New Delhi: Four well-known Democratic lawmakers have called companies like the Israeli NSO Group, which sells Pegasus spyware to governments, the “A.Q. Khans of the cyber world” and demanded that they should be shut down or at least sanctioned.
On Monday, Democratic members of Congress Tom Malinowski, Katie Porter, Joaquin Castro and Anna G. Eshoo stated that the recent media reports about the usage of Pegasus spyware have shown that there was an imminent need for the industry to be brought under strict regulations.
“Enough is enough. The recent revelations regarding misuse of the NSO Group’s software reinforce our conviction that the hacking for hire industry must be brought under control,” said the statement released by the office of Malinowski.
From July 18, 16 media companies had started to release names of individuals who were listed in a database of over 50,000 phone numbers which had been compiled by clients of the Israeli spyware firm, NSO Group. The list of phone numbers had been accessed by the Paris-based journalism non-profit, Forbidden Stories, and international human rights advocacy group, Amnesty International.
The company has always maintained that it only sells its highly intrusive spyware, Pegasus, to government firms. In multiple statements, the company has denied the allegations that the list has anything to do with Pegasus infections.
The international consortium which investigated the database comprised publications like The Washington Post, The Guardian, Le Monde, Süddeutsche Zeitung and The Wire. The media partners have maintained that the list is a compilation of persons of interest to the NSO client. An actual infection can only be verified by forensic examination, which has been conducted on 67 phones belonging to individuals on the list.
The statement from the US lawmakers said that the US should be working with its allies to regulate this trade. “Companies that sell such incredibly sensitive tools to dictatorships are the A.Q. Khans of the cyber world. They should be sanctioned, and if necessary, shut down,” it said.
Describing the NSO Group’s denials as “not credible”, the lawmakers stated that it showed an “arrogant disregard for concerns that elected officials, human rights activists, journalists, and cyber-security experts have repeatedly raised”.
In India, The Wire had released the names of around 140 individuals who were on the list, ranging from the principal opposition leader, government ministers, security officials to human rights activists and journalists. The Indian government has termed the release as a move to “malign Indian democracy”.
“The authoritarian governments purchasing spyware from private companies make no distinction between terrorism and peaceful dissent; if they say they are using these tools only against terrorists, any rational person should assume they are also using them against journalists and activists, including inside the United States. Selling cyber-intrusion technology to governments like Saudi Arabia, Kazakhstan, and Rwanda based on assurances of responsible use is like selling guns to the mafia and believing they will only be used for target practice,” said the statement.
The Pegasus Project, as it is known, has disclosed that the women closest to Saudi dissident Jamal Khashoggi were targeted with the spyware around the time that he was killed inside the Istanbul consulate of Saudi Arabia. It has also named a galaxy of world leaders, including French President Emmanuel Macron, who were selected by NSO’s government clients for possible targeting.
The US lawmakers listed six steps that the US government should take urgently, which included the inclusion of the NSO Group in an ‘Entity list’ administered by the US commerce department to establish rules to order sanctions against individuals that sell these cyber tools to authoritarian states.
They also called on the US government to finalise “accession to the Wassenaar Arrangement’s limited controls on cyber-intrusion tools, lead a multilateral initiative to impose strengthened controls with transparent human rights assessments on items with surveillance capabilities, and consider SEC regulations requiring companies to publicly disclose exports of technologies with surveillance capabilities and to carry out published human rights due diligence for any such exports”.
The lawmakers pointed out that while the US and its allies often partner with private companies on sensitive security technologies, they would not tolerate such companies developing drone or missile technology that sells in open markets to governments that might use it against Americans.
The NSO Group has claimed that it is not technically possible to target US phone numbers with its spyware, but that does not mean that US nationals cannot be put on a list with other numbers.
The statement also called on the US government to probe and assess all the possible targeting of American journalists, aid workers, diplomats and others with NSO’s Pegasus spyware “and take steps to protect all Americans, including federal employees, from the threat posed by the growing mercenary spyware industry”.