Date: 2021-11-04
Spyware makers are getting reined in
The U.S. government has made its biggest move yet to rein in the shadowy international market for hacking tools, with its ban on the Israeli company NSO Group.
The big question now: Will other nations make similar moves against makers of hacking tools? After all, they've enabled an explosion in sophisticated digital spying by government and law enforcement agencies across the globe.
The ban
The U.S. Commerce Department action effectively blocks NSO from using any U.S.-made technology, Drew Harwell, Ellen Nakashima and Craig Timberg report. That will make NSO’s operations more difficult and could spook potential investors. But it’s unlikely to be enough on its own to put the firm out of business.
The move comes in the wake of extensive reporting by The Post and other media that the company’s Pegasus spyware was routinely used by its government clients to snoop on journalists, dissidents and opposition politicians.
“The U.S. government put a flag in the sand,” John Scott-Railton, a senior researcher at Citizen Lab, which has done extensive research on NSO, told me. “When the U.S. does something other countries pay attention. … Are other governments that suffered problems from NSO going to do the same thing?”
Commerce also effectively banned U.S. exports to Candiru, another Israeli spyware firm with a troubling human rights record.
Roadblocks
U.S. officials have spent years trying to impose international rules of the road on the wild West of cyberspace — and rallied other nations to adopt those rules.
But they had resisted coming out strongly against the private market for hacking tools known as spyware.
- One big barrier: NSO and other companies in the sector claim nations use their tools for legitimate security reasons such as fighting terrorism. That’s likely true in some cases, though the company clearly turned a blind eye while some government clients used the tools to suppress dissent and spy on adversaries.
- Another barrier: NSO is based in Israel, an important U.S. ally. Some other U.S. allies, such as Mexico, are well-known clients. The United States is not pursuing any action against the Israeli government over NSO, the State Department said.
But the extensive reporting on Pegasus had made it increasingly untenable to stay mum about the company’s abuses.
Results
Here’s how Commerce described the ban: “Part of the Biden-Harris Administration’s efforts to put human rights at the center of U.S. foreign policy, including by working to stem the proliferation of digital tools used for repression.”
The U.S. move will certainly make governments that espouse democratic principles think twice about buying from NSO. But it’s not clear if that’s enough to force changes to the largely unregulated spyware market.
“I do think it sends a message and a warning. Whether that sets a norm is yet to be determined,” Chris Painter, who led the Obama administration’s diplomatic efforts to craft international cyberspace rules, told me.
“Countries that have a rule of law standard and see themselves as democracies will have a hard time using this technology moving forward,” David Kaye, a former United Nations special rapporteur who has called for global restrictions on surveillance technology, told me. “The next step is for the U.S. and other governments to take this rule and say we need to … create globally recognized standards for this industry.”
Dialing it up
Spyware critics already have plans for next steps.
Sen. Ron Wyden (D-Ore.) urged the Biden administration to sanction NSO and Candiru under the Global Magnitsky Act, a 2012 law that blocks companies from the U.S. financial system and freezes any assets they have in U.S. banks.
The digital human rights group Access Now wants U.S. diplomats to urge other nations to pledge not to buy technology from NSO or Candiru. The group’s wish list also includes:
- Sanctions against NSO and Candiru’s owners and affiliates.
- New strict Securities and Exchange Commission rules for firms that provide goods or services related to surveillance.
Access Now General Counsel Peter Micek said in an interview that he’s hopeful this move will push other nations to condemn the most egregious uses of spyware. But he’s also skeptical nations will move swiftly against the sector because its tools are useful for their spying operations.
“With this move, the Biden administration is trying to carve out a penalty box for the truly bad actors and NSO repeatedly fed the referees with reasons to end up in that penalty box,” he told me.
The keys
The U.S. military hijacked a website belonging to a major ransomware group, prompting the group to shut itself down
A foreign government compromised the ransomware gang REvil’s servers. U.S. Cyber Command then blocked access to the site, which “deprived the criminals of the platform they used to extort their victims,” Ellen Nakashima and Dalton Bennett report. REvil shut down after discovering that the servers were compromised.
The operation is a significant development in the U.S. government’s evolving response to ransomware hacks, which have run roughshod over local governments and critical U.S. companies.
REvil was among the worst of the worst. It hacked meat supply giant JBS and Kaseya, an IT firm with thousands of clients. Between 800 and 1,500 small businesses were affected by the Kaseya hack, according to the company.
“The Washington Post previously reported that REvil’s servers had been hacked in the summer, permitting the FBI to have access,” Ellen and Dalton write. “The compromise allowed the FBI, working with the foreign partner, to gain access to the servers and private keys, officials said. The bureau was then able to share that information last month with Cybercom, enabling the hijacking, they said.”
Cyber Command Chief Gen. Paul M. Nakasone passingly addressed the article at an event Wednesday:
A cyberattack affected a “significant quantity” of data belonging to the U.K. Labour Party
The hack targeted “a third party that handles data” for the left-wing political outfit, officials told party members. Labour is the U.K. parliament’s largest opposition party.
The third-party vendor was hit by ransomware, incident responders told Sky News. The hack "resulted in a significant quantity of party data being rendered inaccessible on their systems,” Labour said in a letter to the National Crime Agency. The party first found out about the breach on Oct. 29, it said.
Labour is “urgently” investigating the impact and scope of the incident with the vendor, it said.
Labour is no stranger to cyber incidents. Last year, another third-party vendor Blackbaud told the party it had been hit with ransomware.
The Biden administration is working on an executive order to clarify roles for government cybersecurity officials
The order could arrive within the coming weeks or months, National Cyber Director Chris Inglis told the House Homeland Security Committee. It could assuage concerns in Congress that the administration’s top cybersecurity officials have unclear or overlapping roles, CyberScoop’s Tim Starks writes.
Inglis has previously defended those overlapping responsibilities, saying they’re necessitated by the complexity of cyber threats. He’s also acknowledged that the division of labor could use some fine-tuning.
This “would be the second major cybersecurity executive order of the administration, following on May’s sweeping directive for federal agencies and contractors to improve their digital defenses,” Starks writes.
Hill happenings
Industry plans to push back on cyber regulations at a House Transportation Committee hearing today
Tom Farmer, the Association of American Railroads’s assistant vice president for security, will warn the House Transportation Committee that mandates the Homeland Security Department is planning for rail systems are unnecessary and could undermine industry collaboration with the government, according to testimony shared with The Cybersecurity 202.
From Farmer's testimony: “The announcement of the Security Directives has produced erroneous perceptions that railroads, and rail transit agencies, have not been rigorously and effectively engaged for many years in defending against cyber threats. This false impression could have negative ripple effects if rail customers and the communities in which railroads operate lose confidence in railroads’ ability to operate safely and securely.”
The hearing will stream here at 10 a.m.
A Senate committee advanced a slew of cybersecurity bills
The Senate Homeland Security Committee advanced a swath of key cybersecurity measures to the full Senate, including:
- A bill to ensure that government contractors use artificial intelligence in a way that preserves national security and privacy
- Legislation to promote cyber wargames for U.S. businesses and local governments and to establish a National Cyber Exercise Program at CISA
- A bill aiming to boost cybersecurity of critical U.S. companies and implement recommendations by the Cyberspace Solarium Commission
- A proposal to alleviate the cybersecurity workforce shortage by creating a CISA cybersecurity apprenticeship program and a cybersecurity training program for veterans
The committee held over legislation to boost federal government cloud security because committee chairman Gary Peters (D-Mich.) wants to include the proposal in a mammoth annual defense authorization bill, MeriTalk’s Jordan Smith writes.
Daybook
- The House Transportation and Infrastructure Committee holds a hearing on infrastructure cybersecurity today at 10 a.m.
- Keith Alexander, the former director of the National Security Agency and commander of U.S. Cyber Command, discusses cyber threats at a Washington Post Live event on Nov. 8 at 9 a.m.
- Palo Alto Networks chief cloud security officer Matt Chiodi discusses cloud supply chain cyberattacks at a Cyber Threat Alliance event on Nov. 9 at 2 p.m.
- Former undersecretary of defense Michele Flournoy and Shield AI co-founder Brandon Tseng discuss the U.S. military's digital transformation at a Washington Post Live event on Nov. 11 at noon.
