US starts crackdown on spyware firm

Washington, DC – In the increasingly infamous surveillance software industry, the Israeli firm NSO Group emerged this year as the undisputed poster child of digital spyware landing in the wrong hands.

In July, the Pegasus Project – a collaboration by Amnesty International and a coalition of media outlets – revealed that NSO’s software was sold to authoritarian governments that used it to spy on political leaders, journalists, executives, and human rights activists, including people close to murdered Saudi journalist Jamal Khashoggi.

It is unclear who directed the attacks. NSO denied its software was used to target Khashoggi or members of his inner circle and pledged to conduct an investigation into its customers. It also said it would cooperate with any government inquiries.

But controversy has surrounded Pegasus spyware for years.

The month before the Pegasus Project bombshells dropped, NSO released a “Transparency and Responsibility Report” in which it said it had taken “concrete steps” to “mitigate and prevent future instances of misuse” of its spyware.

However, by November, US President Joe Biden’s government had taken action. The US Commerce Department added NSO to its “entities” list – a blacklisting that prevents it from accessing US software and services – in an unusual move against an Israeli company. According to a statement from the Commerce Department, the Biden administration accused NSO of “engaging in actions that are antithetical to the United States’ national security or foreign policy interests.”

The Biden administration’s decision “dismayed” NSO, which said its technology “serve US national security objectives and policies by avoiding terrorism and crime,” in a statement at the time.

However, in December, NSO was once again mired in controversy. According to Reuters, the Israeli firm’s spyware was used to hack at least nine US State Department workers, and a group of US congressmen wrote to the US Treasury and State Department demanding that they prosecute NSO and its top executives under the Global Magnitsky Act.

Bloomberg News reported in mid-month that NSO was considering shutting down its Pegasus unit, citing people familiar with the situation.

And The Washington Post reported that Pegasus software was used to hack the phone of a member of Jamal Khashoggi’s close circle only months before he was slain, according to a new forensic investigation from Toronto-based Citizen Lab.

Despite the fact that NSO continues to make headlines, it is not the only surveillance software company in Washington’s sights.

The Commerce Department added two more foreign spyware firms to its blacklist in November, and US senators pushed the Biden administration to ban United Arab Emirates spyware firm DarkMatter, as well as European espionage firms Nexa Technologies and Trovicor, earlier this month.

However, as the new year approaches, analysts believe the Biden administration should do more to combat the spread of spyware technology, both via official sales and through black market cyber-arms sellers.

Effective to a degree

Winnona DeSombre is a fellow with the Atlantic Council’s Cyber Statecraft Initiative and the principal author of a paper that analysed data from 224 cyber-surveillance companies that sold software at arms shows like Milipol in France, where hacking tools were sold alongside guns and tanks.

“Writing a bit of code is a lot easier than building a tank,” she told a news agency. “It’s also a lot easier to make a piece of software that performs mass surveillance without being discovered than it is to make a ballistic missile programme.”

The November blacklisting of NSO and two other spyware companies, according to DeSombre, is successful to some extent since it makes it more difficult for them to do business.

She also pointed out that the majority of the arms fairs that many of these companies attend are held in Europe, allowing the European Union and the United States the opportunity to impose some restrictions on their activities.

However, she claims that penalizing NSO and a few other spyware companies, as well as their executives, under the Global Magnitsky Act would barely scrape the surface.

“Lawmakers must look at enforcing responsible limitations on the dozens of NSO-like firms that still operate in the shadows,” she said.

According to other experts, government intervention is insufficient to eliminate the threat malware poses to human rights.

According to Oona A Hathaway, the founder and director of Yale Law School’s Center for Global Legal Challenges, the purported Pegasus hack of nine State Department workers’ phones “makes obvious how exposed we all are.”

Governments can only do so much to criminalize and sanction the harmful use of invasive software, according to Hathaway. “To address the problem, a coordinated effort of private and governmental players will be required,” she said.

Spyware abuse is being addressed by the private sector. According to a company statement, Apple filed a lawsuit against NSO Group and its parent business in late November “to hold it accountable for the surveillance and targeting of Apple consumers.” Apple also said it is seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices “to prevent further abuse and harm to its users”.

Meanwhile, the White House is looking for overseas allies to aid in slowing down the spread of cyber-surveillance technologies. The Biden administration proposed an export control and human rights project to be undertaken by the US, Australia, Denmark, and Norway at the inaugural Summit for Democracy in December.

The countries agreed to collaborate in order to ban the export of surveillance tools and other technologies that authoritarian governments could use to undermine human rights. The effort has received assistance from Canada, France, the Netherlands, and the United Kingdom.

The White House stated that the purpose is to bring “policymakers, technical experts, export control and human rights practitioners together to guarantee that crucial and emerging technologies work for, not against, democratic nations.”

According to DeSombre, it was a start in the right direction toward confronting the threat.

“I think that a lot of this is starting to happen, but I haven’t really seen anything come to fruition yet,” she said.
