U.S. Blacklists Israeli Firm NSO Group Over Spyware
In a remarkable breach with Israel over one of its most
successful technology companies, the Biden administration on Wednesday
blacklisted the NSO Group, saying the company knowingly supplied spyware that
has been used by foreign governments to “maliciously target” the phones of
dissidents, human rights activists, journalists and others.
The firm, and another Israeli company, Candiru, acted
“contrary to the national security or foreign policy interests of the United
States,” the Commerce Department said, a striking accusation against a business
that operates under the direct supervision of the Israeli government.
The ban is the strongest step an American president has
taken to curb abuses in the global market for spyware, which has gone largely
unregulated. The move by the Commerce Department was driven by NSO’s export
around the world of a sophisticated surveillance system known as Pegasus, which
can be remotely implanted in smartphones.
NSO’s spyware has been under scrutiny for years for its
ability to stealthily, and remotely, extract sound and video recordings,
encrypted communications, photos, contacts, location data and text messages
from a device — without so much as a single click. Among its targets were
confidants of Jamal Khashoggi, the Washington Post columnist who was
dismembered by Saudi operatives in Turkey; an array of human rights lawyers,
dissidents and journalists in the Emirates and Mexico, and even their family
members living in the United States.
After a consortium of media outlets reported over the summer
that NSO’s spyware may have targeted smartphones belonging to journalists and
world leaders from France, Morocco and elsewhere, a group of House Democrats
called for NSO Group to be blacklisted and potentially sanctioned for human
rights violations. But it was never clear if those people were on a list of
possible targets by NSO clients, or were actually hacked.
The announcement on Wednesday apparently came as a surprise
to the Israeli defense ministry, which must approve licenses for the sale of
Pegasus software to foreign governments, because it is categorized as a defense
technology. While Israeli officials insisted they were unprepared for the move,
which prohibits the firm from acquiring American technology, the Israeli
government had received a string of official and private warnings from
Washington.
The ministry of defense declined to comment on the record on
the action. But there was no question that the Commerce Department, by placing
the firm on the “Entity List” of blacklisted companies, was striking at the
heart of the Israeli intelligence community. NSO’s technology emerged from Unit
8200, Israel’s highly secretive cyberunit, which has partnered with the United
States around the globe, including in cyberoperations to disable Iran’s nuclear
facilities.
The ban would prohibit American firms from selling
technology to NSO Group and its subsidiaries. Dell and Microsoft were alerted
earlier that NSO Group would be added to the blacklist, according to two people
briefed on the calls but unauthorized to speak publicly about them.
Cristin Goodwin, general manager of Microsoft’s digital
security unit, called the rule “a strong step toward addressing the danger
these actors pose, and we encourage other countries to adopt similar policies.”
After a series of revelations about NSO in The New York
Times and other publications, the Biden administration warned that the
surveillance software was being abused by authoritarian nations.
Two weeks ago, the Commerce Department added a new rule
requiring U.S. companies to get a license to sell any intrusion software to
foreign countries, an effort to curb the sale of surveillance tools to
oppressive regimes like Saudi Arabia and the Emirates.
The announcement on Wednesday went one step further, taking
direct aim at NSO Group, and signaling to its would-be investors, and
acquirers, to stay away. The company had been mulling an initial public offering
at a $2 billion valuation.
NSO said in a statement that it was “dismayed by the
decision” and would ask for it to be reversed. The company has claimed —
especially recently, as investigations proliferated — that it is pulling
licenses for its software from governments that are using it to suppress
dissent.
“Our technologies support U.S. national security interests
and policies by preventing terrorism and crime,” the company said.
The Biden administration concluded exactly the opposite.
Senator Ron Wyden, Democrat of Oregon, and one of the
Senate’s most outspoken voices on digital privacy, applauded the
administration’s move but argued it should go further.
“President Biden is sending a strong message that the U.S.
won’t stand for foreign hacking companies that violate human rights and
threaten our national security,” he said. He added that the administration
should consider issuing sanctions under the Global Magnitsky Act.
Doing so would effectively freeze NSO’s assets and force its
largest investors, including Novalpina Capital, a British private equity firm —
and its investors, which include Oregon’s state pension fund — to divest. It
could also thwart NSO Group’s plans for a lucrative exit, such as an initial
public offering or acquisition.
NSO was one of four companies that were blacklisted on
Wednesday.
Candiru, another Israeli firm, was sanctioned based on
evidence that it supplied spyware to foreign governments. Positive Technologies
of Russia, which was targeted with sanctions last April for its work with
Russian intelligence, and Computer Security Initiative Consultancy of Singapore
were added to the list for trafficking in hacking tools, according to the
Commerce Department’s announcement.
“The United States is committed to aggressively using export
controls to hold companies accountable that develop, traffic, or use
technologies to conduct malicious activities that threaten the cybersecurity of
members of civil society, dissidents, government officials and organizations
here and abroad,” Gina Raimondo, the commerce secretary, said in a statement.
NSO has said it only sells its spyware to governments whose
human rights records have been vetted, for the purpose of countering terrorism
and crime. But its spyware continues to pop up on the phones of journalists,
critics of autocratic regimes, even children. Some of NSO’s targets — like
Ahmed Mansoor, a critic of the United Arab Emirates — have been imprisoned and
held in solitary confinement for years after NSO’s spyware was found on their
phones.
Apple has patched its iOS software several times to mitigate
vulnerabilities exploited by NSO’s spyware.
Candiru was founded by engineers who left NSO. Last July,
Microsoft reported that Candiru’s spyware exploited a pair of Windows
vulnerabilities to target the phones, computers, and internet-connected devices
of some hundred activists, journalists and dissidents across ten countries.
Both NSO and Candiru were supposed to be under the strict
control of Israel’s Ministry of Defense. But the ministry authorized the
companies to sell their products to a number of countries with a long history
of severe human rights violations, like Saudi Arabia, and continued to approve
their sale even after the murder of Mr. Khashoggi and the discovery of spyware
on his associates’ phones.
In a brief response to the Times in September, the ministry
said in a statement that it applied “even stricter” standards to exports than
was required, and that “special emphasis” was placed on adhering to
international agreements and protecting human rights.
Whenever the ministry “discovers that the purchased item is
being used in contravention of the terms of the license, especially after any
violation of human rights, a procedure of cancellation of the defense export
license or of enforcing its terms, is initiated,” the ministry said.
The Commerce Department clearly determined otherwise.