When the whole world is hacking, how does Britain say stop?
LONDON — Late last month, British intelligence, alongside allies like the United States, called out government-linked Chinese companies for a global campaign of cyber attacks.
It was the latest step in a decade-long diplomatic dance.
Britain only attributes cyber attacks to four countries: Iran, Russia, North Korea and China — known as the “Big Four.” Three are deemed hostile states, and Britain has an uneasy relationship with the latter.
But these are not the only countries that hack, sell hacking technology, or turn the other cheek to groups breaching devices and infrastructure in the U.K. Some are allies — but they have their blushes spared.
Calling out allies in public remains a risky move when ministers and officials are in a race to sign trade deals and strengthen relations across the globe.
At the same time, Britain is trying to place itself at the forefront of efforts to hold back the spyware arms race, as countries look to buy commercial cyber expertise and technology to hack neighbors, enemies and partners. This leaves Britain increasingly at odds with the U.S., which is now looking to utilize spyware it had previously blocked.
POLITICO spoke to cybersecurity and intelligence figures from inside the U.K. government and the private sector to map which of Britain’s strategic allies are involved in the proliferation of cyber attacks — and how the U.K. is struggling to clamp down on a lucrative global industry.
Some were granted anonymity to speak about sensitive national security matters.
Floodgates open
In 2013, Edward Snowden, a former contractor for America’s National Security Agency (NSA), blew open the previously secretive world of Western digital surveillance and hacking. In leaking thousands of classified documents, he revealed that the Five Eyes intelligence partnership — which includes Britain and America — had spied on allies including France, Germany, the EU and the United Nations.
In the decade since, other nations have been playing catch-up, with tech companies providing the ammunition for states wanting to rival Western nations that had been hacking for years.
As the rest of the world started hacking back, Britain’s allies took the unprecedented step of calling out those they suspected of committing cyber attacks against them. In 2014, the Barack Obama administration in the U.S. put its head over the parapet to attribute a cyber attack to China.
“The first time we were told about the U.S. attribution of 2014, privately the British government thought the Americans had gone mad and that it was really risky,” one former senior intelligence official told POLITICO.
“[It was thought] it wouldn’t achieve anything and it might get us into trouble and that they [China] might start arresting people. As it turns out, the Americans were right and we were wrong,” they said, adding: “I don’t think there’s a shred of evidence that any Western country has come to any harm as a result of attribution.”
It took Britain until 2018 to start pointing the finger publicly — this time at Russia — while countries such as France did not take this step until earlier this year.
The U.K.’s process for attribution involves a two-step judgment, whereby intelligence officials prepare an assessment for a minister when a cyber attack is thought, to a very high degree of confidence, to have come from a nation-state threat. It is then up to the minister to publicly call out the activity or not.
The rationale for naming the origin of an attack is, in part, a comms exercise: “If you’re representing the British government in public and there’s been a major nation state cyber attack, and you’re not prepared to say who it was, then you look either incompetent or duplicitous,” the same former intelligence official said.
They noted that although the Russians “don’t seem to care” whether Britain publicly calls them out, China does. “Let’s say, for example, that things were pretty tense with China, and we wanted to de-escalate — we might choose not to do an attribution purely for policy reasons.”
Earlier this year in Manchester, officials from Britain’s National Cyber Security Centre (NCSC) — an arm of the GCHQ digital intelligence agency — were asked in a briefing whether there are nation state threats outside of the Big Four that Britain now sees as a developing threat.
After a deep pause, one senior NCSC official replied in the affirmative. “Obviously states do procure capability and there are other state threats out there,” they said. “It would be odd if I said there weren’t.”
They declined, however, to name any of these states.
‘Everyone’s pretty sure it exists’
Though cyber activity from the Big Four is thought to make up the majority of hostile activity in Britain, it’s not the full picture.
“That these four are the only ones that are repeatedly attributed is, for me, a real problem,” said James Shires, a cybersecurity academic and researcher, adding: “That means that most of the public conversation implies that those are the only actors, and that’s just not the case.”
In fact, close allies make up some of these cyber powers, with leaked information often stepping in to fill the information void. In the 2010s, researchers claimed to have traced a piece of malware known as “Babar” back to French intelligence, while a hacking group called Careto was thought to have been linked to the Spanish government.
“When you have allied, friendly, non-intelligence partnership states that you have good diplomatic relations with doing this kind of activity, there’s no way they’re going to be publicly outed,” Shires added.
Hacking and cyber intrusion have uses for the Big Four beyond simply snooping on Britain and its allies. Backdoors into government and commercial networks can provide key information about dissidents, activists and political opponents who have fled a regime — and these four states are not the only ones with overseas critics.
India, though a sometimes close ally of Britain, has been called out for its cyber activity by Canada, Britain’s intelligence partner in the Five Eyes partnership. Last year, Canada’s spy agency accused India of tracking and surveilling activists and dissidents, as well as stepping up attacks against government networks. This year it went further and accused India of foreign interference.
Britain’s approach to India has been different, choosing diplomacy with joint schemes like a Technology Security Initiative. Lindy Cameron — the former head of the NCSC — has been placed as the British High Commissioner to India.
In the Middle East, Israel has become one of the most prominent players in international espionage, with cyber a core component of its intelligence arsenal.
Though Israel has long avoided admitting it has conducted offensive cyber operations, researchers have suggested it played a role in hacking the venue for Iran’s nuclear negotiations. More recently, the conflict with Iran has given the world a glimpse into the capabilities of the Israeli state and state-aligned hacktivist groups.
“For Israeli cyber espionage in the U.K., it’s one of those things where everyone’s pretty sure it exists, but there’s no clear indication of it,” Shires said.
The same former intelligence official quoted previously said that “even in the current circumstances” of tricky relations with Israel, it would be “improbable to foresee a British government attributing a cyber operation” to them. They added that though Canada accused India of interference, Britain would have to “judge that case and its merits” for any similar activity in U.K. cyberspace.
Despite the emergence of new top-level cyber nations, experts told POLITICO that the main driver for future threats to the security of U.K. citizens and infrastructure comes from the private sector, through the selling of sophisticated spyware technology.
Shires said: “The big concern from the U.K. is not just cyber operations run directly by states. It’s not just which state has developed their own internal capability, but where they are relying on third parties to deliver that for them.”
He noted that spyware companies have given rise to a “far wider set of states having access to capabilities because they don’t need to make the investment to develop their own internal capabilities, they can buy in a point, click and compromise service that they can then use to target whoever they want.”
Melissa DeOrio, who leads cyber threat intelligence at cybersecurity and corporate intelligence consultancy S-RM, added: “It is very challenging to know exactly what capabilities lie in what countries, which are independent actors hacking of their own volition for financial opportunity, versus what activity is done either in favor of the state or ignored by the state and enabled by them in some way.”
Point, click, compromise
An explosion in hacking technology from private companies with explicit or implied state backing means the threat to countries — including Britain — can be harder to pinpoint.
Sophisticated attacks are no longer just the domain of countries with established cyber capability. Britain’s NCSC has previously revealed that at least 80 countries have purchased commercial spyware — although it did not name them.
Last year, researchers at the Atlantic Council think tank mapped spyware vendors around the world, covering 42 different countries and 435 entities in its data set. They identified three major clusters in Israel, India and Italy.
Jen Roberts, associate director of the Cyber Statecraft Initiative at the Atlantic Council, told POLITICO: “All three of these jurisdictions have pretty permissive environments with more or less state involvement in some fashion. The Indian cluster is the most common for a ‘hack-for-hire’ market. The Italian cluster has the oldest history of spyware. The Israeli cluster is the biggest chunk and probably the most well known, and most capable.
“The U.S. and the U.K. are two of the largest investors into this market, but a lot of these firms often target diplomats and citizens of the U.S. and the U.K.”
Nayana Prakash, a research fellow at the Chatham House think tank, said a “large pool of very talented tech professionals, very low labor costs and big underground market for hacking services” has meant that “there’s loads of things in India that you can get done if you know the right people.”
“For groups to thrive in a country like India, or Russia, there has to be some level of the state being somewhat lax in enforcing certain laws,” she added.
Shires added: “These companies would say their technology is always for national security, law enforcement and serious crime purposes. Their opponents will say this generally turns out to be journalists, dissidents and political opposition.”
A 2022 report by the Citizen Lab research centre in Canada claimed that between 2020 and 2021 there were multiple infections of “Pegasus” spyware — created and sold by the Israeli company NSO Group — on U.K. government devices. These included people in both Downing Street and the Foreign Office, with operators of the spyware linked to the UAE, India, Cyprus and Jordan. The Council of Europe said Pegasus is known to have been sold to at least 14 EU countries.
It took Britain until 2023 to call this out. “There’s a lot of hesitance against attribution, because it’s such a big step, and because it throws your cards on the table,” Chatham House’s Prakash said.
NSO has long asserted that its technology is sold “for the sole purpose of fighting crime and terror.”
Stopping the arms race
In February, France and Britain convened a high-level meeting in Paris.
It was the second such meeting to discuss the Pall Mall Process — an international effort led by the two nations aimed at clamping down on the “proliferation and irresponsible use” of spyware and other commercial cyber intrusion capabilities.
It established a code of practice and a joint declaration for countries that signed up to it — but it remains a voluntary scheme with limited engagement from the same threats it is seeking to curtail.
The 24 countries that have signed up to its code of practice do not include Israel, India or nations such as the UAE that have been accused of using spyware irresponsibly. Similarly, none of the major spyware vendors are represented.
A summary report by the organisers ahead of the meeting — emblazoned with “NOT UK/FRANCE GOVERNMENT POLICY” — spoke of the risks of the sector without highlighting any country or company involved in the use of spyware.
The same former U.K. intelligence figure quoted earlier said that managing to get two permanent members of the United Nations Security Council to host a major event on the issue is “better than nothing,” but it has proven “very hard to get any country anywhere to act against malicious cyber actors on their own territory.”
James Shires said the optics of having major players in cyber espionage dictating what other countries can do has likely limited participation in the initiative. “You have these major states that not only have their own domestic capabilities, but also have a commercial industry, and they want to control access to that industry around the world.”
One major signatory, the United States, has also used its economic and diplomatic muscle to go much further than a non-binding declaration of allies.
In 2021 the U.S. blacklisted NSO’s Pegasus alongside other Israeli, Russian and Singaporean spyware companies. In 2023, then-President Joe Biden signed an executive order to ban federal agencies from using spyware which could pose a risk to American security. The U.S. government followed this up a year later by threatening to impose visa restrictions on individuals involved in commercial spyware misuse and sanctions against the Intellexa Consortium.
“These are all pretty blunt, effective actions,” Shires said. “The U.K. could have done all of that, but hasn’t. The U.S. is such a big market, so it can move on its own and have a big impact where the U.K. perhaps can’t.”
However, the new administration under Donald Trump has rowed back some of these moves, amid a renewed appetite for domestic surveillance tools. Agents with the U.S. Immigration and Customs Enforcement will have access to technology from Israeli company Paragon Solutions, after its contract was halted to comply with U.S. spyware rules. Paragon has previously come under scrutiny by the Italian government.
The Atlantic Council’s Jen Roberts said: “Right now, the U.K. and the French are being looked at as the leaders in the future, as the new U.S. administration figures out its stance on this policy issue, though we’ve seen some positive signaling, like the U.S. being a signatory on the Pall Mall Process Code of Conduct.”
GCHQ and NCSC were contacted to contribute to this piece. The U.K. government has a long-standing policy of not commenting on intelligence matters.