Impact lead: Johann Ole Willers, Copenhagen Business School
Subproject: Finance and transparency
Context
This impact case focuses on research on the global private surveillance industry and its role in enabling lawful interception, intrusion, and surveillance capabilities. The work sits at the intersection of International Political Economy, Security Studies, Surveillance Studies, Science & Technology Studies, and global governance research. It contributes to ingoing debates on cyber proliferation, economic security, export controls, human rights, surveillance capitalism, and state-market relations in high-tech sectors.
The research examines the rapid growth of private vendors supplying governments around the world with interception, intrusion, and spyware technologies.
These technologies:
- Strengthen intelligence and military capabilities.
- Blur the boundary between lawful interception and offensive cyber operations.
- Enable domestic repression of activists, journalists, and political opposition.
- Raise concerns about strategic proliferation of offensive cyber capabilities to US/NATO adversaries.
Key stakeholders include national security agencies, law enforcement, intelligence services, EU institutions and export-control bodies, US and NATO policymakers, civil society organisations, and technology companies affected by spyware abuse.
The study
The study investigates the opaque and evolving market of private interception, intrusion, and surveillance (PIIS) tools, which has become central to the expansion of global digital surveillance.32 It asks how this market emerged, why regulation has struggled to keep up, how state and market actors interact, and what this reveals about governance in high tech sectors. The findings reveal a globalized industry, the cross border spread of offensive cyber tools, and persistent regulatory gaps driven by the mismatch between static policy tools and fast changing market conditions.
The analysis draws on a new dataset of 5,973 industry presentations across 64 trade fairs (2003-2020) alongside corporate ownership data, industry reports, leaked documents, and 19 in-depth interviews with insiders and policymakers. Moreover, the Atlantic Council report cross-references 107,542 arms-fair exhibitors and 777 ISSWorld sponsors/speakers, identifying 224 overlapping firms active in both domains.
The study conceptualizes the PIIS market as a dynamic assemblage shaped by evolving state-market interactions and technological change. Drawing on political economy, security studies, and surveillance research, it integrates insights from global security assemblage theory, technological governance literature, and international trade scholarship.
It identifies three core dynamics shaping the market:
- Territorialization – shifts in the geographical and organisational scope of the market.
- Technological affordances – evolving infrastructures and tools that expand surveillance capabilities.
- Ordering – changing relationships between vendors, states, intelligence agencies, and military actors.
Together, these dynamics continuously reconfigure market hierarchies, making traditional regulation difficult to sustain.
Collaboration
The case builds on a long-standing research collaboration between Johann Ole Willers from Copenhagen Business School and Lars Gjesvik from the Norwegian Institute of International Affairs, with contributions from Winnona DeSombre from Harvard Belfer Center, and an institutional partnership with the Atlantic Council’s Cyber Statecraft Initiative led by Trey Herr. This partnership developed throughongoing dialogue around earlier Atlantic Council work.
The collaboration thus combined academic analysis with a policy focused platform, enabling faster translation of findings into debates on export controls, cyber proliferation, and democratic governance.
Pathways to impact
Impact pathways were enabled by the combination of original academic research that provides novel empirical insights on a sensitive area of digital politics, and a collaboration with a policy-focused platform that facilitated the targeted dissemination of research insights into key stakeholder groups, including politicians, NGOs, and diplomatic communities.
Societal impact
The main academic output is the article Beyond control? The political economy of private interception, intrusion, and surveillance markets by Lars Gjesvik and Johann Ole Willers,33 published in the highlyranked journal Review of International Political Economy.34
The team also co-authored the Atlantic Council Issue Brief Surveillance Technology at the Fair: Proliferation of Cyber Capabilities in International Arms Markets35. This report generated rapid attention with more than 1,000 downloads within 24 hours. It was featured in MIT Technology Review “A grim outlook”: How cyber surveillance is booming on a global scale,36 including an interview with Johann Ole Willers. The research was also featured in a range of specialized forums and newsletters, including the Risky Biz podcast, which reaches around 20,000 listeners per episode. One co-author was interviewed on Swedish national public television broadcaster SVT and Swedish radio.37
The Issue Brief was subsequently cited by the European Parliamentary Research Service in a study on Countering Spyware Abuse,38 and the EU’s cyber diplomacy initiative Cyber Direct.39
These outcomes highlight the relevance of the findings and their reach into technology and cybersecurity communities as well as broader public debates.
The visibility of the research also supported collaboration with journalists and civil society actors working to hold the surveillance industry accountable. This inlcudes contributions to the Open Society Foundation workshop on Financial Enablers of the Targeted Surveillance Industry on May 25-26, 2023, in Berlin. The workshop brought together journalists, human rights advocates, lawyers, and academics from around the world to share methods and explore how civil society can better address the industry.
Briefings to stakeholders
Targeted dissemination of the Atlantic Council Issue Brief led to engagement with key stakeholders and a series of briefings. These included meetings with Members of the European Parliament, the Norwegian Ministry of Foreign Affairs (export control division), the Norwegian Ministry of Justice, Microsoft, and several NGOs including the Cyber Peace Institute.
In addition, one researcher testified before the U.S.-China Economic and Security Review Commission in February 2022 (USCC, 2022) and the US National Security Council.
Conclusion
The research provides a systematic account of a largely opaque global market, identifies problematic actors, and informs national and international policy debates. It has contributed to high-level security briefings and offers both analytical tools and practical guidance for addressing the governance challenges posed by commercial spyware and surveillance vendors.
More broadly, the case shows how sustained academic research can inform current policy discussions. By combining new data, clear concepts, and academic partnerships, the project translated research insights into actionable recommendations.
References
Broeders, D. and Kavanagh, C. (2023). Shades of Grey: Cyber Intelligence and (Inter)national Security. Policy Brief. EU Cyber Direct. https://eucyberdirect.eu/research/shades-of-grey-cyber-intelligence-and-inter-national-security
Deibert, R. J. (2013). Black code. Surveillance, privacy, and the dark side of the internet. McClelland & Stewart.
Deibert, R. J., & Pauly, L. W. (2019). Mutual entanglement and complex sovereignty in cyberspace. In E. Ruppert, E. Isin, & D. Bigo (Eds.), Data politics. Taylor & Francis.
DeSombre, W., Gjesvik, L., & Willers, J. O. (2021). Surveillance technology at the fair: Proliferation of cyber capabilities in international arms markets. Atlantic Council, Cyber Statecraft Initiative.
https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/surveillance-technology-at-the-fair/
Gjesvik, L., & Willers, J. O. (2024). Beyond control? The political economy of private interception, intrusion, and surveillance markets. Review of International Political Economy, 31(6), 1840–1864. https://doi.org/10.1080/09692290.2024.2375499
Mildebrath, H. (2022) Europe’s PegasusGate – Countering spyware abuse. EPRS – European Parliamentary Research Service. https://www.europarl.europa.eu/RegData/etudes/STUD/2022/729397/EPRS_STU(2022)729397_EN.pdf
O’Neill, Patrick Howell (2021, November 8). “A grim outlook”: How cyber surveillance is booming on a global scale. MIT Technology Review.
https://www.technologyreview.com/2021/11/08/1039395/grim-outlook-cyber-boom-atlantic-council-report/
Penney, J., McKune, S., Gill, L., & Deibert, R. J. (2018). Advancing human rights-by-design in the dual-use technology industry. Columbia Journal of International Affairs, 71(2), 104.
Risky Business Media. (2021, November 11). Risky Bulletin Newsletter. https://risky.biz/srsly-risky-biz-thursday-november-3a2/
USCC (2022). The U.S.-China Economic and Security Review Commission www.uscc.gov/sites/default/files/2022-02/Winnona_DeSombre_Bio.pdf
| Read more about the subproject |
|---|
| ADD Blogpost (2025): Organizations are saying no to AI – Ole Willers dives into one specific barrier ADD exit-article (2026): Ole Willers: Cybersecurity is no longer only a technical problem – it is a systemic one |