from the oh-no-no-no-dear-god-no dept
The US defence contractor L3Harris is in talks to take over NSO Group’s surveillance technology, in a possible deal that would give an American company control over one of the world’s most sophisticated and controversial hacking tools.
Multiple sources confirmed that discussions were centred on a sale of the Israeli company’s core technology – or code – as well as a possible transfer of NSO personnel to L3Harris.
If anyone has any objections, speak now or forever… well, actually there are already objections. The US federal government has some, namely the sanctions it placed on NSO Group (and competitor Candiru) last November.
In a statement, a senior White House official said: “Such a transaction, if it were to take place, raises serious counterintelligence and security concerns for the US government.”
Those are still in place and that would seem to suggest L3Harris (the company resulting from the merger of Stingray manufacturer Harris Corporation and defense contractor L3 Technologies) can’t actually make this purchase. Unfortunately, the statement given to the Guardian suggests the White House may not actually be able to stop the purchase from taking place.
This statement, given to Lucas Ropek of Gizmodo, strays even further from a flat statement saying the acquisition would violate the Commerce Department’s sanctions.
In an email to Gizmodo, a senior White House official said that the government “opposes” the circumvention of U.S. sanctions. “The U.S. Government, and the White House specifically, has not been involved in any way in this reported potential transaction,” said the official. “While we can’t speak to this particular report, the U.S. Government opposes efforts by foreign companies to circumvent U.S. export control measures or sanctions, including placement on the U.S. Department of Commerce’s Entity List for malicious cyber activity.”
The White House will oppose this acquisition but there might be an exploitable loophole in the sanctions. Being acquired by an American company won’t remove NSO from the sanctions list, but it would force the federal government to jump through a bunch of hoops (and, presumably, face litigation) to ensure its sanctions are valid and address actual threats to US entities, including other defense contractors whose offerings might be targeted by foreign purchasers of NSO malware.
What might make it less objectionable (and more likely to result in lifted sanctions) is L3Harris’s customer list, which is largely composed of countries and government entities the US government likes, rather than the sprawling list of human rights violators NSO sold to. That could be something that allows the acquisition to take place with the federal government’s tentative blessing, if the company agrees to trim its customers list down to the US government’s preferred customer list.
Even if it may somewhat whitewash NSO’s reputation, this merger shouldn’t be welcomed by anyone. It adds the abuses of cell tower simulator technology to the abuses of powerful cell phone-compromising exploits. When a single product can force phones to connect with it in order to deploy malware, the abuses observed to date are going to look pretty mild.
Beyond the theoretical combinations of phone-targeting tech, there’s no reason an American company should willingly get in bed with a company currently facing sanctions from the US government. But NSO’s powerful malware may be too tempting to ignore, especially when Harris has played fast and loose with export regulations in the past. Hopefully, this acquisition will remain what it is now: merely one of several possible outcomes.