NSO Group – the Israeli-based maker of the notorious, military-grade Pegasus spyware that’s been linked to cyber-attacks against dissidents, activists & NGOs (& murders of journalists) at the hands of repressive regimes – has been blacklisted by the US.
NSO Group plans to fight the trade ban, saying it is “dismayed” & that its tools actually help to prevent terrorism & crime.
4 Spyware Developers
NSO Group is 1 of 4 spyware developers or traffickers that the US Commerce Department added to its “Entity List” on Wed., effectively banning trade with the company. The list is used to restrict those considered to pose a risk to the country’s national security or foreign policy.
Also added was Israeli company Candiru – aka Sourgum, Grindavik, Saito Tech or Taveta – which allegedly sells the DevilsTongue surveillance malware to govts. around the world & which was founded by engineers who left NSO.
Foreign Govts.
The US State Department stated that both NSO Group & Candiru were added because they “developed & supplied spyware to foreign govts. that used this tool to maliciously target govt. officials, journalists, businesspeople, activists, academics & embassy workers.”
The 3rd entity added to the trade-ban was Russia’s Positive Technologies, which was sanctioned in April for its work with Russian intelligence.
Singaporean
Finally, also blacklisted was the Singaporean security company Computer Security Initiative Consultancy (COSEINC), which the State Department stated was added to the list for trafficking in malicious cyber-tools “used to gain unauthorised access to information systems in ways that are contrary to the national security or foreign policy of the US, threatening the privacy & security of individuals & organisations worldwide.”
Companies placed on the Entity List are subject to trading restrictions: They cannot purchase US technology or goods without explicit permission from the Commerce Department, which they are not likely to secure, since the rules do not allow license exceptions for exports.
NSO’s Business Plan
NSO Group’s blacklisting is the least surprising of the 4 new Entity List entries, given the history of its spyware repeatedly being used to target civil society & govt. officials.
It is not just the targeting that got NSO banned. Jake Williams, co-founder & CTO at incident response firm Breach Quest, speculated that it is the fact that NSO’s tools have allegedly been used to go after targets the US likes.
Unfriendly to the US
“It isn’t just the targeting of these individuals that got NSO in hot water, it’s that entities unfriendly to the US used NSO tools to target friendly journalists, activists, etc. That’s never a winning business plan.”
It is not surprising to see Positive Technologies on the list either, Williams commented. The addition of COSEINC is the most surprising, he stated, given that for the most part, it’s flown under the public radar until now, though it was identified as a zero-day vendor in 2018.
NSO Says It is ‘Dismayed’
According to a statement that NSO sent to media outlets on Wed., the company was “dismayed” by the US decision & claimed that its tools actually help to prevent terrorism and crime.
It is going to call for the US to reverse the ban, NSO explained, holding to its often-repeated claim that it has the “world’s most rigorous” human rights & compliance systems.
The Full Statement:
‘NSO Group is dismayed by the decision given that our technologies support US national security interests & policies by preventing terrorism and crime, & thus we will advocate for this decision to be reversed.
We look forward to presenting the full information regarding how we have the world’s most rigorous compliance & human rights programs that are based on the American values we deeply share, which already resulted in multiple terminations of contacts with govt. agencies that misused our products.’
Phones of Journalists
As the New York Times reported, regardless of NSO Group’s claims, its spyware keeps appearing “on the phones of journalists, critics of autocratic regimes, even children. Some of NSO’s targets — like Ahmed Mansoor, a critic of the United Arab Emirates — have been imprisoned and held in solitary confinement for years after NSO’s spyware was found on their phones.”
The ban is a 1st: The Entity List has not historically included technology companies. Rather, the blacklist is typically reserved for abusers of human rights or others that the US thinks deserve the rating of “worst enemy.”
So far in 2021, the US Biden administration has added Myanmar entities in response to the country’s military coup as well as entities in Russia, Switzerland & Germany. China and Venezuela are also included in the list.
President Emmanuel Macron
The addition of the tech companies to the list reveals the US’s heightened concern with spyware as it relates to national security.
It is apparently right to be concerned: Besides all of the journalists & activists who have allegedly been spied on by foreign govts. using NSO’s spyware, the mobile phone of a senior US diplomat, Robert Malley, was also found on a leaked list of individuals selected as potential targets of surveillance by NSO’s clients, as The Guardian has reported.
So too was a list of French officials that reached all the way up to President Emmanuel Macron.
‘Hitting Puddles With Sledgehammers’
Bill Lawrence, CISO of the risk-management acceleration platform vendor Security Gate, suggested that the ban on spyware will put some economic hurt on the blacklisted companies, but such economic measures can feel “like hitting puddles with sledgehammers” as they re-form in other ways.
Oliver Tavakoli, CTO at cyber-security company Vectra AI, agreed, saying that these sanctions, for the most part, represent “a speed bump” for the surveillance companies.
Appropriate Use
Contracts have language that can be flexibly interpreted when it comes to what constitutes “appropriate use” of such tools, Tavakoli said.
“The murky business of supplying offensive cyber-capabilities to governments across the world invariably leads these companies to make a judgment on what constitutes ‘appropriate use’ of the technologies & whether their clients can be trusted to honour the spirit of constraints – often expressed in vague terms referring to ‘threats’ & ‘security’ – written into contracts,” he outlined.
Ignore Constraints
Tavakoli continued: “It’s pretty clear that most govts ignore those constraints & do what they believe to be in the self-interest of the govt. & its current leader, though the companies can then claim plausible deniability.”
The ban, while being a good step, would be even better if the US would itself stop “trying to get ‘back doors’ installed in its own citizens’ electronics,” Lawrence suggested. One example is the FBI’s repeated attempts to compel Apple to install backdoors.