Congress is seeking to ramp up U.S. defenses against the evolving threat of foreign spyware following recent incidents exposing its use on government officials, journalists and dissidents.
Last week, the House Intelligence Committee passed the Intelligence Authorization Act, which included a provision authorizing the Director of National Intelligence to prohibit the U.S. intelligence community from buying and using foreign spyware.
The bill would also allow the president to impose sanctions on foreign government officials and firms that target U.S. officials with spyware.
At a Wednesday hearing, Intelligence Chairman Adam Schiff (D-Calif.) shined a light on foreign government use of the Pegasus spyware, which was developed and sold by the Israeli company NSO Group, to monitor domestic and foreign officials, journalists, human rights activists and political opponents.
“This spyware could be used against every member of this committee, every employee of the executive branch, every journalist or political activist,” Schiff said.
“And aside from periodically updating the software on our devices, there’s little you can currently do to protect yourself from being targeted and compromised,” he added.
Schiff also mentioned how a group of news organizations and researchers working last year for the Pegasus Project, which investigated how and where the spyware was deployed, uncovered rampant use by countries around the world, including Mexico, Saudi Arabia, India, Poland and Hungary.
The project also released a leaked list of more than 50,000 phone numbers of individuals targeted by governments using the spyware tool.
“Since that disclosure, a steady stream of disturbing reports has revealed that thousands of journalists, civil society activists, and many others have had their devices compromised by NSO’s tools,” Schiff said.
U.S. officials, including diplomats, have reportedly numbered among the victims of the spyware.
Late last year, Reuters reported that at least nine State Department officials based in Uganda were hacked by an unknown attacker using Pegasus. Sources told Reuters at the time that the hacks took place over several months.
Although the Israeli spyware cannot penetrate phones with U.S. numbers, the hacker was able to get inside the State Department officials’ phones because they were registered with foreign ones
U.S. allies have also been a target of the spyware. In April, it was reported that U.K. Prime Minister Boris Johnson’s office was the target of multiple malware attacks between 2020 and 2021. Although researchers investigating the hacks were unable to identify specific individuals, they linked the attacks to the United Arab Emirates.
This week, a top European Union lawmaker said his phone was likely compromised by Pegasus.
In a letter obtained by Reuters, EU Justice Commissioner Didier Reynders said that Apple informed him last year that his phone had likely been hacked using the Israeli spyware.
The potential hack prompted an investigation of Reydner’s devices as well as phones belonging to other EU employees.
“I believe that these cases are the tip of the iceberg and there are many more yet to be discovered,” said John Scott-Railton, a researcher at the University of Toronto’s Citizen Lab who testified at the hearing.
In November, the Department of Commerce blacklisted NSO Group amid intense scrutiny by the U.S. for facilitating unlawful surveillance.
The White House in June also voiced its own concerns following an attempt by U.S. defense contractor L3Harris to purchase spyware tools from NSO Group.
The Biden administration said at the time that the acquisition of the spyware would “pose a serious counterintelligence and security risk to U.S. personnel and systems.”
L3Harris reportedly ended talks with NSO Group following the White House concerns.
U.S. officials familiar with the matter told The Washington Post that the defense firm “reached out to the U.S. government and said they would not be moving forward” with the acquisition.
“When the United States government added NSO group and another vendor to the entity list, this sent a strong signal which was pretty powerful and it impacted both NSO group’s valuation and investor confidence,” Scott-Railton said.
“Congress should send that signal to all unaccountable players within the industry,” he added.
Scott-Railton also suggested that Congress should direct the intelligence community to use resources available to disrupt firms that sell such spyware, adding that those companies should be prohibited from doing business with U.S. federal agencies.
He also recommended that the U.S. should apply diplomatic pressure to countries “that have become safe havens with these problematic companies.”
Although the Pegasus spyware is now getting global recognition for its unlawful surveillance, it is still advertised by NSO Group as a hacking tool used by law enforcement to catch criminals involved in various activities, including terrorism, drug trafficking and human trafficking, said Mike Sexton, a senior policy advisor for cyber at Third Way’s national security program.
“[The spyware] is being used way more often against people who unambiguously do not pose that kind of threat to law and order,” Sexton said.
He added that the U.S. should develop a legal framework allowing firms to operate without violating human rights.
“I think that these companies can conduct themselves ethically and can play a productive role supporting law enforcement, but I don’t think we’re going to stop hearing about these [abuses] until that is no longer optional,” Sexton said. “It needs to be mandatory.”