The US is now the largest investor in commercial spyware

61 comments

·September 11, 2025

dadrian

This is an unserious article.

1) If you're counting investment, you should count it in dollars, not number of investors or corporate entity locations.

2) This is missing at least two extremely well-known CNE vendors, which makes me doubt its accuracy.

3) The takeaway from the graph on Mythical Beasts [1] should be that the industry is _very small_, not that it's very big.

4) Americans should be happy that the US government is the biggest player. Would you prefer to have China or Russia or the Middle East be the biggest player? Get a warrant -> own a phone is a very straightforward process that fits into existing models of civil liberties in the US.

[1]: https://mythicalbeasts.atlanticcouncil.org/

dogleash

>Would you prefer to have China or Russia or the Middle East be the biggest player?

If the absolute value of China + Russia + ME was the same, but US went down? Yeah, probably. Doubly so if sales going down meant less R&D investment and therefore lower quality software.

serial_dev

> Would you prefer to have China or Russia or the Middle East be the biggest player?

I was thinking about this (almost this, adjacent) lately, and I’m actually still undecided.

If I could choose who swoops up all my data, would I prefer it to be my own country, an “ally”, or an adversary? State or commercial entity?

What if I were to criticize my own government? Run for office? Participate somehow in an NGO? Start my political podcast / talk show? In all those cases, the worst people to spy on you are the ones who can also knock on your door at 4 AM, put you in prison and make up bogus charges.

I mean it’s all hypothetical, I can’t choose who spies on me, and I am okay only observing the world and navigating it as well as I can.

tptacek

This data set is missing even several pretty well-known CNE vendors.

The bigger question is: why would you expect the US not to be the largest investor? CNE vendors are tech companies. The US is the largest investor in tech companies.

bigyabai

> why would you expect the US not to be the largest investor?

Mostly because $FAV_TECH_COMPANY constantly tells me they love privacy. They fight backdoors in court, they rush out security patches and closely coordinate with the government to ensure I'm safe. Every advertisement seems to reinforce the idea that they cared about my security, I guess I put too much faith in the principles of private enterprise.

tptacek

What would that have to do with anything I just said?

simoncion

> What would that have to do with anything I just said?

It's a direct answer to the question you posed, which was email-quoted in the first line of the comment.

It relates the point of view of someone who's substantially tech-ignorant and -in part because they simply don't have time or energy to think much on the topic- entirely unaware of how the intelligence and infosec world works. People like that make up a somewhat-surprising fraction of the US population. Sometimes folks who work in computers are a member of this subset of the population!

bigyabai

It might help inform you, if you're unfamiliar with the sentiment Americans hold towards security?

Don't take my word for it, though. Scroll through the rest of the comments in this thread, I counted all of three unique users that took this article at face-value. The fact that we see this cognitive dissonance on HN should really reinforce how unimportant online security is to Silicon Valley.

nycdatasci

You can find a graph showing the relationships between investors and entities here: https://staging--atlantic-council-spyware.netlify.app/

The headline can't be taken at face value. "Largest" is based on the number of investing entities (including individuals), not something more objective like dollars invested. Also, the US is not making these decisions as the headline implies.

hparadiz

Aka enterprise security solutions

tptacek

Enterprises are generally not customers of serious CNE vendors.

ta12653421

Cloud-based Enterprise Security Solution, thats important! ;-)

reactordev

Centralized, Single-pane-of-glass, Cloud-based Enterprise Security Solution.

evanjrowley

This is a big step beyond just enterprise EDR/MDM

OutOfHere

Hacking personal devices goes way beyond enterprise security. It is cybercriminal behavior.

cramcgrab

According to ars.

esalman

The former number one, and current number two, is anyone's guess.

My home country does not have formal diplomatic ties with them, yet we purchased and deployed surveillance tech from this country.

We live in a truly dystopian nightmare.

mensetmanusman

Google and FB are commercial spyware.

reactordev

Microsoft Teams and O365 suite are as well.

bamboozled

“Freedomware”

OutOfHere

I see multiple ex-employers listed at https://staging--atlantic-council-spyware.netlify.app/ | https://mythicalbeasts.dfrlab.org/. I strongly advise avoiding all prospective employers that use these services as they're practically guaranteed to hack your phone.

Report: https://www.atlanticcouncil.org/in-depth-research-reports/re...

Dataset: https://github.com/ac-csi/mythical-beasts

dadrian

It is illegal for an employer to hack your phone.

OutOfHere

It is why the employer contracts the hacking firm to do it all for them. Meanwhile, the employer has deniability. The employer receives reports of your data and activities as accessed by the firm. That is the whole point. It's a legal gray area. Being naive about it doesn't help.

dadrian

No, that is also illegal.

tptacek

Sounds made up.

Group_B

Gotta love the good old US of A. I feel like we have the worst of both worlds; dystopian surveillance, yet massive crime issues still. An amazing world we live in.

generalizations

I suspect that in the very near future, the latter will dramatically decrease and the former dramatically increase. I wonder how that tradeoff will be perceived.

bregma

As surveillance increases the definition of crime will expand.

Consider the incentives. Surveillance is costly. The only way to justify increasing surveillance costs is to demonstrate increasing intervention in criminal activity. If traditional crime is reduced, new crimes need to be introduced.

Once all the enemies of the state have been eliminated, it becomes mandatory to introduce new enemies of the state so they, too, can be rounded up. Eventually there will be no one left to come for and the surveillance technology will go unmonitored.

jrochkind1

Don't worry, the crime wont' actually decrease either.

hansvm

Maybe. If we use our powers too capriciously then they'll deter behaviors other than criminal behaviors. Like that boat of alleged drug traffickers we recently blew up -- that looks more likely to discourage boating within 1000 miles of the US than any particular crime.

null

[deleted]

falcor84

What do you mean? What would lead to government surveillance decreasing?

wil421

No he means crime will dramatically decrease and surveillance will increase. I’d be inclined to agree.

corimaith

The increase in crime is purely political problem emerging from the demands of a certain segment of middle and upper middle classes, not the government or working class.

roughly

> I feel like we have the worst of both worlds; dystopian surveillance, yet massive crime issues still.

One might be tempted towards the conclusion that dystopian surveillance doesn't materially impact crime rates and that if we want to solve the latter, we need a different solution than the former.

mrtesthah

The problem is that when laws no longer apply to certain individuals in our government, we no longer have rule of law at all, because a law is inherently universal. The US is rotting from the head.

kubb

At least you have freedom… in some sense.

null

[deleted]

decremental

[dead]

howmayiannoyyou

Good. I want my tax dollars allocated to penetrating every and any system my country's adversaries may use to undermine our interests or threaten our people. And, I want maximum penalties, civil and criminal, for any person or company who misuses these systems for personal or political gain. Also, I'd like to see mandatory statutory civil damages for any vendor creating and/or selling/providing these systems who does so in a negligent or malicious manner, same as we provide for other high risk products and services.

vkou

Well, you're definitely not going to get the latter two, and the only guarantee about the first one is that they will definitely be used against enemies of the state.

Whether there's any overlap between them and enemies of the people will heavily depend on the latter's ability to steer towards good governance. The track record for the past few decades hasn't been great.

ChainnChompp

Nailed it - well said. Going to take some serious work for the populace to start steering the ship again, unfortunately.

RianAtheer

Wow, didn’t know the U.S. is now the top investor in commercial spyware clearly a big push for cyber defense and global intelligence edge. Essentially, it’s about maintaining an edge in cyber operations and national security. The U.S likely sees commercial spyware not just as a tool for spying, but as a strategic investment to keep up with global cyber threats.

linkregister

Investment in these firms does not equate to improved national security. Existing US government programs exceed the capabilities of these firms. A purpose for contracting with these firms is to evade the significant legal oversight present in the NSA, CIA, and FBI computer network exploitation programs.

OutOfHere

US and Israel are the the global cyber threat.

SilverElfin

What about China? Salt typhoon was just one among many actual attacks, not just threats, connected back to the Chinese state.

soperj

What attacks from the US have you heard of?

OutOfHere

Yes, but with rare exceptions, China doesn't exercise much power to lock up someone, or to disempower someone, at least so long as you don't visit China. Meanwhile, the US and Israel are well known to target individuals both domestically and around the world irrespective of their affiliation.

corimaith

According to https://www.ox.ac.uk/news/2024-04-10-world-first-cybercrime-..., Russia (58), Ukraine (36), China (27) and then USA (25) top the list, with Israel (2.51) at a measly rank 16.

So no, and I'm not sure why OP decided to single out Israel here given it is a order of magnitude less than the others and there are so many other nations, unless if they have a specific agenda to push here.