Opinion | The spyware crisis is much bigger than NSO Group

Those international hackers for hire you’ve been hearing so much about? Turns out they do much more. A new report from Facebook parent company Meta, to accompany its enforcement against cyber-mercenaries, hammers home the scope and scale of the world’s private surveillance problem.

Get the full experience.Choose your plan

Spyware has gotten plenty of notice lately, but most of that attention has focused on a single firm: Israel’s NSO Group, which President Biden blacklisted last month. The Post reported recently that a United Arab Emirates agency put NSO’s proprietary spyware Pegasus on the phone of the wife of journalist Jamal Khashoggi months before his murder — despite NSO denying any involvement. Meta’s removal of seven entities in Israel, India, China and North Macedonia, which were alleged to be probing as many as 50,000 people in more than 100 countries, punches another hole in the tired insistence that such operations focus only on criminals and terrorists: The roster of victims runs a gamut, suggesting that the only real selection criterion for these companies is whether a client is willing to pay.

Not only is the cyber-snooping industry much vaster than its most notorious representative, but its activities extend beyond what most think of when they hear the word “spyware”: the moment of exploitation when the privacy-smashing tool is planted on an individual’s device. You can’t plant a bug until you’ve found a way into the house. Surveillants start with reconnaissance that involves hoovering up publicly available information on a target. On Facebook, this often occurs through the creation of fake accounts that can view friends, likes and more. Next comes engagement, which means building trust with or soliciting knowledge from the target or those close to them. Firms will commonly employ fictitious personas and clever social engineering to get the job done. Last comes the download or link that a mark must click to lay their account open to prying eyes or to turn their smartphone into a secret listening device. (The zero-click exploits made infamous by NSO are an even more menacing matter.)

Meta’s report tells regulators worldwide one thing they should already know, which is that spyware is a crisis demanding an international response — with know-your-customer rules and civil liberties assessments required of companies that want to hawk their services all over the globe. Legislation passed by Congress this month to require a State Department list of purveyors with a history of abetting human rights abusers is a start. Yet the investigation also tells these leaders something else: Stopping a hack also involves stopping everything that comes before it.

The Post’s View | About the Editorial Board

Editorials represent the views of The Post as an institution, as determined through debate among members of the Editorial Board, based in the Opinions section and separate from the newsroom.

Members of the Editorial Board and areas of focus: Opinion Editor David Shipley; Deputy Opinion Editor Karen Tumulty; Associate Opinion Editor Stephen Stromberg (national politics and policy); Lee Hockstader (European affairs, based in Paris); David E. Hoffman (global public health); James Hohmann (domestic policy and electoral politics, including the White House, Congress and governors); Charles Lane (foreign affairs, national security, international economics); Heather Long (economics); Associate Editor Ruth Marcus; Mili Mitra (public policy solutions and audience development); Keith B. Richburg (foreign affairs); and Molly Roberts (technology and society).