Is the US crackdown on spyware firms just getting started?
The Biden administration blacklisted Israeli spyware firm NSO in November, but experts say more needs to be done.
Washington, DC – In the increasingly infamous surveillance software industry, the Israeli firm NSO Group emerged this year as the undisputed poster child of digital spyware landing in the wrong hands.
In July, the Pegasus Project – a collaboration by Amnesty International and a coalition of media outlets – revealed that NSO’s software was sold to authoritarian governments that used it to spy on political leaders, journalists, executives and human rights activists, including people close to murdered Saudi journalist Jamal Khashoggi.
It is unclear who directed the attacks. NSO denied its software was used to target Khashoggi or members of his inner circle and pledged to conduct an investigation into its customers. It also said it would cooperate with any government inquiries.
But controversy has surrounded Pegasus spyware for years.
The month before the Pegasus Project bombshells dropped, NSO released a “Transparency and Responsibility Report” in which it said it had taken “concrete steps” to “mitigate and prevent future instances of misuse” of its spyware.
By November though, the administration of United States President Joe Biden took action. In an unusual move against an Israeli firm, the US Commerce Department added NSO to its “entities” list – a blacklisting that bars it from acquiring US software and services. The Biden administration accused NSO of “engaging in activities that are contrary to the national security or foreign policy interests of the United States”, according to a statement by the Commerce Department.
NSO issued a statement at the time saying it was “dismayed” by the Biden administration’s decision and that its technologies “support US national security interests and policies by preventing terrorism and crime”.
But in December, controversy engulfed NSO yet again. Reuters news agency reported that at least nine US State Department employees had been hacked using the Israeli firm’s spyware, while a group of US lawmakers sent a letter to the US Treasury and the State Department urging them to sanction NSO and its top executives under the Global Magnitsky Act.
By mid-month, Bloomberg News reported that NSO was mulling shutting down its Pegasus unit, citing people familiar with the matter.
And this week, The Washington Post reported that a new forensic analysis from Toronto-based CitizenLab found Pegasus software had been used to hack the phone of a member of Jamal Khashoggi’s inner circle only months before he was killed.
Though NSO keeps making headlines, it is not the only surveillance software firm in Washington’s crosshairs.
In November, the Commerce Department added two other foreign spyware firms to its blacklist, while US lawmakers this month also urged the Biden administration to blacklist United Arab Emirates spyware firm DarkMatter, and European surveillance firms Nexa Technologies and Trovicor.
But with a new year approaching, experts say the Biden administration can do more to address the proliferation of spyware technology – both through legitimate sales and black market cyber-arms dealers.
Effective to a degree
Winnona DeSombre is a fellow with the Atlantic Council’s Cyber Statecraft Initiative and lead author of a report that mined 20 years of data from 224 cyber-surveillance companies that peddled software at arms fairs, such as France’s Milipol, where hacking tools were offered side-by-side with guns and tanks.
“It’s a lot easier to write a piece of code than it is to create a tank,” she told Al Jazeera. “And it’s much easier to create a piece of software that does mass surveillance, without being caught than it is to create a ballistic missile programme.”
DeSombre said the November blacklisting of NSO and two other spyware firms are effective to a degree because it makes it harder for them to do business.
She also noted that a majority of the arms fairs that many of these companies attend are in Europe, giving the European Union and the US the opportunity to constrain some of their conduct.
But she says sanctioning NSO and a handful of other spyware firms and their executives under the Global Magnitsky Act would still only scratch the surface.
“Lawmakers must look at enforcing responsible limitations on the dozens of NSO-like firms that still operate in the shadows,” she said.
Other experts say that government action alone is insufficient for rooting out the threat spyware poses to human rights.
The reported Pegasus hack of the nine State Department employees’ phones “makes clear how vulnerable we all are”, said Oona A Hathaway, the founder and director of the Center for Global Legal Challenges at Yale Law School.
Hathaway told Al Jazeera that governments can only do so much to criminalise and sanction the malicious use of invasive software. “It’s ultimately going to take a collaborative effort of private and public actors to address the problem,” she said.
The private sector is making moves to curb spyware abuses. In late November, Apple filed a lawsuit against NSO Group and its parent company “to hold it accountable for the surveillance and targeting of Apple users”, according to a company statement. Apple also said it is seeking a permanent injunction to ban NSO Group from using any Apple software, services or devices “to prevent further abuse and harm to its users”.
Meanwhile, the White House is seeking international partners to help slow the proliferation of cyber-surveillance technologies. At the inaugural Summit for Democracy in December, the Biden administration announced an export control and human rights initiative to be undertaken by the US, Australia, Denmark and Norway.
The countries pledged to work together to limit exports of surveillance tools and other technologies that authoritarian governments can use to suppress human rights. Canada, France, the Netherlands, and the United Kingdom expressed support for the initiative.
The goal, the White House said, is to bring “together policymakers, technical experts, and export control and human rights practitioners to ensure that critical and emerging technologies work for, and not against, democratic societies”.
It was a step towards what DeSombre says is necessary to combat the threat.
“I think that a lot of this is starting to happen, but I haven’t really seen anything come to fruition yet,” she said.