hacking, how does Britain say stop?
LONDON — Late last month, British intelligence, alongside allies like the United States, called out government-linked Chinese companies for a global campaign of cyber attacks. It was the latest step in a decade-long diplomatic dance. Britain only attributes cyber attacks to four countries: Iran, Russia, North Korea and China — known as the “Big Four.” Three are deemed hostile states, and Britain has an uneasy relationship with the last. But these are not the only countries that hack, sell hacking technology, or turn a blind eye to groups breaching devices and infrastructure in the U.K. Some are allies — but they have their blushes spared.
Calling out allies in public remains a risky move when ministers and officials are in a race to sign trade deals and strengthen relations across the globe. At the same time, Britain is trying to place itself at the forefront of efforts to hold back the spyware arms race, as countries look to buy commercial cyber expertise and technology to hack neighbors, enemies and partners.
A Decade-Long Dance
In 2013, Edward Snowden, a former contractor for America’s National Security Agency (NSA), blew open the previously secretive world of Western digital surveillance and hacking. In leaking thousands of classified documents, he revealed that the Five Eyes intelligence partnership — which includes Britain and America — had spied on allies including France, Germany, the EU and the United Nations.
In the decade since, other nations have been playing catch-up, with tech companies providing the ammunition for states wanting to rival Western nations that had been hacking for years. As the rest of the world started hacking back, Britain's allies took the unprecedented step of calling out those they suspected of committing cyber attacks against them.
The Problem is Not Just State Actors
“That these four are the only ones that are repeatedly attributed is, for me, a real problem,” said James Shires, a cybersecurity academic and researcher. “That means that most of the public conversation implies that those are the only actors, and that's just not the case.”
In fact, close allies make up some of these cyber powers, with leaked information often stepping in to fill the information void. In the 2010s, researchers claimed to have traced a piece of malware known as “Babar” back to French intelligence, while a hacking group called Careto was thought to have been linked to the Spanish government.
From State Actors to Private Companies
The big concern from the U.K. is not just cyber operations run directly by states. “It's not just which state has developed their own internal capability, but where they are relying on third parties to deliver that for them,” said Shires.
Sophisticated attacks are no longer just the domain of countries with established cyber capability. Britain's NCSC has previously revealed that at least 80 countries have purchased commercial spyware — although it did not name them. Last year, researchers at the Atlantic Council think tank mapped spyware vendors around the world, covering 42 different countries and 435 entities in its data set.
The Pall Mall Process: A Voluntary Scheme
The 24 countries that have signed up to its code of practice do not include Israel, India or nations such as the UAE that have been accused of using spyware irresponsibly. Similarly, none of the major spyware vendors are represented.
A summary report by the organisers ahead of the meeting — emblazoned with “NOT UK/FRANCE GOVERNMENT POLICY” — spoke of the risks of the sector without highlighting any country or company involved in the use of spyware. The same former U.K. intelligence figure quoted earlier said that managing to get two permanent members of the United Nations Security Council to host a major event on the issue is “better than nothing,” but it has proven “very hard to get any country anywhere to act against malicious cyber actors on their own territory.”
A Call for Action from the U.S.
One major signatory, the United States, has also used its economic and diplomatic muscle to go much further than a non-binding declaration of allies. In 2021 the U.S. blacklisted NSO’s Pegasus alongside other Israeli, Russian and Singaporean spyware companies.
In 2023, then-President Joe Biden signed an executive order to ban federal agencies from using spyware which could pose a risk to American security. The U.S. government followed this up a year later by threatening to impose visa restrictions on individuals involved in commercial spyware misuse and sanctions against the Intellexa Consortium.
The U.K.'s Dilemma
“The U.K. could have done all of that, but hasn't. The U.S. is such a big market, so it can move on its own and have a big impact where the U.K. perhaps can’t,” said Shires.
However, the new administration under Donald Trump has rowed back some of these moves, amid a renewed appetite for domestic surveillance tools. Agents with the U.S. Immigration and Customs Enforcement will have access to technology from Israeli company Paragon Solutions, after its contract was halted to comply with U.S. spyware rules.
A Way Forward?
“Right now, the U.K. and the French are being looked at as the leaders in the future, as the new U.S. administration figures out its stance on this policy issue, though we’ve seen some positive signaling, like the U.S. being a signatory on the Pall Mall Process Code of Conduct,” said Jen Roberts of the Atlantic Council.