Blacklisting of NSO Group shakes up spyware debate

 The Commerce Department’s decision to blacklist Israeli company NSO Group made waves on Wednesday across the spyware industry, placing a spotlight on firms profiting off foreign governments surveilling dissidents.

NSO Group is a key provider of the spyware foreign governments have used for years to go after journalists, academics, and others raising concerns about regimes, and marks a turning point in the nation’s approach to human rights in cyberspace. 

“This sends a really powerful signal,” James Lewis, senior vice president and director of the Center for Strategic and International Studies’s Strategic Technology Program, told The Hill. “This is not going to go away, because there is too much demand for it…but it sends a powerful message.”

NSO Group was added to the Commerce Department’s “entity list” Wednesday along with Israeli group Candiru, Russian group Positive Technologies and Singapore’s Computer Security Initiative Consultancy, over concerns around their involvement in malicious cyber activity. 

“Investigative information has shown that the Israeli companies NSO Group and Candiru developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers,” the Commerce Department order reads. 

The NSO Group has become a poster child in recent years for increasing concerns around cyber surveillance. The company’s Pegasus spyware is able to hack phones to steal information, turn on cameras, record calls, and other activities, often without the user knowing. 

WhatsApp in 2019 sued NSO Group over allegations that its spyware had used the platform to target more than 1,400 individuals in almost two dozen countries, The New York Times reported at the time. 

The Guardian reported in July on a data leak that revealed a list of 50,000 individuals who may have been targeted by Pegasus spyware since 2016, including activists, journalists and politicians, with at least ten governments implicated as customers.

Apple issued emergency updates for many of its products in September after Citizen Lab discovered what were described as “zero day, zero click” vulnerabilities that were being exploited by NSO Group. Citizen Lab discovered the vulnerability while examining the phone of a Saudi Arabian activist who had been targeted. 

Citizen Lab also tipped off Microsoft about malware being used by Candiru to target victims worldwide, including human activists and journalists, with Microsoft then taking steps to disrupt the group. 

“If you are a dissident or a human rights defender or a government critic, even a member of a diplomatic core or work for a government right now, you have almost no guarantee, almost no way of knowing if your device has been hacked by NSO,” John Scott-Railton, senior researcher for Citizen Lab at the University of Toronto’s Munk School, told The Hill on Wednesday. 

“The business model of companies like NSO is to sell almost any government entity they can find sophisticated hacking spyware that can access everything you have on your phone,” Scott-Railton added. 

NSO Group strenuously pushed back against the Commerce Department’s allegations, with a spokesperson telling The Hill in an emailed statement that “we will advocate for this decision to be reversed.”

“We look forward to presenting the full information regarding how we have the world’s most rigorous compliance and human rights programs that are based on the American values we deeply share, which already resulted in multiple terminations of contacts with government agencies that misused our products,” the spokesperson said. 

The action against NSO Group and Candiru highlight wider concerns over a largely unregulated industry, in which companies sell cyber tools that could be used for nefarious purposes. 

“Of course there is going to be a market demand for the tools that let you continue to do surveillance, and that’s what drives this,” said Lewis. “The demand is there, and that’s why even if NSO goes away, something else will come along.”

Congress has taken notice, with the House Intelligence Committee taking steps to rein in NSO Group and similar organizations through provisions in the proposed 2022 Intelligence Authorization Act. 

Rep. Tom Malinowski (D-N.J.), who pushed for NSO Group to be added to the entity list earlier this year, told The Hill that the company “deserved to be blacklisted,” but called on the Biden administration to take additional action.

“Entity listing alone ignores the complicity of American investment funds in the NSO Group’s financial success—If the administration is serious about limiting the power of dangerous companies like NSO, it must signal that it will consider sanctions for companies and individuals that sell these types of hack-for-hire tools to abusive governments,” Malinowski said. 

Beyond rousing attention on Capitol Hill, the move is not likely to bolster U.S.-Israel relations, though the State Department put out a statement stressing that the Biden administration does not intend to take “action against countries or governments where the entities are located.”

The Washington Post reported Wednesday that Israeli officials were only told an hour before the announcement of the blacklisting was made. The Israeli Embassy in Washington, D.C. did not respond to The Hill’s request for comment on the Commerce Department move. 

But while Israel could view the move negatively, Lewis emphasized that the country has greater priorities, including promoting a relationship between President Biden and Israeli Prime Minister Naftali Bennett, who took office earlier this year. 

“They want to make sure that the US is their biggest ally,” Lewis said. “They may not like it, they may complain in private, but you are not going to see a big effect.”

While there may be more to do on addressing the use of spyware by foreign governments, and the impacts on human rights, experts stressed that it was essential to take a firm stand against this activity. 

“Players like NSO, driven by profit, are really ruining our collective cybersecurity,” Scott-Railton said. “Fortunately, it’s not too late to do something about it, but like climate change or asbestos or the tobacco industry, if we wait, the problem will only compound.”

-Updated at 9:13 a.m.