Civic Cyber Immunity: A Systemic Response to theUnstoppable Spread of Cyber Proliferation
Tatiana Tylosky, OUSSA: Cyberspies: A Revolution in Espionage?, Oxford 2025
Introduction
In recent years the concept of cyber proliferation, the rapid spread of advanced hacking tools and capabilities across state and non-state actors, has emerged as a defining challenge of the digital era. As outlined in Mythical Beasts and Where to Find Them, commodified surveillance tools like zero-day exploits and spyware are no longer the exclusive domain of state intelligence agencies, but are increasingly accessible through global markets1. This diffusion, combined with the persistent nature of cyber operations, makes outright prevention implausible. As Chesney and Smeets argue, cyber conflict is best understood not as war, but as an ongoing intelligence contest2. One in which the classical security paradigms of denial, deterrence, and defense, have limited utility.
In response, this paper proposes a shift in focus from prevention to what I call Civic Cyber Immunity. This will be defined as a society’s collective capacity to detect, contain, and recover from cyber threats without relying on centralized control or total security. This framing draws from Jarvis’ summer OUSSA lecture on countering cyber proliferation as well as the FOC’s guiding principles3. The pursuit of total security or top-down control often replicates the very dynamics that cyber proliferation exploits such as monoculture, opacity, coercion. I will argue that Civic Cyber Immunity offers a more pluralistic, adaptive, and democratic model of defense, one grounded in systems diversity, public accountability, and cultural resilience.
Detection
The first pillar of Civic Cyber Immunity is detection which will be defined as the ability to recognize and expose cyber threats before they can spread unchecked. Unlike traditional models that rely on secretive intelligence agencies or proprietary vendor alerts, detection in a civic context is increasingly distributed, public, and transparent. Organizations like Citizen Lab have led the charge by identifying spyware infections in over 45 countries, often alerting victims and prompting legal or diplomatic responses4. Similarly, Apple’s threat notification system, launched in 2021, directly informs targeted users including primarily activists, journalists, and diplomats, when state-grade spyware is detected on their devices5.
This kind of exposure is essential to breaking the cycle of cyber abuse. By alerting targets and publicly documenting actors, civic watchdogs pierce the reputational and operational opacity on which commercial spyware vendors depend6. More recently, platforms like surveillancewatch.io have sought to crowdsource commercial spyware tracking, building an ecosystem of civic observers and digital forensics specialists7. The United Nations OHCHR has also emphasized that states must notify victims of surveillance where feasible8. In the logic of Civic Cyber Immunity, detection is not just technical visibility, it’s public witnessing. And by making surveillance visible, these actors activate the rest of the immune response: containment and recovery.
Containment
If detection is the immune system’s sensing mechanism, containment is its capacity to localize threats and prevent their systemic spread. In the digital realm, this means building architectures that resist monoculture, where a single exploit can cascade across billions of devices, and instead favor infrastructural diversity and decentralized governance. As Chesney and Smeets argue, the persistent nature of cyber conflict renders traditional deterrence ineffective; instead, long-term stability requires adaptable systems that can survive inevitable breaches9. This calls for a cyber ecology more akin to digital biodiversity, where diverse platforms, localized protocols, and community-level controls reduce the blast radius of any one exploit.
One example is the Wassenaar Arrangement’s attempt to impose export controls on intrusion software, limiting the reach of offensive tools by shaping the global market10. But beyond state-level policy, civic containment can also emerge from open-source infrastructure, federated technologies, and local-first design. These models resist central points of failure and empower communities to develop their own cyber immune responses. Controlling the proliferation of digital weapons is therefore not about universal denial, but rather limiting harm through layered resilience.
As Schneier argues, surveillance is not simply a set of tools, it is a system, and it must be met with a systems-based response11. In short, containment within Civic Cyber Immunity does not rely on impermeable walls, but on the systemic wisdom to absorb damage without collapse and to degrade gracefully, rather than catastrophically.
Recovery
While detection reveals and containment limits, recovery is the act of responding, legally, politically, and socially, in order to restore integrity and deter future abuse. In the Civic Cyber Immunity model, recovery does not assume full reversibility. Rather, it emphasizes accountability, adaptation, and the redistribution of power away from abusers and toward the public. One of the most prominent tools of recovery is the use of targeted sanctions, as seen in the U.S. Commerce Department’s 2021 blacklisting of spyware firms like NSO Group and Candiru for their role in transnational repression12. These designations disrupted their global business models, froze assets, and triggered reputational collapse.
Legal action also plays a growing role. WhatsApp’s 2019 lawsuit against NSO Group marked a turning point in corporate-led recovery efforts, asserting platform sovereignty and demanding transparency in court13. Civil society efforts, such as coordinated press releases by Citizen Lab and Amnesty International, often accompany legal or policy actions, ensuring that technical discoveries lead to public consequences. Jarvis’ lecture speaks to how these interventions are not endpoints, but part of a feedback loop, where accountability feeds detection and strengthens civic resolve14. International reports, such as the OHCHR’s Privacy in the Digital Age, further call for norm-setting and reparative policy mechanisms as part of systemic cyber response15.
In this way, recovery is not about restoring a false sense of security. It is about transforming harm into precedent, enabling future resilience and embedding justice into the digital immune system.
Conclusion
Cyber proliferation cannot be prevented, but it can be endured. By reframing our response through the lens of Civic Cyber Immunity, we accept the inevitability of intrusion without surrendering to it. This model values not perfect security, but public resilience: detection through transparency, containment through infrastructural diversity, and recovery through accountability. In rejecting the illusion of centralized control, Civic Cyber Immunity reclaims agency at the civic level where networks, not hierarchies, define survival. In an age of accelerating digital threat, it is not total security but democratic adaptability that may prove our greatest defense.
Endnotes
1. (Atlantic Council, 2021)
2. (Chesney and Smeets 2020)
3. (Jarvis’ 2025; Freedom Online Coalition, 2023)
4. (Amnesty International, 2021)
5. (Jarvis, 2025)
6. (Atlantic Council, 2021)
7. (Surveillance Watch, 2025)
8. (UN OHCHR, 2022)
9. (Chesney and Smeets, 2020)
10. (Atlantic Council, 2021)
11. (Schneier, 2015)
12. (Atlantic Council, 2021)
13. (Perlroth, 2021)
14. (Jarvis, 2025)
15. (OHCHR’s Privacy in the Digital Age, 2022)
Bibliography
Atlantic Council. (2021). Mythical Beasts and Where to Find Them: Mapping the Global Spyware Market and its Threats to National Security and Human Rights. https://web.archive.org/web/20250723131027/https://www.atlanticcouncil.org/in-depth-research-reports/report/mythical-beasts-and-where-to-find-them/ [Accessed 22 Jul. 2025].
Chesney, R. & Smeets, M. (2020). Cyber Conflict as an Intelligence Contest. Journal of Strategic Studies, 43(1), 42–72. https://web.archive.org/web/20250723131303/https://tnsr.org/roundtable/policy-roundtable-cyber-conflict-as-an-intelligence-contest/ [Accessed 22 Jul. 2025].
Amnesty International. (2021). Forensic Methodology Report: How to Catch NSO Group’s Pegasus. [Online]. Available at: https://web.archive.org/web/20250723131530/https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/ [Accessed 22 Jul. 2025].
Jarvis, C. (2025). Cyber Proliferation Lecture. Oxford University Summer School for Adults. [Sat 19 Jul 2025 - Sat 26 Jul 2025]. https://web.archive.org/web/20250723135433/https://lifelong-learning.ox.ac.uk/courses/cyberspies-a-revolution-in-espionage
Nye, J.S. (2010). Cyber Power. Belfer Center for Science and International Affairs, Harvard Kennedy School. https://web.archive.org/web/20250723131342/https://www.belfercenter.org/sites/default/files/pantheon_files/files/publication/cyber-power.pdf [Accessed 22 Jul. 2025].
Perlroth, N. (2021). This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. New York: Bloomsbury Publishing. https://www.audible.co.uk/pd/This-Is-How-They-Tell-Me-the-World-Ends-Audiobook/1526633485 [Accessed 22 Jul. 2025].
Schneier, B. (2015). Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. New York: W.W. Norton & Company. https://archive.org/details/datagoliathhidde0000schn [Accessed 22 Jul. 2025].
United Nations Office of the High Commissioner for Human Rights (OHCHR). (2022). The Right to Privacy in the Digital Age. A/HRC/51/17. https://web.archive.org/web/20250628201734/https://docs.un.org/en/A/HRC/51/17 [Accessed 22 Jul. 2025].
Surveillance Watch. (n.d.). Surveillance Watch: Tracking the global surveillance industry. Retrieved July 23, 2025, from https://web.archive.org/web/20250716165051/https://www.surveillancewatch.io/ [Accessed 22 Jul. 2025].
Freedom Online Coalition. (2023, March). Guiding Principles on Government Use of Surveillance Technologies. https://web.archive.org/web/20250723133003/https://freedomonlinecoalition.com/guiding-principles-on-government-use-of-surveillance-technologies/ [Accessed 22 Jul. 2025].
