The recent report emphasizes the significant yet often overlooked role of resellers and brokers in the spyware supply chain, describing this group as “a notably under-researched set of actors.” These intermediaries are said to obscure the relationships among vendors, suppliers, and buyers, frequently facilitating connections to emerging regional markets.
Sarah Graham, a co-author of the report, explained that this dynamic results in a complex and unclear spyware supply chain, complicating corporate structures and jurisdictional accountability measures. “This complexity creates substantial challenges for oversight,” she told WIRED.
Graham noted that despite the rising prominence of resellers and brokers, they currently remain absent from policy responses aimed at regulating spyware activities.
The study also identifies three countries (Japan, Malaysia, and Panama) as new players in the spyware landscape. Notably, Japan participates in several international agreements aimed at combating spyware misuse, such as the Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware. As Graham pointed out, this involvement raises concerns about potential conflicts between international commitments and market practices, particularly in jurisdictions where regulations may be lax.
While the Biden administration has initiated various measures to limit the spyware market, including an executive order and trade restrictions, the industry continues to operate largely uninhibited. According to Jen Roberts from the Atlantic Council, a crucial gap between policymakers and U.S. investors allows funds to flow into entities that the government seeks to regulate effectively.
For instance, Saito Tech, a spyware vendor listed on the U.S. Commerce Department’s Entity List since 2021, received new investment from a U.S. firm in 2024, indicating that current government signals have not sufficiently deterred investment. This trend underscores a broader lack of public awareness regarding how consumer funds may inadvertently support the proliferation of spyware.
The report highlights specific financial ties, revealing that U.S. pension funds have supported companies involved in spyware development, providing a significant source of capital for projects that could reach substantial valuations. Roberts emphasizes the need for greater public understanding of how these financial contributions can ultimately enable harmful technologies.
Looking ahead, the Atlantic Council stresses the importance of refining the existing policies to address U.S. investments in spyware. Recommendations include expanding the scope of current executive orders to include notification requirements for investments in spyware along with other national security technologies.
Given the ongoing discussions, including potential revisions to existing executive orders, maintaining regulatory frameworks that leverage U.S. purchasing power will be essential in shaping the global spyware market. This consideration is vital for protecting American citizens against the misuse of such technologies.
As the landscape of spyware evolves, it will be crucial for businesses to stay informed about these developments and consider their broader implications for cybersecurity practices, facilitating a more informed dialogue around investment and oversight within the industry.