Israeli govt pledges greater oversight of cyber-exports after NSO tools hacked US officials

A government agency said it will force countries to sign a pledge not to use the spyware tools for anything besides "terrorism" and "serious crimes."
Written by Jonathan Greig, Contributor

The Israeli government's Defense Exports Control Agency sent out a notice late on Monday indicating it would be enforcing stricter rules governing the export of offensive cyber tools. The announcement came days after multiple outlets revealed that tools from Israeli cyber firm NSO Group were used to hack into the phones of at least 11 US State Department officials based in Uganda.

The Jerusalem Post reported on Monday that the agency published a revised version of its "Final Customer Declaration", which countries will have to sign before they can get access to powerful spyware technology like the NSO Group's Pegasus

The declaration says countries will not use the tools to attack government critics or "political speech" and will only use it to prevent terrorism and "serious crimes." Any country that ignores the declaration will lose access to cyber-tools, according to the document. 

The new rules came just days after Reuters, The Wall Street Journal, and The Washington Post reported that 11 workers at the US Embassy in Uganda had their phones hacked using Pegasus, which can be delivered to Apple phones through a text message that doesn't even need to be opened. 

Apple has sued NSO Group for creating the tool and said it has already been used to hack into the devices of US citizens, despite claims from the company that it is only used for counter-terrorism efforts. Apple has since patched the vulnerability exploited by Pegasus and now notifies people when they are being targeted. 

The US government sanctioned NSO Group in November after months of reports showing how the technology was being used widely by dictatorships to hack into the devices of opponents, human rights activists, other world leaders and more. 

NSO Group continues to face a barrage of bad headlines over how its Pegasus spyware has been used around the world. Last month, a bombshell report from the University of Toronto's Citizen Lab and the Associated Press said that even the Israeli government's own spy agency used the tool to hack the phones of six Palestinian human rights activists. 

That report followed another about the ruler of the UAE using Pegasus to spy on his ex-wife and her British lawyers. 

In July, the "Pegasus Project" used information from Amnesty International, the University of Toronto's Citizen Lab, and Forbidden Stories to uncover that the NSO Group's spyware was used to target at least 65 business executives, 85 human rights activists, 189 journalists, and at least 600 politicians. 

Targeted government officials included French President Emmanuel Macron, South African President Cyril Ramaphosa, and Iraqi President Barham Salih. Cabinet ministers from dozens of countries, including Egypt and Pakistan, were also targeted. 

Last month, on the heels of the sanctions announcement, several US Congress members demanded the State Department further investigate how Pegasus and other spyware is being used to abuse human rights around the world.

John Scott-Railton, senior researcher at Citizen Lab, told ZDNet that the latest news about Pegasus being used against US officials was years in the making.

"NSO knew exactly what it was doing by selling this hacking tool and has known for years that Pegasus is used against diplomats. They are a blinking national security threat for the United States and a threat to human rights. That's what earned them the blocklist designation by Congress," Scott-Railton said. 

Scott-Railton was skeptical of the new rules handed down by the Israeli government's Defense Exports Control Agency, questioning what good a signed declaration would do for dictators or repressive governments that have significant power within their borders. 

"I'm puzzled. You are asking a rogues' gallery of dictators to promise they won't behave badly? This sounds like a distraction, not an effective regulation. In fact, NSO has apparently made its customers certify that they wouldn't abuse the tech for years. We've seen just how badly that fared," he added, noting the wider difficulties countries will face now that the spyware industry has become so lucrative. 

"The problem with mercenary spyware is that it is arriving in the hands of security services long before there is effective oversight and accountability. Predictably, companies like NSO are driving the rapid proliferation of this tech, and the harms can be found wherever you look," Scott-Railton added. "Democracies should decide what kind of technological powers they want to vest in their police services. Citizens of dictatorships don't have the luxury of a say, and selling spyware to these regimes will help them stay undemocratic."

Editorial standards