Pegasus spyware and Kudankulam breach
Union Minister Ravi Shankar Prasad looked outraged as he
declared that the government had sought WhatsApp, owned by Facebook, to explain
the breach. The Indian Express in the morning had reported that Indian
journalists, lawyers and Human Rights activists had been victims of
surveillance, presumably by government agencies.
This came to light when WhatsApp sued the NSO Group, which
developed the spyware Pegasus to plant malware in smartphones. WhatsApp had
first learnt of the malware in May this year, said Facebook which owns
WhatsApp, after being alerted by Citizen Lab in Canada. Investigations had
proven that the malware had affected at least 1,400 WhatsApp users across 45
countries, including India.
When WhatsApp reacted to Prasad’s outburst by pointing out
that it had alerted the Government of India in May, the government spokesmen
claimed that the alert was too technical and too full of jargon to be taken
seriously. This was followed by WhatsApp replying that it had alerted the
Indian government in September as well and had indicated that it had found 121
users in India to have been snooped upon by the spyware.
While the government and WhatsApp engage in a war of words,
National Security Adviser Ajit Doval has not uttered a single word on the
controversy. The NSA may not be an expert on cyber security but his conspicuous
silence on the issue has been baffling. This is not only because of his close
relations with both Isreali establishment as well as several kingdoms in the
Middle East, which seem to be in the middle of this emerging global scandal.
The NSA’s silence is also baffling because of the successful
hacking of the Kudankulam Nuclear Power Plant and the clumsy cover-up by the
government. As reports surfaced about the hacking in the media, Nuclear Power
Corporation Limited (NPCIL) first issued a denial. On the very next day,
however, NPCL took a U-turn and admitted the breach while downplaying it by
claiming that the breach had occurred in a stand-alone computer on the
administrative side.
The incident prompted The Washington Post to carry an expert
opinion that India may not be quite awake to the threats posed by cyber
security.
What is also significant is that none of the victims of
surveillance by WhatsApp, in India at least, seem to be from the establishment.
On the contrary, they all seem to be critics of the government and people who
have been fighting government policies. There is no explanation yet on who else
but government agencies could have been interested in hacking their phones.
Even more significant is that international media have been
reporting on the threat posed by spyware Pegasus since at least 2016 when
Wired.com reported, “These days it seems like every government has a
far-reaching and well-developed digital surveillance operation, complete with
defence, international espionage and offensive components. Smaller nations even
join spy alliances to pool resources. But there are still many nation-states
that for various reasons prefer not to handle their cyber intelligence
development in-house. So, they do what we all do when we need software: they
buy it from a vendor.”
The portal named the NSO Group and mentioned that its
clientele comprised largely governments. The spyware, the report warned, could
even hack through Apple’s iPhones and the malware Pegasus, once placed in the
device, could ‘surveil virtually anything, relaying phone calls, messages,
emails, calendar data, contacts, keystrokes, audio and video feeds, and much
more back to servers anywhere in the world.
The very next year, in 2017, The New York Times reported
that the Mexican government had used the spyware to target some of the most
outspoken critics of the then Mexican President.
In 2018, NYT published results of an investigation and
reported that the NSO Group had sought to impress the United Arab Emirates
(UAE), a prospective client, by offering pricey updates and demonstrating the
capability of Pegasus by hacking the phone of a ‘powerful’ Saudi Prince and the
editor of a London-based Arab newspaper.
Following the brutal and cold-blooded murder of Saudi
dissident Jamal Khashoggi in the Saudi Consulate in Istanbul last year, a
friend of Khashoggi filed a lawsuit charging the Israeli software company of
helping Saudi royalty to track Khashoggi by taking over his smartphone.
The lawsuit, filed in Israel by the Montreal-based Saudi
dissident Omar Abdulaziz, followed similar suits filed by journalists,
activists and others charging that the NSO Group helped governments of Mexico
and the UAE spy on their smartphones even when individuals had no criminal
records and posed no threat of violence.
There have clearly been enough signals in the past few years
to alert the Government of India to the possibility of not just compromising
the safety and privacy of citizens but also of vital installations.
Pegasus, the spyware, does not come cheap and costs millions
of dollars in licensing fees, installation and maintenance. Possibly that is
the reason why the software is primarily sold to governments.
Two years ago, a disgruntled employee had copied the
software and offered to sell it on the Internet for a whopping $50 million or
approximately Rs 350 crore.
But using the spyware is not only illegal under Indian laws,
even by the government, but buying it directly could well leave a money trail
that the government may not be able to hide. That could have been a strong enough
reason for government agencies to have desisted from buying the software. But
nobody is sure.
The possibility of the government facilitating the purchase
of the software by third parties, say private industry, has not been ruled out.
Such industrial entity or entities could then use the software to not only
snoop on their competitors and rivals in the market but also help government
agencies, as and when required, to snoop on political adversaries and critics.
Our digitised brave, new world faces serious cyber threats.
But the government and India’s Computer Emergency Response Team (CERT-IN) are
yet to inspire much confidence in their ability to cope with such threats.
Earlier this year in yet another chilling report, the New
York Times provided a grim picture of what is now widespread as digital
espionage.
“Today even the smallest countries can buy digital espionage
services…corporations that want to scrutinise competitors’ secrets, or a
wealthy individual with a beef against a rival, can also command intelligence
operations for a price, akin to purchasing off-the-shelf elements of the
National Security Agency or the Mossad,” the report stated.
It went on to add, “The Middle East is the epicentre of this
new era of privatised spying. Besides DarkMatter and NSO, there is Black Cube,
a private company run by former Mossad and Israeli military intelligence
operatives…and Psy-Group, an Israeli company specialising in social media
manipulation…”.
It is, therefore, intriguing that the Indian NSA hasn’t yet
spoken on the threats or tried to reassure the country that the government has
zero tolerance to snooping.
Comments
Post a Comment