Congress wants to know who is using spyware against the US

On 1 May 2018, the richest man in the world was having a seemingly friendly WhatsApp conversation with Saudi Arabia’s Crown Prince Mohammed bin Salman when an unsolicited file was sent from the crown prince’s phone.

Within hours, a trove of data was exfiltrated from Amazon CEO Jeff Bezos’s phone.

A UN report earlier this year claimed that this exfiltration was was triggered by a mobile surveillance product called Pegasus from NSO Group, although NSO Group refutes this, saying that its technology “cannot be used on US phone numbers”.

That one piece of commercial spyware alone has been linked to at least one assassination and multiple human rights abuses, including allegedly playing a part in the 2018 murder of Washington Post journalist Jamal Khashoggi; a June 2018 spearphishing attack on an Amnesty International staff member; and use by the Mexican government against prominent human rights lawyers, journalists and anti-corruption activists.

Finally, after years of states’ use of this kind of powerful spyware against their rivals and political enemies, the US Congress is planning to order its Director of National Intelligence (DNI) to keep track of the threat this malware poses to the nation, which foreign governments are using it, and for what.

John Scott-Railton, a senior researcher for Citizen Lab, last week spotted a powerful bit of legislation tucked into a draft of the intelligence funding bill for 2021. The Senate bill – which lays out funding for the government’s intelligence operations for next year – would require the DNI to submit a report to Congress on the threat posed by commercial spyware. Scott-Railton called it a “clear signal that [the] Senate is taking [the] National Security threat of commercial spyware very seriously.”

You can read the relevant language in Section 503 of the draft version of the Intelligence Authorization Act for Fiscal Year 2021.

Section 503. SOURCE: Intelligence Authorization Act for Fiscal Year 2021

Researchers at the University of Toronto’s Citizen Lab cybersecurity research laboratory are intimately familiar with Pegasus and other spyware. They’ve been tracking Pegasus for years. In fact, Citizen Lab first revealed Pegasus in August 2016.

Scott-Railton said that for years, every major US tech company has grappled with the threats posed by commercial spyware. The same goes for the nation’s intelligence community and elected officials, including the State Department. Now, in a push led by Senator Ron Wyden, “the issue is going primetime for Congress,” Scott-Railton said.

Section 503 would require inquiry into, and reporting on, the companies that sell commercial spyware, including whether it’s coming from US companies. It also seeks details on which spyware buyers – be they foreign government or other entities – pose the biggest threat to the US and government employees based at home or overseas.

Who's making it and who's using it
Who’s making it and who’s using it IMAGE: Section 503. SOURCE: Intelligence Authorization Act for Fiscal Year 2021

Section 503 requires the government to work with technology companies and telecoms to figure out how to beef up the security of the consumer software and hardware used in the US: technology that’s targeted by intrusion and surveillance software. It suggests actively blocking threat actors by using multiple tools: Export controls, diplomatic pressure and trade agreements.

Scott-Railton provided this TLDR translation:

Commercial spyware has always been a NATSEC threat for the US. This language helps gov move towards action.

Earlier this month, the current draft of the funding bill sailed through the Senate Select Committee on Intelligence with a 14-1 vote. It will be subject to a Senate vote later this summer.