Forms of state power have been changing, not only in alignment with contemporary conflicts but also with the digital age and so-called ‘hybrid threats’. Since 9/11, the US has invested massively in intelligence work as part of the fight against international terrorism, and has gradually stepped up the outsourcing of these services to PMSCs. Tim Shorrock, author of Spies for Hire: The Secret World of Intelligence Outsourcing, states that 70% of the US intelligence budget in 2007 was outsourced to security contractors. A year later, an investigation by The Washington Post found that 1,931 private companies were collaborating on national security, counter-terrorism and intelligence tasks from 10,000 US locations.
Government intelligence agencies contracting from corporations producing surveillance technologies is nothing new. What is unusual is the contracting of specialised staff for intelligence and national security work. The database of the Shock Monitor network records 216 PMSCs, out of a total of 770, providing intelligence services to governments, TNCs and private clients.
These services have evolved with the use of new technologies and now also include threats from cyberspace. Private security contractors supply and maintain software technology and hardware systems; gather data related to national security by intercepting calls, hack mobile phones and IT systems; analyse and systematise data related to national security; produce risk-assessment reports for the military high command; operate reconnaissance drones during protests or in armed conflicts beyond borders; and conduct secret operations that involve illegal activities such as infiltrating social movements or interrogating suspects.
Some PMSCs have also set up their own cybersecurity departments to meet their clients’ new requirements. Booz Allen Hamilton, one of the main US intelligence contractors, offers cybersecurity services that enable it to carry out attacks in the cyber domain. The Russian PMSC RSB Group has specialised in intelligence and cybersecurity since 2016, and the British firm G4S set up a Cyber Consulting and Security Operations Centre in the same year. Other companies, such as the French firm Amarante International, the Danish firm Risk Intelligence, which specialises in maritime security, and the British firm Control Risks, have developed sophisticated big-data tools to produce international security reports that identify specific risks to their clients.
The involvement of PMSCs and private security contractors in data-analysis places them in an ideal position to influence perceptions of the threats faced by their government clients, which means that they can also influence public policies or security plans. The profit motive and their military and technical security approach shape the results of PMSCs’ investigations and their proposals for how to neutralise the identified threats. Ultimately, this approach influences their clients’ perception of insecurity and ignores the social and political dynamics in the situations analysed, side-lining non-military responses involving diplomacy or mediation.
Cyber-espionage has thus become one of the PMSCs’ key services, involving contracting large numbers of hackers – or what the United Nations Working Group on the use of mercenaries calls cyber-mercenaries. The outsourcing of intelligence services to PMSCs reinforces the logic of impunity, diminishes supervision and accountability, and deliberately complicates democratic oversight of these operations, as the researcher Armin Krishnan has pointed out. These services include highly sensitive and controversial work, as PMSCs are used as proxies to evade public scrutiny and meddle in the domestic affairs of other countries.
The Russian military intelligence agency (GRU) used the services of the Internet Research Agency, also known as the Troll Factory, linked to the oligarch Yevgeny V. Prigozhin, to interfere in the 2016 US presidential election by hacking into Democratic Party email accounts and computer networks and spreading disinformation on social media in order to favour Donald Trump’s presidential campaign.
The Troll Factory’s data-hacking activities are not an isolated case. On a lesser scale, numerous PMSCs provide offensive services such as active cyber defence (ACD) or hacking to recover stolen information and disrupt or damage potential enemy infrastructure networks. These hackers also perform tasks remotely, such as using drones to conduct reconnaissance thousands of kilometres away, offensive actions on the internet, or supporting authoritarian governments in actions to repress their citizens. In other words, security contractors are able to act on the frontline of contemporary conflicts from the comfort of their living room. Both situations make it challenging to regulate PMSCs’ cybersecurity activities in terms of applicable jurisdiction and involvement in cyberwarfare.
At the same time, cooperation in the field of intelligence implies that private security contractors have access to sensitive information related to national security and to the databases of government agencies that contain citizens’ personal information. This clearly has an impact on civil and political rights. For example, investigations made by The Intercept revealed shadowy intelligence activities by the PMSC Tiger Swan who gathered data by infiltrating the Standing Rock indigenous and environmental movement protesting against the oil pipeline project of the firm Energy Transfer in North Dakota. The reports produced by Tiger Swan were used by the local police, the FBI and the Department of Homeland Security (DHS) Fusion Centers set up after 9/11 to combat international terrorism.
Such practices like these are also widely used in low- and middle-income countries, where complicity between state security forces, security contractors and hired killers is responsible for the death of numerous human rights defenders, such as the case of Berta Cáceres in Honduras and many more in Colombia and Brazil.
Finally, the privatisation of intelligence has meant that experts from government agencies work for the highest bidder, whether a company, another government or a private tycoon. In 2019, a former NSA agent uncovered the Raven project, an intelligence unit set up by the UAE and staffed by cyber-mercenaries, including some previously hired by US intelligence agencies. The Raven analysts also had a very sophisticated system – of unknown origin – for hacking into iPhones, known as Karma. The Raven project spent years monitoring dissidents and others critical of the Abu Dhabi government, such as the British journalist Rori Donaghy, the Emirati activist Ahmed Mansoor, and Tawakkol Karman, leader of the ‘Arab Spring’ protests in Yemen.