[BreachExchange] Israeli govt pledges greater oversight of cyber-exports after NSO tools hacked US officials

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Wed Dec 8 11:41:32 EST 2021


https://www.zdnet.com/article/israeli-govt-pledges-greater-oversight-of-cyber-exports-after-nso-tools-used-to-spy-on-us-officials/

The Israeli government's Defense Exports Control Agency sent out a notice
late on Monday indicating it would be enforcing stricter rules governing
the export of offensive cyber tools. The announcement came days after
multiple outlets revealed that tools from Israeli cyber firm NSO Group were
used to hack into the phones of at least 11 US State Department officials
based in Uganda.

The Jerusalem Post reported on Monday that the agency published a revised
version of its "Final Customer Declaration", which countries will have to
sign before they can get access to powerful spyware technology like the NSO
Group's Pegasus.

The declaration says countries will not use the tools to attack government
critics or "political speech" and will only use them to prevent terrorism and
"serious crimes." Any country that ignores the declaration will lose access
to cyber-tools, according to the document.

The new rules came just days after Reuters, The Wall Street Journal, and
The Washington Post reported that 11 workers at the US Embassy in Uganda
had their phones hacked using Pegasus, which can be delivered to Apple
phones through a text message that doesn't even need to be opened.

Apple has sued NSO Group for creating the tool and said it has already been
used to hack into the devices of US citizens, despite claims from the
company that it is only used for counter-terrorism efforts. Apple has since
patched the vulnerability exploited by Pegasus and now notifies people when
they are being targeted.

The US government sanctioned NSO Group in November after months of reports
showing how the technology was being used widely by dictatorships to hack
into the devices of opponents, human rights activists, other world leaders
and more.

NSO Group continues to face a barrage of bad headlines over how its Pegasus
spyware has been used around the world. Last month, a bombshell report from
the University of Toronto's Citizen Lab and the Associated Press said that
even the Israeli government's own spy agency used the tool to hack the
phones of six Palestinian human rights activists.

That report followed another about the ruler of the UAE using Pegasus to
spy on his ex-wife and her British lawyers.

In July, the "Pegasus Project" used information from Amnesty International,
the University of Toronto's Citizen Lab, and Forbidden Stories to uncover
that the NSO Group's spyware was used to target at least 65 business
executives, 85 human rights activists, 189 journalists, and at least 600
politicians.

Targeted government officials included French President Emmanuel Macron,
South African President Cyril Ramaphosa, and Iraqi President Barham Salih.
Cabinet ministers from dozens of countries, including Egypt and Pakistan,
were also targeted.

Last month, on the heels of the sanctions announcement, several US Congress
members demanded the State Department further investigate how Pegasus and
other spyware are being used to abuse human rights around the world.

John Scott-Railton, senior researcher at Citizen Lab, told ZDNet that the
latest news about Pegasus being used against US officials was years in the
making.

"NSO knew exactly what it was doing by selling this hacking tool and has
known for years that Pegasus is used against diplomats. They are a blinking
national security threat for the United States and a threat to human
rights. That's what earned them the blocklist designation by Congress,"
Scott-Railton said.

Scott-Railton was skeptical of the new rules handed down by the Israeli
government's Defense Exports Control Agency, questioning what good a signed
declaration would do for dictators or repressive governments that have
significant power within their borders.

"I'm puzzled. You are asking a rogues' gallery of dictators to promise they
won't behave badly? This sounds like a distraction, not an effective
regulation. In fact, NSO has apparently made its customers certify that
they wouldn't abuse the tech for years. We've seen just how badly that
fared," he added, noting the wider difficulties countries will face now
that the spyware industry has become so lucrative.

"The problem with mercenary spyware is that it is arriving in the hands of
security services long before there is effective oversight and
accountability. Predictably, companies like NSO are driving the rapid
proliferation of this tech, and the harms can be found wherever you look,"
Scott-Railton added. "Democracies should decide what kind of technological
powers they want to vest in their police services. Citizens of
dictatorships don't have the luxury of a say, and selling spyware to these
regimes will help them stay undemocratic."