Blacklist and Bankrupt Abusive Spyware Makers, Researchers Tell Congress

Blacklist and Bankrupt Abusive Spyware Makers, Researchers Tell Congress
Adam Schiff, Chair of the House Select Committee on Intelligence. (Photo: Brandon Bell, Getty Images)

Members of Congress — you know, the people who can’t seem to do anything — are taking their considerable talents to the fight against digital threats. On Wednesday, the House Intelligence Committee held a public hearing to address the threat of “commercial cyber surveillance,” otherwise known as the spyware industry.

Experts and victims told lawmakers to blacklist abusive spyware makers from doing business in the U.S., thereby bankrupting them.

“Federal agencies should be prevented from doing business with identified problem companies,” one digital forensics researcher told Congress. “Getting federal contracts is the ultimate prize for any defence contractor, and their investors. Removing this opportunity would have an immediate impact.”

Companies like the NSO Group — Israel’s well-known spyware dealer — have made a killing by selling powerful surveillance tools that can infiltrate the most intimate of digital spaces. While these companies claim that their products are only used in legitimate law enforcement investigations, time and time again, evidence shows that they’re actually being used to snoop on journalists, lawyers, political activists, and high-level politicians. While NSO is probably the most notorious company in the industry, it is far from the only one. It’s also broke.

New victims of spyware abuses are popping up with increasing regularity. Indeed, news just broke this afternoon that a senior member of the European Union and several high-ranking staff of the European Parliament may have been targeted with sophisticated spyware last year. Here’s a brief rundown of what happened at Wednesday’s hearing.

“Terrifying:” NSO Spyware Victim Shares Details

The most compelling part of Wednesday’s hearing was testimony provided by a target of spyware surveillance, Rwandan activist Carine Kanimba, who discovered last summer that her phone had been infected with malware for an entire year.

Carine Kanimba speaks in front of Congress.  (Screenshot: Lucas Ropek/YouTube)Carine Kanimba speaks in front of Congress. (Screenshot: Lucas Ropek/YouTube)

Kanimba is the daughter of Paul Rusesabagina, the former manager of Hôtel des Mille Collines, which housed war refugees during the Rwandan genocide (Rusesabagina’s story was adapted in the 2004 movie Hotel Rwanda). After Kanimba’s biological parents were killed during the genocide, she and her sister were adopted by Rusesabagina and his wife and, after the war, the family moved to the U.S., where Rusesabagina has been an outspoken critic of the Rwandan government ever since.

In the summer of 2020, Rusesabagina was kidnapped and renditioned back to Rwanda, where he was tortured, tried, and sentenced to 25 years in prison for alleged connections to a terrorist group.

Kanimba subsequently launched a campaign to free her father, but, unbeknownst to her, she quickly came under surveillance via Pegasus — the NSO Group’s powerful spyware that can track nearly every move someone makes on a smartphone and in the physical world via location data. A digital forensics investigation last summer revealed that Kanimba’s phone had been infected with the malware for over a year. On Wednesday, Kanimba said that her ordeal with being tracked had been “terrifying” and that she had “lost all sense of security” in her “private actions and physical surroundings.” She went on:

“I am frightened by what the Rwandan government will do to me and my family next. It is horrifying to me that they knew everything I was doing, precisely where I was, who I was speaking with, my private thoughts and actions, at any moment they desired.”

Kanimba added that she felt Americans were at risk if legislative action was not taken: “Unless there are consequences for countries and their enablers which abuse this technology, none of us are safe,” she said.

Suggestions: Go After the Money

Over the course of the hearing, experts called to testify before Congress made several suggestions about how to address the spyware threat. Most of potential solutions were provided by John Scott-Railton, a researcher with the University of Toronto’s Citizen Lab, which has been at the forefront of investigation into the spyware industry’s abuses. According to Railton, going after spyware firms’ financial backing has been the surest way to curb their bad behaviour — and he urged Congress to do something.

John Scott-Railton speaks in front of Congress.  (Screenshot: Lucas Ropek/YouTube)John Scott-Railton speaks in front of Congress. (Screenshot: Lucas Ropek/YouTube)

“If NSO Group goes bankrupt tomorrow, there are other companies, perhaps seeded with U.S. venture capital, that will attempt to step in to fill the gap. As long as U.S. investors see the mercenary spyware industry as a growth market, the U.S. financial sector is poised to turbocharge the problem and set fire to our collective cybersecurity and privacy.”

Scott-Railton suggested that troublesome companies should be treated similarly to the NSO Group, which has been financially struggling ever since it was blacklisted by the U.S. government for its connection to abusive clients. Last November, the company was placed on the U.S. Export Administration Regulation (EAR) “Entity List” — an inventory of foreign companies that have been deemed as working “contrary to U.S. national security and/or foreign policy interests.” U.S. companies are forbidden from providing services to the blacklisted company without acquiring a special licence to do so. The decision to shut out NSO — along with another Israeli spyware firm, Candiru — has led to serious financial trouble for both businesses.

It’s unclear on whether Congress plans to act on any of Scott-Railton’s suggestions, or what legislation to protect against the spyware industry’s most toxic offenders might look like.