On 1 May 2018, the richest man in the world was having a seemingly friendly WhatsApp conversation with Saudi Arabia’s Crown Prince Mohammed bin Salman when an unsolicited file was sent from the crown prince’s phone.
Within hours, a trove of data was exfiltrated from Amazon CEO Jeff Bezos’s phone.
A UN report earlier this year claimed that this exfiltration was was triggered by a mobile surveillance product called Pegasus from NSO Group, although NSO Group refutes this, saying that its technology “cannot be used on US phone numbers”.
That one piece of commercial spyware alone has been linked to at least one assassination and multiple human rights abuses, including allegedly playing a part in the 2018 murder of Washington Post journalist Jamal Khashoggi; a June 2018 spearphishing attack on an Amnesty International staff member; and use by the Mexican government against prominent human rights lawyers, journalists and anti-corruption activists.
Finally, after years of states’ use of this kind of powerful spyware against their rivals and political enemies, the US Congress is planning to order its Director of National Intelligence (DNI) to keep track of the threat this malware poses to the nation, which foreign governments are using it, and for what.
John Scott-Railton, a senior researcher for Citizen Lab, last week spotted a powerful bit of legislation tucked into a draft of the intelligence funding bill for 2021. The Senate bill – which lays out funding for the government’s intelligence operations for next year – would require the DNI to submit a report to Congress on the threat posed by commercial spyware. Scott-Railton called it a “clear signal that [the] Senate is taking [the] National Security threat of commercial spyware very seriously.”
You can read the relevant language in Section 503 of the draft version of the Intelligence Authorization Act for Fiscal Year 2021.
Researchers at the University of Toronto’s Citizen Lab cybersecurity research laboratory are intimately familiar with Pegasus and other spyware. They’ve been tracking Pegasus for years. In fact, Citizen Lab first revealed Pegasus in August 2016.
Scott-Railton said that for years, every major US tech company has grappled with the threats posed by commercial spyware. The same goes for the nation’s intelligence community and elected officials, including the State Department. Now, in a push led by Senator Ron Wyden, “the issue is going primetime for Congress,” Scott-Railton said.
Section 503 would require inquiry into, and reporting on, the companies that sell commercial spyware, including whether it’s coming from US companies. It also seeks details on which spyware buyers – be they foreign government or other entities – pose the biggest threat to the US and government employees based at home or overseas.
Section 503 requires the government to work with technology companies and telecoms to figure out how to beef up the security of the consumer software and hardware used in the US: technology that’s targeted by intrusion and surveillance software. It suggests actively blocking threat actors by using multiple tools: Export controls, diplomatic pressure and trade agreements.
Scott-Railton provided this TLDR translation:
Commercial spyware has always been a NATSEC threat for the US. This language helps gov move towards action.
Earlier this month, the current draft of the funding bill sailed through the Senate Select Committee on Intelligence with a 14-1 vote. It will be subject to a Senate vote later this summer.
3 comments on “Congress wants to know who is using spyware against the US”
Just a guess by recent history, in order of likelihood; Chinese government, or either Israeli or Russian independent criminals.
I had Disgruntled NSA staff on the list, but removed it as primarily disgruntaled NSA peeps were whistle blowers, and not likely to get journalist murdered. The rest on the list, I doubt wouldn’t give it a second thought.
From the sounds of it, Section 503 is in direct opposition to Congress’ stand of ‘we want back doors to encryption’. The very back doors they want would undoubtedly be used by the cyber intrusion and surveillance technology they are trying to get a handle on. In essence, if they force the issue of back doors, they are allowing foreign actors, state-backed or not, an opening into the very systems they are trying to keep them out of.
To complete the story it should be noted that the descending vote came from Sen. Ron Wyden, D-Ore. In his press release he stated his vote happened, “because the legislation fails to reform a broken, costly declassification system.” He also said that, “Wyden welcomed the passage of whistleblower protection provisions he succeeded in including in the bill” and “Wyden also welcomed the inclusion of a provision requiring a report on the threat posed by the proliferation of commercial spyware” BUT he voted against the bill. Make of it what you will.