December 27, 2021
“Cybertranquillity” is the motto. Cy4gate responds to endless virtual threats by offering its customers defence services to ensure security and protection. The marketing campaign seems effective: the company’s financials are rather solid. Its launch on the AIM (the stock market for small and medium enterprises) listing, which dates back to 24 June 2020, was a success. Its shares rose by 28% on the first day of trading and 110% over the following six months. The initial public offer went better than expected, and Cy4gate won the first prize “for the best strategy in use of the capital market in the fundraising section on the AIM Market of Borsa Italiana for the year 2020”. Today, however, their performance is not as impressive and, according to TeleBorsa’s analysis, its shares, due to their volatility, “are the object of attention especially of ‘risk on’ investors”. The company’s balance sheet, however, is still strong: in 2020, Cy4gate recorded revenues for €12.5 million, an increase of approximately 69% over the previous year.
Founded as a joint venture between Elettronica Group and Expert System in 2014, Cy4gate is the first Italian company that combines cybersecurity, wiretapping services for international police, and broad-spectrum intelligence, defined by Cy4gate as Continuous Intelligence.
Elettronica is a company that sells onboard equipment in the military, from the navy to aviation, technologies for “electronic warfare” such as anti-traffic tools, systems for the detection of threats, and for communications surveillance. Expert System, on the other hand, is active in the field of artificial intelligence and develops a software, COGITO, able to analyze and understand the information contained in text.
The investigation in a nutshell
- Cy4gate’s revenues amounted to €12.5 million in 2020, an increase of almost 69% over the previous year. The firm’s goal is to challenge its two main competitors, NSO and Palantir. The companies are known for the abusive use of their technologies by authoritarian regimes and the use of social media monitoring tools.
- Cy4gate has signed contracts globally: in the United Arab Emirates, Saudi Arabia, Pakistan, Qatar, Central Asia (not specifying where), Latin America (at least Argentina and Mexico). It also provides services to NATO and European partners. Many of these countries have already been involved in cases of abuse of surveillance technologies in the past.
- D-SINT is Cy4gate’s platform aimed at challenging Palantir: a system that monitors social media and other databases to extract information using artificial intelligence algorithms, including facial and object recognition algorithms, and thus make decisions supported by data.
- Epeius is the wiretapping system Cy4gate has developed to take on the NSO. The system is apparently able to take control of smartphones and extract private information. However, Cy4gate has already experienced some difficulties with Epeius: the Public Prosecutor’s Office of Naples has, in fact, suspended the use of the system due to some disruptions.
- Cy4gate, NSO and Palantir have spotted an opportunity in the COVID-19 pandemic to expand their market: all three have offered systems either for contact tracing or to help data analysis related to the pandemic. In many cases, these operations have resulted in scandals.
In Italy, Cy4gate has no competitors: no one is able to offer such a wide range of services and products. Abroad, however, its major competitors – whose turnover is still not even comparable with that of the Italian company – are Palantir and NSO Group. Cy4gate itself recognizes them as both competitors and reference points, including them in presentations and talking about them in interviews. The first is an American company whose name is inextricably linked to the American military sector: Peter Thiel, one of the founders, was a major donor to Donald Trump. The second is the Israeli group that created Pegasus, the spyware that infected the phones of politicians, activists, and journalists from around the world. Its use was exposed in the Pegasus Project investigation, which led the United States to blacklist the NSO.
Cy4gate relies on two products to challenge NSO and Palantir, respectively: a software for interceptions, Epeius, and a platform capable of collecting and analysing information already online or collected directly from electronic and digital devices, D-SINT.
In an interview to the specialized Youtube channel Vivere di dividendi, published in December 2020, the then CEO Eugenio Santagata – currently working for Telsy, a company that deals with security of telecommunications infrastructures belonging to the Telecom group – specified that for some offensive cyber intelligence activities (those requiring the authorizations of the judiciary and governments) – “we stand by the side of those who do ethical hacking, and, therefore, on the side of the good guys”. With this in mind, Santagata seems to combine two different Cy4gate products: on the one hand, the collection of online public information, on the other hand, the interception of spyware on behalf of investigative bodies. The latter is the sector where the most significant abuse was carried out, in the context of the ever-expanding surveillance market. Italian companies have often been in the eye of the storm, such as the former Hacking Team (now known as Memento Labs), Area SpA, and RCS, accused of malfunctions of their technologies, alleged export violations, or abuses.
Cy4gate's sales geography
Cy4gate’s 2019 turnover consists of 30% of sales abroad and 70% of sales in the Italian market. The company’s goal is to achieve perfect balance between the two markets over the next few years. In Italy, institutional clients range from the Ministry of Justice to the Court of Auditors, from the Prime Minister’s Office to the Carabinieri Corps, and, lastly, the Army and Naval Armaments Directorate of the Italian Ministry of Defence.
In 2016, two years after its birth, Cy4gate started exporting its products to the Middle East and Asia; exports further increased between 2018 and 2019. In 2017, exports have resulted in €4 million revenues. The countries of destination are not specified. The presentations often do not mention specific countries, but provide vague geographical indications. Among the few countries mentioned are Pakistan, Qatar, Saudi Arabia, the United Arab Emirates, and the Emirates Cabinet, the Emirates federal government executive; the latter is currently led by Dubai Sheikh Mohammed bin Rashid Al Maktoum, who serves as the Prime Minister and Minister of Defence of the entire federation of the seven emirates. Other big companies in the sector have often been involved in scandals in these countries.
Over the past two years, Cy4gate has secured a $110 million contract with NATO’s Center of Excellence; it has entered into agreements with the North American and Gulf Navy government agencies for both cyber intelligence and cybersecurity technologies, worth a total of 3 million; designed a 600,000 dollar cyber intelligence platform for a Latin American government (and filed the trademark in Mexico); sold a 300,000 euro cyber intelligence solution for a Central Asian government; and signed research and development contracts with a European aerospace and defence company.
Cy4gate also takes part in European projects, such as GalilEO for EU DEfence (GEODE), in its quality as a member of a consortium of companies whose aim is promoting the development of military capabilities in the EU based on Galileo, a civil positioning and satellite navigation system developed in Europe. And contracts and activities with NATO in the field of cyber defence. NATO itself has selected Cy4gate as the official supplier of government or defence agencies belonging to the NATO Codification System, a sort of register of suppliers officially recognised by NATO.
Where no direct contract has been entered into, the company has relied on contracts signed by its majority shareholder and parent company Elettronica, as reported in the listing document provided to AIM. In 2019, for example, activities were carried out based on several contracts awarded by Elettronica: six of them concern Italian or foreign customers, with Cy4gate as a subcontractor; in addition, (again, as reported in the document), a collaboration for the provision of an intelligence platform to two foreign customers and two more in the military relating to cybersecurity has been established.
In other cases, it carries out «incisive business development and sales actions» as stated in the 2018 financial statements. These actions concern: «Latin America (Argentina and Mexico), the Gulf countries (in addition to UAE, Saudi Arabia, Kuwait, Qatar), Asia (Pakistan, China, and Indonesia), Africa (Algeria, Nigeria) very often in coordination with the initiatives and sales force of Elettronica».
Palantir: the competitor
D-SINT (short for Digital Signal Intelligence) is the Cy4Gate software intended to challenge Palantir in the field of intelligence platforms. It collects, processes, and links data with different format and origin: from social media images to dark web information. «The right information, at the right time, to the right people, in the right way», the company states in a presentation brochure. The analysis is facilitated by the use of COGITO software, developed by Expert System (one of the two founding companies of Cy4gate), and by facial and object recognition software developed by iCTLab, a University of Catania spin-off. The integration – according to a 2019 presentation – will allow, for example, to search information about individual subjects in texts, image databases, or on Twitter, and the same applies to objects.
The two companies were also developing a voice recognition option “related to possible wiretapping or audio files collected in databases or from portable devices”. In the same presentation, however, the two companies underline a criticality in the use of this type of algorithms for recognition: «Given the increasing focus on the issue of privacy, this area will be a critical factor for the use of the data collected and analysed».
Screenshot taken from the presentation held during the workshop “AI for Cybersecurity” on 18 March 2019 at Auditorium della Tecnica Congress Center. The presentation revolves around some D-SINT platform features, also allowing to use facial and object recognition algorithms developed by iCTLab
This is a niche market: the market of intelligence platforms such as D-SINT, able to analyse a multiplicity of data from any type of source, be it public, published on the web, or private databases. In recent years, the Palantir Technologies Group has stood out, although not always in positive terms. According to a Bloomberg article of 2018, its software is able to «find out everything about you».
Palantir was founded in 2003 by venture capitalist Peter Thiel, one of the co-founders of PayPal, who in 2016, according to Buzzfeed, tried to transform himself into the philanthropic financier of the American alt-right, the subversive right-wing galaxy – which mixes conspiracies, traits of anti-capitalism, and white supremacy – strongly supporting former POTUS Donald Trump. Since its foundation, Palantir has cooperated with the CIA and the Pentagon in Afghanistan and Iraq, receiving funding from In-Q-Tel, the non-profit investment company linked to the CIA itself, which promotes innovation in the technological sector. Palantir does not directly perform interceptions but allows to analyze the data already collected, providing analysis and showing links: this simplifies decision making.
In addition to military applications, the software produced by Palantir was used by the United States Immigration and Customs Enforcement (ICE), the US federal agency responsible for border control, to identify and deport illegal immigrants. Palantir has also provided predictive police software to Los Angeles City law enforcement agencies to monitor, identify, and track suspects: some analysis of the software operation already seems to indicate that racially motivated biases exert significant influence on decisions. However, other shadows seem to loom over Palantir. According to Intelligencer, a section of the New York Magazine, former army members and intelligence officers have stressed how Palantir’s success is more linked to its clean and simple interface allowing it to view data than to the actual use of advanced technology.
As the pandemic continues, both Cy4gate and Palantir have tried to enter the European healthcare market. In the first few months of the health crisis, Cy4gate announced the creation of the HITS, Human Interaction Tracking System, a system for tracking coronavirus infections. Hits had also been proposed to the government (which, however, ended up choosing Immuni), unlike other private companies that have adopted the Cy4gate software.
Palantir managed to establish contacts with national healthcare systems. The new contracts related to the pandemic are among the reasons for a +49% in the cash flow reported by the company in Q2 2021. The Greek Government has signed a secret agreement to share population health data with Palantir; following the subsequent scandal, the Greek Privacy Authority opened an inquiry and the Government has apparently terminated any cooperation and had the data deleted. A similar agreement also existed in the UK with the National Health Service (NHS), where two court cases, initiated by civil society organisations, openDemocracy and Foxglove, prompted the UK government to promise to terminate the agreement with Palantir. Similarly, agreement transparency and the use of collected data projected Palantir in the spotlight of political attention also in the US.
Screenshot taken from the slides of the presentation for AIM’s Virtual Conference dated 27 May 2021. In the photo, you can see the competitors selected by Cy4gate in their respective market sectors. In addition to Palantir and NSO, other recurring names of the Italian scene appear, as IPS, RCS, and SIO, all operating in the field of interceptions for Prosecutor’s Offices
NSO Group – the Israeli company protagonist of the Pegasus Project, which collaborates with intelligence agencies around the world – has tried to develop software for contact tracing during the pandemic. The software called Fleming has had a hard life since its launch, though. The company was accused of using the personal data of thirty thousand real people during the launch: these people were unaware that their movement data was used in the presentations of the products. This amounts to a privacy breach. Its poor performance in terms of tracking risks turning into economic loss, since the indicators have already prompted rating company Moody’s to downgrade its creditworthiness to B3 in May 2021.
Interception Software Competition
NSO is a point of reference especially for interceptions and police surveillance activities. Cy4gate offers three systems in the field: Epeius, Hydra and Gens.AI. Epeius is a spyware that can be installed on people’s smartphones and devices to monitor their activities and extract, for example, copies of their chats and photos, location data, and emails. Hydra, on the other hand, allows to monitor online browsing, identify the applications used and the websites visited, and ascertain whether VPN or Tor Browser (two technologies that allow to safely browse hiding one’s identity) have been used. The use of Epeius and Hydra is «reserved for Police Forces and Italian and foreign Intelligence Agencies», reads a Cy4gate document.
Gens.AI, on the other hand, allows to create and manage false profiles to be used on social networks, facilitating investigation activities: in this way, agents can interact with people without arousing suspicion.
The first public traces of Epeius emerged in connection with Italy, according to an article published on Motherboard in February 2021 that revealed the presence of a fake WhatsApp page in Italian allegedly allowing the installation of a module inoculating Epeius. The purpose of the page is not clear: it has not been ascertained whether it was used for Italian intelligence activities or interception during police investigations. What is certain, however, is that the company already has problems with Italian prosecutors: the Public Prosecutor’s Office of Naples has, in fact, suspended the use of spyware managed by SIO and attributable to Cy4gate due to «serious disruptions».
In fact, Cy4gate signed an agreement in March 2020 with company SIO S.p.A., one of the Italian companies renting interception equipment to Public Prosecutor’s Offices. The agreement, whose details are reported in the AIM listing document, grants SIO «the exclusive use of the Epeius computer sensor». Cy4gate will receive the «total amount paid by Prosecutor’s Offices using Epeius for the correct ‘infection’ of a device (remotely or on site)» and a percentage of the annual turnover of SIO generated by Epeius. This percentage will amount to 50% if the turnover is above 4 million euros, or 60% if lower.
According to Cy4gate estimates, the agreement with SIO allows access to about 70 new Prosecutor’s Offices and covers a 70% share of the market of police wiretapping, which is estimated by the company itself to be worth around €36.3M.
In a press release dated 10 February 2021, Cy4gate confirmed that the disruptions of the Public Prosecutor’s Office of Naples are due to malfunctions and that, in the specific case, the situation «has been promptly identified and subjected to rigorous analysis». According to sources interviewed by Motherboard, in some cases the software for interceptions caused a notification to appear on the screen of the suspect, arousing suspicions.
NSO, a point of reference despite all the trouble
On 3 November, the U.S. Department of Commerce included NSO in a blacklist that includes companies whose software was used to «deliberately target government officials, journalists, businessmen, activists, academics, and embassy employees», as declared in the same statement. Organisations included in the list can no longer buy technology from US companies, which, in turn, are obviously prohibited from selling to the companies on the list. The initiative was taken by the Department of Commerce following the revelations contained in the Pegasus Project.
Though increasingly debated over and controversial, NSO Group remains a reference point in the industry. Cy4gate is no exception: «Our main competitors in the government sector are Israeli and they are also a point of reference, because we have learned a lot from them over time», Eugenio Santagata – then CEO of Cy4gate – said in the December 2020 interview with Vivere di dividendi.
As the contracts entered into by Cy4gate show, the company is active in controversial markets, competing with companies involved in scandals due to contracts with law enforcement authorities of authoritarian regimes. A similar story as NSO’s, which is, in fact, involved in two important cases connected, specifically, to the United Arab Emirates, a country where Cy4gate is also very active. In early October 2021, a British court confirmed that the Emirates Prime Minister, Sheikh Mohammed bin Rashid al-Maktoum, had his former wife and lawyers’ smartphone spied on using Pegasus software. NSO had terminated the contract for the use of its software after becoming aware of the incident.
The other case, however, concerns the engineer, blogger, and activist Ahmed Mansoor, who over the years has been the target of attacks carried out with three different softwares: in 2011 by FinFisher, in 2012 by Hacking Team, and in 2016 by NSO, exploiting a vulnerability whose price is estimated at around one million dollars. In all three cases, the technologies are linked with the actions of the Emirates government. Mansoor was arrested in 2017 and handed a 10-year sentence following an unfair trial based on fictitious charges, according to Human Rights Watch.
Due to the shadows that surround the two competitors (NSO and Palantir) Cy4gate told IrpiMedia that they condemn «any form of misuse or illegitimate use of products that were created with a clear, specific and exclusive purpose: to support the authorities in charge of the prevention and repression of heinous crimes». In addition, «Cy4Gate operates exclusively within the framework of current national and international standards, and makes its technology available to law enforcement agencies. Its aim is contributing to the prevention and repression of crimes, in the exclusive interest of communities. Our products’ users are the main guardians of these very communities», said a company spokeswoman.
In the case of another NSO, would Europe be able to stop it?
The scandals on the export of surveillance technologies have always involved Italy. From the case of Area SpA in Syria to the abuses of Hacking Team‘s technologies, the export sector seems to constantly circumvent every rule and control, in the almost total silence of the monitoring Authorities. Recently, a case involving the Pegasus Project has emerged due to the work of Forbidden Stories, a consortium of journalists. The case has highlighted how this spyware can end up being used even in Europe.
With the update of European regulations on the export of dual-use technologies, adopted by the European Parliament in March 2021, the EU has tried to remedy the situation by introducing stronger obligations in terms of transparency for individual Member States concerning the granting of export licenses. In addition, broader categories have been included such as technologies for cyber surveillance and biometric technologies. Human rights associations, such as Access Now, Amnesty International, Committee to Protect Journalists, FIDH (International Federation for Human Rights), Human Rights Watch, Privacy International, Reporters Without Borders (RSF) have immediately stressed, however, that this regulation risks to prove still inadequate.
They reiterated, for example, that the term cyber-surveillance should also include every previously regulated system, such as probes to intercept communications on the Internet and software for intrusions into devices. In addition, the associations have requested that the national authorities responsible for export licences publish monthly reports on the applications received. Above all, they hope that the authorities will take into account the provisions of the Charter of Fundamental Rights of the European Union, the guidance developed by the Court of Justice of the European Union and the European Court of Human Rights in the assessment phases.
It is unclear, however, whether the Member States intend to apply these suggestions and keep an eye on the surveillance technologies market, which appears to be increasingly taking up a role as a strategic asset in the geopolitical field.
Despite recent faux pas with the Italian Prosecutor’s Offices, the rise of Cy4gate appears to be unstoppable. In June 2021, the company attended the ISS World Middle East and Africa conference, an event that is part of a series of annual conferences taking place around the world where surveillance companies, governments, and security and intelligence experts meet. The archived copy of the event agenda states that Cy4gate would hold two sessions: one on Gens.AI and the other on the cyber intelligence platform and «how to control and combine in real-time all the information retrieved from the target under surveillance, leveraging on multiple classes of active and passive sensors». The next appointment is with ISS World Europe, which will take place in Prague in December.