U.S.
Biden administration blacklists NSO Group over Pegasus spyware
The Washington Post November 3, 2021
The United States on Wednesday added the Israeli spyware company NSO Group to its "entity list," a federal blacklist prohibiting the company from receiving American technologies, after determining that its phone-hacking tools had been used by foreign governments to "maliciously target" government officials, activists, journalists, academics and embassy workers around the world.
The move is a significant sanction against a company spotlighted in July in an investigation by the global Pegasus Project consortium, which includes The Washington Post and 16 other news organizations worldwide. The consortium published dozens of articles detailing how NSO customers had misused its powerful spyware, Pegasus.
The move could also raise tensions between the United States and Israel, where NSO is a prized technological powerhouse. Exports of NSO's software are regulated by Israel's Ministry of Defense, which must approve them as it would any weapons sale.
"NSO Group could not have operated without Israeli government knowledge and toleration, if not encouragement," said David Kaye, a former United Nations special rapporteur who has called for global restrictions on sales of surveillance technology. "So part of this cannot be seen merely as the U.S. government making a statement about this particular company; it's also a statement about the Israeli government, its export controls and engagement in transnational repression."
Sources in Israel familiar with the issue said Israel and the other implicated countries were only given about an hour's notice that the companies would be listed because of regulatory constraints in Washington. Israel's foreign ministry declined to comment.
The Commerce Department said in a statement that the action is part of the Biden administration's "efforts to put human rights at the center of U.S. foreign policy, including by working to stem the proliferation of digital tools used for repression."
NSO spokesperson Oded Hershkovitz said in a statement that the company is "dismayed" by the decision and will push for its reversal. The company said its "rigorous" human rights policies "are based on the American values we deeply share, which already resulted in multiple terminations of contracts with government agencies that misused our products."
The company has consistently denied the findings of the Pegasus Project, which found that some of NSO's dozens of law enforcement, military and intelligence customers in more than 40 countries target journalists, politicians and human rights workers on a routine basis with Pegasus, which can hack into cellphones. NSO has acknowledged problems with certain customers in the past.
The entity list designation prohibits export from the United States to NSO of any type of hardware or software, severing the company from a vital source of technology. It could also hinder future business arrangements and challenge the firm's ability to work as an international company.
"The impact is broader than just the legal prohibition," said Kevin Wolf, an international trade lawyer at the Akin Gump law firm who previously ran the entity list process. "It's a huge red flag."
It's unclear how much U.S.-originating technology NSO Group uses in its company tools. But the listing could restrict NSO's ability to use top-of-the-line cloud-computing services made by tech giants such as Amazon and Microsoft, or hinder its trade with American researchers who study the kinds of software exploits and vulnerabilities that NSO depends on for infecting phones.
The move comes two weeks after Commerce announced a rule that would bar sales of American hacking software and equipment to any entity overseas known to have engaged in hacking for malign purposes. The "Wassenaar" rule will align the United States with 42 European and other allies that have agreed to set export control policies on military and dual-use technologies.
The Wassenaar rule targets specific technologies but does not name specific companies. Wednesday's move sanctions specific companies but sweeps broadly on the technology and items covered. American-made toilet paper, for instance, would be barred from being sent to NSO Group or any of the other listed companies.
Together, however, they serve as bookends, enabling the United States to apply export controls more aggressively to address human rights abuses associated with hacking tools.
Wednesday's step is Commerce's first high-profile use of the entity listing aimed at curbing human rights abuses on companies outside of China. During the Trump administration, the agency imposed export controls on dozens of Chinese companies found to have supported "China's campaign of repression" against Muslim minorities in the country's northwest province of Xinjiang.
Sen. Ron Wyden, D-Ore., said in a statement Wednesday that "President Biden is sending a strong message that the U.S. won't stand for foreign hacking companies that violate human rights and threaten our national security." He also called for stronger measures, including "cutting them off from the American financial system and investors by issuing sanctions under the Global Magnitsky Act."
Forensic analyses of phones by Amnesty International, which provided technical support for the Pegasus Project investigation, found evidence that NSO's clients had used Amazon Web Services and other Internet service companies to deliver Pegasus malware to targeted phones.
An Amazon spokeswoman told The Post this year that the company "shut down the relevant infrastructure and accounts" when it learned of the activity. (Amazon's executive chairman, Jeff Bezos, owns The Post.)
The blacklisting could also weaken NSO's standing with investors and cast a pall over the company's attempts to rehabilitate its image as a maker of critical surveillance tools that law enforcement needs to catch criminals.
Commerce officials said NSO Group and another Israeli surveillance company, Candiru, had enabled "foreign governments to conduct transnational repression," allowing authoritarian governments to target "dissidents, journalists and activists outside of their sovereign borders to silence dissent."
The research group Citizen Lab, in a July report, found that Candiru markets to governments "untraceable" spyware that may be used for repressive purposes. Working with Microsoft, Citizen Lab found that the spyware was used to target human rights activists, dissidents, journalists and politicians in the Palestinian territories, Iran, Lebanon, Britain, Turkey, Yemen and other countries.
"For years we have been documenting extensive and serial abuses of mercenary spyware sold by companies like NSO Group and Candiru," said Ronald Deibert, director of Citizen Lab at the University of Toronto's Munk School of Global Affairs and Public Policy. Commerce's entity listing "is a very positive first step to bringing some public accountability and order to this otherwise poorly regulated marketplace."
Kaye, the former U.N. special rapporteur, said the listing will have major practical and symbolic implications for NSO Group, which has worked aggressively to attract investors, government clients and positive media coverage.
"They made this real effort to change the conversation about the work they're doing. This shows that attempt has failed," Kaye said. "Who will want to work with a company that's been so publicly sanctioned by the U.S. government? ... Who would invest in a company with this kind of black mark?"
There are hundreds of companies on the entity list, including 10 from Israel. The Trump administration added Huawei and at least 70 other Chinese firms to the list in 2019, citing their alleged involvement in human rights abuses of Uyghurs, a mostly Muslim minority group detained en masse in Chinese "reeducation" camps.
But it is rare for the U.S. government to target companies from U.S. allies.
NSO's addition to the list also marked one of the first times that the U.S. government has cited cyber-surveillance issues as the cause for the penalty.
With a special government license, Commerce officials can permit select U.S. companies to export products to listed companies, though they require all such transactions to be marked with a "red flag" and urge firms to "proceed with caution," federal guidelines state. Other listed entities include Chinese state-owned defense contractors, drone manufacturers and surveillance firms.
Besides NSO and Candiru, two other companies were added to the list: Russia's Positive Technologies and Singapore's Computer Security Initiative Consultancy PTE, with the government saying both firms had trafficked in hacking tools that could threaten "the privacy and security of individuals and organizations worldwide."
While NSO says its spyware tools cannot be used on U.S. phone numbers, the U.S. number of at least one American diplomat was found on the list of numbers that served as a source document for the Pegasus Project investigation. The foreign-registered phone numbers of other U.S. government employees were also on the list. It is not known if any of those phones showed evidence of a Pegasus attack.
NSO spyware was also used to target the phones of two women close to slain Washington Post columnist Jamal Khashoggi: his wife, Hanan Elatr, whose phone was targeted six months before his death; and his fiancee, Hatice Cengiz, whose phone was hacked days after he was killed, forensic analyses show.
After the Pegasus Project investigation, a French government probe found traces of Pegasus spyware on the phones of five cabinet ministers. And last month, a High Court judgment in Britain revealed that the ruler of Dubai had used Pegasus spyware to hack the phones of his estranged wife, Princess Haya, and top members of her legal and security teams.
A top Biden adviser raised concerns about the spyware to his Israeli counterpart during a July meeting at the White House. Members of Congress have also pushed for sanctions, investigations and rules to combat spyware abuse, saying "the hacking for hire industry must be brought under control."
The listing could also prove awkward for the network of Washington attorneys, consultants and other power brokers who have worked with NSO. Rod J. Rosenstein, President Donald Trump's deputy attorney general from 2017 to 2019, is advising the company on its defense of a lawsuit by Facebook-owned messaging service WhatsApp, which has accused NSO Group of targeting its users.
In a statement, WhatsApp spokesman Carl Woog said the company is "grateful to see the U.S. Government stand up for human rights and hope to see more nations act to protect people's ability to have private conversations online."
The Washington Post's Steve Hendrix in Jerusalem contributed to this report.