Commerce Department Issues New Export Guidelines To Limit Sales Of Phone-Hacking Tech
from the end-result-of-NSO-fueling-the-fire-currently-consuming-it dept
Shortly after leaked data showed Israeli malware merchant NSO Group’s spyware was being deployed against journalists, activists, religious leaders, government officials, and dissidents, four Congressional reps issued a statement in response to the unsettling revelations.
Reps Tom Malinowski, Katie Porter, Joaquin Castro, and Anna Eshoo had this to say about the spyware maker and its powerful Pegasus phone exploit:
“Enough is enough. The recent revelations regarding misuse of the NSO Group’s software reinforce our conviction that the hacking for hire industry must be brought under control. Private companies should not be selling sophisticated cyber-intrusion tools on the open market, and the United States should work with its allies to regulate this trade. Companies that sell such incredibly sensitive tools to dictatorships are the A.Q. Khans of the cyber world. They should be sanctioned, and if necessary, shut down.
The NSO Group’s denials are not credible, and show an arrogant disregard for concerns that elected officials, human rights activists, journalists, and cyber-security experts have repeatedly raised. The authoritarian governments purchasing spyware from private companies make no distinction between terrorism and peaceful dissent; if they say they are using these tools only against terrorists, any rational person should assume they are also using them against journalists and activists, including inside the United States. Selling cyber-intrusion technology to governments like Saudi Arabia, Kazakhstan, and Rwanda based on assurances of responsible use is like selling guns to the mafia and believing they will only be used for target practice.”
The joint statement also called for the finalization of the United States’ participation in the Wassenaar Arrangement — a joint agreement on export limitations that has been in the works since 1996. The United States has been a part of this consortium for years, but its own export controls aren’t quite aligned with those enforced by other countries.
Until now. The revelations about the misuse of NSO spyware, as well as its apparent willingness to sell to countries with long histories of human rights violations, have finally pushed the US government to issue new export control rules that would indirectly affect NSO’s products, as well as directly affecting malware developed by US companies.
The [Commerce Department] on Wednesday announced an interim final rule that defines when an export license will be required to distribute what is basically commercial spyware, in order to align US policy with the 1996 Wassenaar Arrangement, an international arms control regime.
The rule [PDF] – which spans 65 pages – aims to prevent the distribution of surveillance tools, like NSO Group’s Pegasus, to countries subject to arms controls, like China and Russia, while allowing legitimate security research and transactions to continue. Made available for public comment over the next 45 days, the rule is scheduled to be finalized in 90 days.
This rule would only affect US companies or foreign companies with US offices. NSO Group denies it has a US base of operations but it did run attacks through Facebook servers located in California. Whether or not this is enough to allow the rules to govern distribution of NSO products is unclear. But it does show NSO malware can traverse countries that NSO itself says are off-limits to make use of US-based attack vectors.
The rule set has been in the works for more than a half-decade, partially because the Commerce Department wanted to ensure its guidelines would not adversely affect cyberthreat responses or security research work. But it seems far from coincidental that new export guidelines are being published mere months after the exposure of NSO Group’s contribution to acts of oppression by its customers.