For years, civil society groups, security researchers, and human rights organizations have been fighting against and warning about the use of commercial spyware to target activists, journalists, dissidents and other vulnerable groups, with limited success. Now, those organizations are asking the United States intelligence community to step in and wield its considerable power to take away the tools mercenary spyware vendors supply to state actors and other customers.
Companies such as NSO Group and Candiru that sell commercial spyware advertise their wares as means to keep tabs on suspected terrorists or criminals and often claim that they do not sell to repressive regimes and control their systems tightly. But researchers and activists have found many examples of these tools being used by governments and private organizations to target dissidents, journalists, and others. Researchers at the Citizen Lab at the University of Toronto’s Munk School have documented the abuses of tools such as NSO Group’s Pegasus for many years, including the targeting of politicians in Catalonia, Poland, Thailand, and elsewhere in recent years.
In a hearing on Wednesday, researchers from Citizen Lab and Google detailed the extent of the use and abuse of these tools for members of the House Select Committee on Intelligence, and said that the companies’ claims of controlling their tools ring false.
“The facts don’t bear this out. Abuse has been a feature of this technology since day one,” John Scott-Railton, a senior researcher at Citizen Lab, said during the hearing. “It is inevitable that nonstate actors will get their hands on these capabilities and cause immeasurable harm.”
That harm was on clear display during the testimony of Carine Kanimba, a U.S. citizen who was born in Rwanda and was targeted by NSO Group’s Pegasus spyware last year. Kanimba’s adoptive father, a permanent U.S. resident and vocal activist for democracy in Rwanda, was kidnapped in Dubai and rendered back to Rwanda, where he was sentenced to 25 years in prison. Forensic analysis of Kanimba’s phone in the months after her father’s kidnapping revealed the presence of Pegaus.
“The reports show that the spyware triggered into operation as I walked with my mother into a meeting with the Belgian Minister of Foreign Affairs. It was active during calls with the US Presidential Envoy for Hostage Affairs team and the U.S. State Department, as well as when speaking with US human rights groups. This surveillance is illegal under U.S. law and allowed the Rwandan government to always stay a step ahead as we fought to keep our father alive and secure his release,” she said in her testimony.
The use of these tools is no secret, and the federal government has taken action recently to limit their use, specifically in the U.S. In November 2021, the Department of Commerce placed NSO Group and Candiru, two prominent Israeli spyware vendors, on the Entity List, effectively prohibiting American companies from doing business with them. And security researchers regularly expose the tools spyware vendors sell, as well as the exploits and vulnerabilities they use. In order to remain effective against modern devices such as iPhones and Android phones, spyware vendors need access to zero day vulnerabilities and exploits, bugs and techniques that have not yet been disclosed publicly. Many vendors have their own teams of internal researchers who look for new vulnerabilities and develop exploits for them, but they also will buy new bugs from outside researchers.
This supply of zero days and exploits is what keeps the trains running for spyware vendors, and Scott-Railton and Shane Huntley, director of Google’s Threat Analysis Group, which tracks state actors and other high-level attackers, said that the efforts of private researchers to limit that supply and its effectiveness can only go so far.
“Taking them on has to be a team sport. We all have our own visibility into this but we do not have some of the capabilities that the intelligence community has and the things they’re authorized to do,” Huntley said.
“There is very good cooperation in this community, and there needs to be, because each of us sees some part of the picture. We can’t let the adversaries take advantage of any disconnection. We have a common enemy here. This is not a competition.”
“If the U.S. intelligence community identified these zero days–and it could–and submitted them to the big tech companies, you could burn their houses down."
The various U.S. intelligence agencies employ some of the top offensive research and attack teams that do their own vulnerability research and exploit development and have the demonstrated means and capabilities to gain access to just about any target they choose. Scott-Railton said that capability could be put to good use in exposing the stockpiles of zero days and exploits spyware vendors maintain.
“If the U.S. intelligence community identified these zero days–and it could–and submitted them to the big tech companies, you could burn their houses down,” he said.
“I’d encourage the intelligence community to identify and disrupt the activities of these companies. Doing business with governments, getting acquired by a U.S. company or even doing business with police departments in the U.S. is the golden prize for spyware companies. I’d encourage Congress to look at all those areas as ways to engage.”
Huntley also suggested that the U.S. and other governments should use their economic and diplomatic power to pressure spyware vendors and the countries in which they operate.
“Additionally, the U.S. government should consider a full ban on Federal procurement of commercial spyware technologies and contemplate imposing further sanctions to limit spyware vendors’ ability to operate in the U.S. and receive U.S. investment. The harms from this industry are amply evident by this point, and we believe they outweigh any benefit to continued use,” Huntley said in his written testimony.
“Finally, we urge the United States to lead a diplomatic effort to work with the governments of the countries who harbor problematic vendors, as well as those who employ these tools, to build support for measures that limit harms caused by this industry. Any one government’s ability to meaningfully impact this market is limited; only through a concerted international effort can this serious risk to online safety be mitigated.”
Also on Wednesday, Microsoft published details about the operations of a vendor in Austria called DSIRF that Microsoft said was responsible for the development and sale of a toolset called Subzero.