Call for inputs: report on the provision of military and security cyber products and services by ‘cyber mercenaries’ and its human rights impact
12 February 2021
Working Group on the use of mercenaries
To inform the WG's annual thematic report to be presented to the General Assembly at its 76th session in October 2021
Twice a year, the Working Group on the use of mercenaries issues calls for inputs to inform its thematic studies to be presented at the Human Rights Council in its September session and at the General Assembly in October.
Objectives of the report
The Working Group on the use of mercenaries has identified “cyber mercenaries” as one category of actors that can generate mercenary-related activities. This entails a wide range of military and security services provided in cyberspace, including data collection and espionage. Private actors can be engaged by States and non-State actors in various proxy relationships to conduct offensive or defensive operations, to protect their own networks and infrastructure, as well as to carry out cyber operations to weaken the military capacities and capabilities of enemy armed forces, or to undermine the integrity of another State’s territory. Individuals carrying out cyberattacks can cause damage remotely, across various jurisdictions. As such, they can be considered as undertaking a mercenary-related activity, or even a mercenary activity if all the qualifying criteria are met.
This thematic study on
the provision of military and security products and services in cyber space by cyber mercenaries and related actors and its human rights impact aims to explore how mercenaries and private actors make profit from developing, maintaining and operating cyber capabilities, which might be used in the conduct of hostilities and in non-conflict settings to violate human rights, including the right of peoples to self-determination.
Scope of study and key questions
The Working Group welcomes submissions from States, civil society organizations, academics, international and inter-governmental organizations, national human rights institutions, private companies, individuals and any other concerned actors.
Access the questionnaire in
The Working Group welcomes any information deemed pertinent to the issue, and is particularly interested in the below mentioned areas. While addressing the questions, please provide
examples, good practices and recommendations to the extent available that you consider important in the context of this questionnaire, as well as any
analysis on future developments in this area.
Current trends and developments
- Who are the clients and/or beneficiaries of cyber-capabilities and operations?
Clients and beneficiaries can include for instance both State and non-State actors who contract “cyber mercenaries” and other actors operating alone or through private military and security companies (PMSCs) to acquire cyber-capabilities, including military and security services and products.
- What is the role of actors, operating alone or through PMSCs, in a) developing, b) maintaining, c) selling, d) delivering cyber-capabilities (incl. military or security products or services in cyber space) to third parties, or e) carrying out cyber espionage?
- What are the motivational factors and strategic intentions of a) clients to recruit “cyber mercenaries” and the type of relationships they may have with them; and b) “cyber mercenaries” and other actors operating alone or through PMSCs in cyber space?
Motivational factors can include for instance private gain, material compensation, ideological and other reasons.
- What are the types of cyber-services and products available (e.g., spyware/malware, AI), including their intended purpose in both conflict and non-conflict settings?
- What role do new technologies play in causing harm remotely in the context of cyber operations, and what are the risks involved? How would you define “directly participating in cyber operations”?
Regulatory frameworks and their application
- Please provide information on existing national, regional or international legislative, policy and regulatory frameworks, or other initiatives, regarding conduct in cyber space and their application (e.g., transparency, responsible behavior, prevention of prohibited conduct).
- Please provide information on specific national or regional norms and/or regulations governing the provision of security products and services in cyber space by actors operating alone or though PMSCs and other relevant actors.
- Please provide information on existing national, regional or international frameworks and mechanisms to investigate, and hold individuals, groups, States or companies accountable for abuses in cyber space, including for espionage, cyber-operations, illegal services or products, and their effectiveness.
Human rights and IHL impacts of cyber-capabilities and operations conducted by actors operating alone or through PMSCs
- Please describe how the development and use of cyber-capabilities, operations and services (e.g., attacks on digital/physical infrastructure and data, surveillance of individuals) by actors operating alone or through PMSCs can cause and contribute to human rights abuses and violations in non-conflict settings.
This includes for instance the rights to life, physical and mental integrity, self-determination, privacy, health, vote, freedom of movement, assembly and association that could be affecting individuals or groups, such as human rights defenders, opposition leaders, or journalists.
- Please describe how the development and use of cyber-capabilities, operations and services by actors operating alone or through PMSCs can cause and contribute to breaches of international humanitarian law during armed conflicts and its impact on civilian populations.
All substantive submissions received are published below, unless the submitter clearly indicated that they did not wish to have their input be made publicly available when submitting their response.