Congress is set to vote on the Intelligence Authorization Act, intended to further punish spyware makers like NSO. It follows evidence that the company’s Pegasus spyware was used to hack iPhones used by American diplomats.
The Commerce Department had already named NSO as a threat to US national security, and banned the import and use of Pegasus, but the bill would take things further …
Background
Our NSO Guide explains the background to this.
NSO Group makes spyware called Pegasus, which is sold to government and law enforcement agencies. The company purchases so-called zero-day vulnerabilities (ones that are unknown to Apple) from hackers, and its software is said to be capable of mounting zero-click exploits – where no user interaction is required by the target.
In particular, it’s reported that simply receiving a particular iMessage – without opening it or interacting with it in any way – can allow an iPhone to be compromised, with personal data exposed.
NSO sells Pegasus only to governments, but its customers include countries with extremely poor human rights records – with political opponents and others targeted. A report by Amnesty International said that Pegasus was being used to mount zero-click attacks against human rights activists and other innocent targets. Since then, many such abuses have been uncovered throughout the world.
Stronger measures against spyware makers
Cyberscoop reports that Congress now wants to enact additional measures, including sanctions against spyware companies and more funding for investigations.
Congress is waking up to the growing threat of foreign spyware on the heels of several high-profile episodes involving the improper use of the commercial surveillance technology against diplomats and government officials abroad.
The House of Representatives is set to vote on sweeping policy legislation to crack down on and even ban firms that sell the technology from working with the government […]
The Intelligence Authorization Act, which passed the House Intelligence Committee last week with bipartisan support, includes several spyware provisions. In addition to authorizing the Office of the Director of National Intelligence to ban contracts with foreign firms making surveillance tech and allowing the president to impose sanctions on firms targeting the intelligence community (IC) with spyware, the bill also augments funding for investigations into the use of foreign commercial surveillance software.
Cybersecurity experts at the University of Toronto’s Citizen Lab say that US measures have been shown to work, and this next step makes sense.
“Many companies like [Israeli spyware maker NSO Group] see entering the US market as the ultimate prize and what we’ve seen so far is that the US government does have the ability to chill investment interest in bad actors, and that’s really important,” said John Scott-Railton of the University of Toronto’s Citizen Lab, which has conducted extensive research on spyware.
“If we’re casting around looking for ways to sort of pump the brakes on the proliferation, I think these are very promising ways to start doing that,” said Scott-Railton, who will testify at a public House Intelligence hearing on the issue Wednesday.
A spokesperson for the House Intelligence Committee said that the ability to simply buy tools like Pegasus means that any country in the world can now deploy spyware against the US.
“Foreign governments that previously had limited electronic spying capabilities can now purchase a package of tools that may allow them to access, undetected, any information stored on or transiting through a cell phone, tablet or computer connected to the internet,” the spokesperson said. “Nobody is safe from the reach of spyware, and that includes US government officials and Americans.”