Cyberwar and the Private Intelligence Market

The privatisation of intelligence capability is one of the most consequential and least publicly examined structural shifts in the contemporary security landscape. For most of the post-war period, the collection, analysis and weaponisation of intelligence were functions reserved to state agencies operating under legal frameworks, however imperfect, that assigned accountability and constrained misuse. The National Security Agency, GCHQ, the Mossad and their counterparts operated under authorising statutes, oversight committees and classification systems that kept their activities within defined institutional boundaries, even when those boundaries were violated. What has changed since roughly 2010, and accelerated sharply after 2015, is the emergence of a private market offering comparable capabilities to any paying client: governments, corporations, political parties, criminal organisations and individual actors with the financial means to procure them. The market has no oversight framework, no uniform legal accountability structure and no meaningful international governance regime. It is a shadow intelligence industry operating at the intersection of the technology sector, the defence industry and organised crime, and its products are shaping conflicts across the world in ways whose full extent is only beginning to be documented.

The private intelligence sector is not a unified industry with clearly defined boundaries. It is a loosely connected ecosystem of firms ranging from publicly traded defence contractors offering classified cloud computing services to small boutique companies providing targeted surveillance tools for specific clients, from established cybersecurity firms with government contracts to startups developing AI-powered geospatial analysis platforms, and from legitimate open-source intelligence aggregators to companies operating in deliberate legal ambiguity that exploit gaps between national jurisdictions to sell capabilities that would be illegal in many of their clients' home countries.

Several distinct segments of this market are worth understanding separately, because their risk profiles, regulatory exposure and strategic significance differ substantially. The surveillance and monitoring segment, exemplified most prominently by NSO Group's Pegasus spyware, provides offensive capabilities enabling clients to penetrate specific targets' devices without their knowledge. The geospatial intelligence segment, dominated by commercial satellite operators including Planet Labs, Maxar Technologies and Satellogic, provides imagery and analysis that enables monitoring of military movements, infrastructure changes and economic activity at resolutions and revisit rates that would have required dedicated state reconnaissance satellites a decade ago. The cyber operations segment, which includes both defensive cybersecurity and offensive capability development, provides tools for both protecting and attacking digital infrastructure. And the data analytics segment, including firms such as Palantir and a growing range of AI-driven intelligence platforms, provides the processing capacity to turn vast quantities of raw data into actionable intelligence assessments.

No single case better illustrates both the capability and the accountability failure of the private intelligence market than NSO Group's Pegasus spyware. Developed by the Israeli firm and licensed exclusively to government clients, Pegasus is a zero-click mobile surveillance tool capable of penetrating both iOS and Android devices without any user interaction, extracting call logs, messages, emails, photographs, location data and activating the microphone and camera for real-time surveillance. NSO Group has consistently maintained that Pegasus is sold only to vetted government clients for lawful interception purposes in the investigation of serious crime and terrorism, and that the company has no visibility into how its clients use the product.

The Pegasus Project, a consortium of 17 international media organisations that analysed leaked data in 2021, identified over 50,000 phone numbers that had been selected as potential surveillance targets by NSO Group clients, including the numbers of journalists, human rights activists, lawyers, opposition politicians, business executives and at least 10 serving heads of state. The governments identified as clients included Saudi Arabia, the UAE, India, Mexico, Hungary, Azerbaijan and Morocco, among others. The murder of journalist Jamal Khashoggi in 2018 was preceded by Pegasus surveillance of his associates and communications. The scale of documented misuse demonstrates that the "vetted government client" framework through which NSO Group justifies its sales is not a meaningful accountability mechanism. It is a commercial and legal fig leaf that transfers accountability for misuse from the tool manufacturer to the client while preserving the revenue relationship that creates the incentive to sell.

The commercial satellite imagery sector has undergone a transformation in the past decade whose implications for intelligence and conflict are still being fully absorbed. The combination of miniaturised satellite technology, reusable launch vehicles reducing orbital insertion costs and AI-powered analysis platforms has compressed what was previously a capability restricted to a handful of state space programmes into a commercially available service accessible to any organisation willing to pay a subscription fee. Planet Labs operates a constellation of over 200 small satellites capable of imaging any point on earth's surface at least once daily at resolutions of three to five metres. Maxar Technologies, operating larger satellites, provides imagery at resolutions below 50 centimetres, comparable to the classified reconnaissance assets of major military powers.

The Ukraine conflict demonstrated the operational significance of this democratisation of reconnaissance more clearly than any previous event. Commercial satellite imagery from Planet, Maxar and other operators documented Russian military buildups along the Ukrainian border weeks before the February 2022 invasion, providing intelligence that Western governments used to publicly pre-empt Russian denial of aggressive intent and that civil society organisations used to independently verify battlefield events. Throughout the conflict, commercial imagery has been used to document the destruction of Ukrainian cities, track Russian naval movements in the Black Sea, verify claims about specific military incidents and monitor the activity of Wagner Group forces in Africa independently of any government intelligence source. The accountability implications of this transparency are profound: states conducting military operations must now assume that their activities will be documented in near-real time by commercial actors whose products are publicly accessible, regardless of the classification status of any state intelligence agency's own imagery.

The cyber operations segment of the private intelligence market operates under a structural condition that makes it uniquely difficult to govern: the fundamental asymmetry between offence and defence in digital conflict. Attacking a computer system requires finding a single exploitable vulnerability in potentially millions of lines of code. Defending requires protecting every line simultaneously. This asymmetry means that in cyberspace, offensive capability is structurally easier to develop and deploy than defensive capability of equivalent effect, creating a market dynamic in which the demand for offensive tools consistently outpaces the supply of viable defences.

Private companies exploit this asymmetry in multiple ways. Vulnerability research firms discover zero-day exploits, previously unknown software flaws with no available patch, and sell them to the highest bidder. Governments pay premium prices for zero-days to build offensive cyber arsenals. Criminal organisations purchase them for financial fraud. The same zero-day purchased by a Western intelligence agency for counter-terrorism surveillance may later be purchased by an authoritarian government for journalist surveillance or by a criminal group for ransomware deployment. The market does not discriminate between these use cases. It prices capability, not intent. When the vulnerability is eventually discovered by defenders and patched, its former purchasers retain the institutional knowledge of how to find the next one. The offensive capability compounds. The defensive coverage remains persistently incomplete.

The most politically consequential segment of the private intelligence market may not be surveillance or cyber operations but the industrialisation of disinformation. The convergence of social media platforms, large language models, deepfake technology, coordinated inauthentic behaviour networks and professional political consulting firms has created a market for information operations as a service: the ability to shape public opinion, discredit political opponents, amplify social division and manufacture the appearance of popular sentiment at scale, for any client willing to pay the relevant fee.

Cambridge Analytica's harvest of 87 million Facebook profiles for psychographic political micro-targeting, documented in the 2018 investigations, established the template. What has changed since is the scale and the accessibility of the underlying tools. Large language models now make the generation of persuasive, contextually appropriate propaganda content trivially cheap. Deepfake video generation tools allow the creation of convincing synthetic media featuring real public figures at costs that have fallen from hundreds of thousands of dollars to effectively zero for a technically competent operator. Coordinated amplification networks, whether built from compromised accounts, paid followers or bot networks, can be rented commercially through darknet marketplaces for specific campaigns. The result is that conducting an influence operation of the kind that required the institutional resources of a major state intelligence agency in 2016 can now be purchased by a mid-sized company, a well-funded political campaign or a criminal organisation with appropriate connections.

The private intelligence market operates in a regulatory environment characterised by a governance deficit that is structural rather than merely incomplete. The technologies involved are dual-use by nature, simultaneously valuable for legitimate security applications and for abuse. The market is global, with firms incorporated in jurisdictions chosen partly for their regulatory permissiveness and clients operating across national boundaries that limit any single government's jurisdictional reach. The pace of technological development consistently outstrips the pace of regulatory response. And the states most capable of imposing meaningful regulation, the United States, European Union members and Israel, are also the states whose own intelligence agencies depend heavily on private sector partnerships and whose technology sectors have strong commercial incentives to resist restrictions.

The result is a market in which the primary accountability mechanisms are litigation, investigative journalism and periodic public scandal rather than systematic oversight. NSO Group faced consequences for Pegasus not because a regulatory framework identified and sanctioned the misuse but because a consortium of investigative journalists documented it publicly. Cambridge Analytica was exposed not by a data protection regulator but by a whistleblower. The governance deficit is not only a problem for the people whose communications are surveilled or whose elections are manipulated. It is a structural risk for the financial institutions, critical infrastructure operators and government agencies whose systems are targeted by tools first developed and sold in the unregulated private intelligence market before being repurposed by criminal and state adversaries. The invisible war economy is not only a strategic asset. It is a systemic vulnerability whose full costs are distributed across societies that never consented to inhabit it.