Spyware in the Wrong Hands: What can Governments Do?

Cyber tools are growing increasingly sophisticated and, with the rise of AI-driven surveillance and warfare capabilities, even more powerful. What happens when they fall into the wrong hands, and how can this be prevented?

In a new policy memo for the German Council on Foreign Relations, SIS Hurst Senior Professorial Lecturer Claudia Hofmann analyzes how non-state actors—including terrorist organizations, cybercriminal groups, and drug cartels—are increasingly gaining access to commercial cyber intrusion technologies such as spyware, malware, and surveillance tools, and what policies European and US governments can adopt to prevent such access.

To learn more, we asked Hofmann a few questions about how non-state actors gain access to these technologies, what the risks are to democratic societies, and how Germany and the United States can counter this rising threat.

What are non-state actors, and how are they increasingly gaining access to commercial spyware and surveillance technologies?
Non-state actors are groups not integrated into official state agencies but who pursue their objectives through coercive, disruptive, or even violent means, such as terrorist organizations, criminal syndicates, cyber-mercenary groups, or private companies operating outside government oversight. In recent years, these actors have found it easier to obtain sophisticated spyware and intrusion tools. Why? A booming commercial spyware industry has emerged, with dozens of vendors worldwide now legally selling cyber intrusion tools originally developed for state use. As these surveillance technologies proliferate, the risk increases that they will fall into criminal hands. Simply put, there are more products on the market and more channels through which they can leak out.
Non-state actors are exploiting several pathways to get these tools. In some cases, authoritarian regimes or state insiders deliberately or inadvertently provide spyware to proxy groups. For instance, Hezbollah’s surprisingly advanced cyber capabilities were likely bolstered by Iranian surveillance technology. In some cases, as in Mexico, access is facilitated by money and corruption, so organized criminals can purchase spyware on the gray market or bribe officials to obtain it. A striking example involves more than 20 spyware vendors operating in the country; corrupt officials have been accused of quietly working with cartels, even reselling police surveillance software to drug traffickers.
Additionally, state-developed espionage tools have repeatedly leaked in the past, later being repurposed by cybercriminals or non-state actors. A prime example is the NSA’s EternalBlue exploit, which was stolen and exposed in 2017. It powered the global WannaCry and NotPetya ransomware attacks. More broadly, the Carnegie Endowment notes that the commodification of exploits enables these powerful tools to be adopted by criminal groups, severely lowering the barrier to entry for advanced cyber operations.
What are the risks of this access and what does it mean for democratic societies?
Spyware can covertly infiltrate personal devices, which has dire implications for journalists, activists, and officials in a democracy. Journalists and human rights activists, essential voices in a democracy, have been prime targets of spyware-enabled surveillance across the world. For example, an Amnesty International investigator in Serbia described spyware as “an incredibly effective way to completely discourage communication between people.” Anything you say or do could be monitored and used against you, which is “paralyzing at both personal and professional levels.” This kind of fear creates a chilling effect, deters whistleblowers and activists from speaking out, and undermines the very core of open debate and accountability.
There are also direct political dangers. If opposition politicians, election strategists, or voters can be spied on or blackmailed by malicious actors, the integrity of elections and governance is at stake. A stark example occurred in Poland, where the former government allegedly used Pegasus spyware against opposition figures during the 2019 elections. A parliamentary commission found gross violations of constitutional standards. A Citizen Lab researcher warned that spyware use against an opposition campaign was an “ominous sign of potential election interference” in an era of rising authoritarian threats.
It’s worth noting that even government officials in democracies have been hit by spyware. US diplomats and officials from the U.K., for example, were found to have had their devices infected by commercial spyware. Such incidents raise alarms about national security and sovereignty: Sensitive information or communications could be siphoned off to hostile actors. In sum, the unchecked spread of these spying tools threatens privacy, free expression, fair political competition, and the security of democratic states.
What types of policy recommendations do you suggest for governments or other institutions?
Addressing this challenge requires a comprehensive policy response. Governments should start by tightening oversight and controls on the spyware industry. Recently, at a January 2025 UN Security Council meeting on spyware, officials called for strengthening export control agreements to prevent the “proliferation of these technologies without guardrails.” Alongside export controls, transparency and accountability must be improved. Spyware vendors could be required to undergo independent audits and certification of their products’ security and human rights impacts. Institutions like national data protection authorities or an international body might review these technologies to evaluate risks to civil society. Companies should also perform due diligence on customers: in other words, verify who the end-user is and what they intend to do with the product before a sale is approved.
Another idea is to implement digital watermarks or licensing keys in spyware to track its usage and prevent it from being transferred illicitly. If a hacking tool shows up in the hands of an unauthorized actor, it could be traced back to the source, enabling enforcement. Governments should back these technical measures with hard legal penalties. Some countries have started doing this: The US Commerce Department blacklisted Israel’s NSO Group and others, cutting them off from US technology exports. But international coordination is key. By late 2024, 23 countries had signed on to a US-led joint statement committing to counter the misuse of commercial spyware. Such continued diplomacy can help establish global standards. The bottom line is that no single policy will fix this. As one research report concluded, stakeholders should pursue a “web of national and international measures” to truly address the proliferation and abuse of commercial spyware.
Your policy memo posits Germany as a potential leader in shaping a more responsible global governance framework for cyber technologies, but what role could the US play in this?
Germany, with its strong privacy laws and diplomatic credibility, could spearhead efforts to create a responsible governance framework for cyber intrusion tech. Germany is well positioned to push the European Union toward stricter regulations and export controls and champion human rights-centric norms on the global stage. For instance, Germany is already supporting initiatives like the Pall Mall Process to develop international principles for commercial spyware. By taking a principled stand and coordinating policy across EU member states, Germany can help set a high bar for ethical cybersecurity practices.
The United States, for its part, brings considerable weight through its diplomatic reach, economic leverage, and intelligence capabilities. It has already taken concrete steps, including sanctions on NSO Group and other vendors, the 2024 Joint Statement on spyware misuse, and the January 2025 UN Security Council meeting, where Ambassador Dorothy Shea called for global action. Together, these actions underscore the United States’ role as an increasingly active player in the international response.
In practical terms, Germany and the US can coordinate their policies so that bad actors have nowhere to hide. If Germany drives strong EU-wide regulations and accountability, and the US uses its global reach to enforce export restrictions and shine a spotlight at the UN, we get a one-two punch. A transatlantic partnership could lead to more unified standards and perhaps even an international treaty to control spyware sales. Ultimately, leadership from both sides of the Atlantic will be crucial to rein in cyber intrusion tools and protect democratic values worldwide.