U.S. Blacklists Israeli Firm NSO Group Over Spyware
In a remarkable breach with Israel over one of its most successful technology companies, the Biden administration on Wednesday blacklisted the NSO Group, saying the company knowingly supplied spyware that has been used by foreign governments to “maliciously target” the phones of dissidents, human rights activists, journalists and others.
The firm, and another Israeli company, Candiru, acted “contrary to the national security or foreign policy interests of the United States,” the Commerce Department said, a striking accusation against a business that operates under the direct supervision of the Israeli government.
The ban is the strongest step an American president has taken to curb abuses in the global market for spyware, which has gone largely unregulated. The move by the Commerce Department was driven by NSO’s export around the world of a sophisticated surveillance system known as Pegasus, which can be remotely implanted in smartphones.
NSO’s spyware has been under scrutiny for years for its ability to stealthily, and remotely, extract sound and video recordings, encrypted communications, photos, contacts, location data and text messages from a device — without so much as a single click. Among its targets were confidants of Jamal Khashoggi, the Washington Post columnist who was dismembered by Saudi operatives in Turkey; an array of human rights lawyers, dissidents and journalists in the Emirates and Mexico, and even their family members living in the United States.
After a consortium of media outlets reported over the summer that NSO’s spyware may have targeted smartphones belonging to journalists and world leaders from France, Morocco and elsewhere, a group of House Democrats called for NSO Group to be blacklisted and potentially sanctioned for human rights violations. But it was never clear if those people were on a list of possible targets by NSO clients, or were actually hacked.
The announcement on Wednesday apparently came as a surprise to the Israeli defense ministry, which must approve licenses for the sale of Pegasus software to foreign governments, because it is categorized as a defense technology. While Israeli officials insisted they were unprepared for the move, which prohibits the firm from acquiring American technology, the Israeli government had received a string of official and private warnings from Washington.
The ministry of defense declined to comment on the record on the action. But there was no question that the Commerce Department, by placing the firm on the “Entity List” of blacklisted companies, was striking at the heart of the Israeli intelligence community. NSO’s technology emerged from Unit 8200, Israel’s highly secretive cyberunit, which has partnered with the United States around the globe, including in cyberoperations to disable Iran’s nuclear facilities.
The ban would prohibit American firms from selling technology to NSO Group and its subsidiaries. Dell and Microsoft were alerted earlier that NSO Group would be added to the blacklist, according to two people briefed on the calls but unauthorized to speak publicly about them.
Cristin Goodwin, general manager of Microsoft’s digital security unit, called the rule “a strong step toward addressing the danger these actors pose, and we encourage other countries to adopt similar policies.”
After a series of revelations about NSO in The New York Times and other publications, the Biden administration warned that the surveillance software was being abused by authoritarian nations.
Two weeks ago, the Commerce Department added a new rule requiring U.S. companies to get a license to sell any intrusion software to foreign countries, an effort to curb the sale of surveillance tools to oppressive regimes like Saudi Arabia and the Emirates.
The announcement on Wednesday went one step further, taking direct aim at NSO Group, and signaling to its would-be investors, and acquirers, to stay away. The company had been mulling an initial public offering at a $2 billion valuation.
NSO said in a statement that it was “dismayed by the decision” and would ask for it to be reversed. The company has claimed — especially recently, as investigations proliferated — that it is pulling licenses for its software from governments that are using it to suppress dissent.
“Our technologies support U.S. national security interests and policies by preventing terrorism and crime,” the company said.
The Biden administration concluded exactly the opposite.
Senator Ron Wyden, Democrat of Oregon, and one of the Senate’s most outspoken voices on digital privacy, applauded the administration’s move but argued it should go further.
“President Biden is sending a strong message that the U.S. won’t stand for foreign hacking companies that violate human rights and threaten our national security,” he said. He added that the administration should consider issuing sanctions under the Global Magnitsky Act.
Doing so would effectively freeze NSO’s assets and force its largest investors, including Novalpina Capital, a British private equity firm — and its investors, which include Oregon’s state pension fund — to divest. It could also thwart NSO Group’s plans for a lucrative exit, such as an initial public offering or acquisition.
NSO was one of four companies that were blacklisted on Wednesday.
Candiru, another Israeli firm, was sanctioned based on evidence that it supplied spyware to foreign governments. Positive Technologies of Russia, which was targeted with sanctions last April for its work with Russian intelligence, and Computer Security Initiative Consultancy of Singapore were added to the list for trafficking in hacking tools, according to the Commerce Department’s announcement.
“The United States is committed to aggressively using export controls to hold companies accountable that develop, traffic, or use technologies to conduct malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials and organizations here and abroad,” Gina Raimondo, the commerce secretary, said in a statement.
NSO has said it only sells its spyware to governments whose human rights records have been vetted, for the purpose of countering terrorism and crime. But its spyware continues to pop up on the phones of journalists, critics of autocratic regimes, even children. Some of NSO’s targets — like Ahmed Mansoor, a critic of the United Arab Emirates — have been imprisoned and held in solitary confinement for years after NSO’s spyware was found on their phones.
Apple has patched its iOS software several times to mitigate vulnerabilities exploited by NSO’s spyware.
Candiru was founded by engineers who left NSO. Last July, Microsoft reported that Candiru’s spyware exploited a pair of Windows vulnerabilities to target the phones, computers, and internet-connected devices of some hundred activists, journalists and dissidents across ten countries.
Both NSO and Candiru were supposed to be under the strict control of Israel’s Ministry of Defense. But the ministry authorized the companies to sell their products to a number of countries with a long history of severe human rights violations, like Saudi Arabia, and continued to approve their sale even after the murder of Mr. Khashoggi and the discovery of spyware on his associates’ phones.
In a brief response to the Times in September, the ministry said in a statement that it applied “even stricter” standards to exports than was required, and that “special emphasis” was placed on adhering to international agreements and protecting human rights.
Whenever the ministry “discovers that the purchased item is being used in contravention of the terms of the license, especially after any violation of human rights, a procedure of cancellation of the defense export license or of enforcing its terms, is initiated,” the ministry said.
The Commerce Department clearly determined otherwise.