'Not one red cent:' US lawmaker floats withholding aid to countries using spyware
A US lawmaker has said that aid should be withheld from countries using spyware to target opponents, a move that would potentially broaden legislation working its way through Congress aimed at hacking groups.
“It seems to me that the principle of, if you attack our people with these surveillance tools… maybe not just our people, but civilians or anyone else, you will not get one red cent from the American taxpayer,” Democratic Congressman Jim Himes said.
Himes made the remarks at a House Intelligence Committee hearing on Wednesday where the activities of Israeli spyware company NSO came under scrutiny.
Rwandan activist Carine Kanimba told lawmakers she was “mortified” after learning that she had been targeted with Pegasus spyware as she lobbied the Rwandan government to release her father, jailed activist Paul Rusesabagina.
“I am frightened by what the Rwandan government will do to me and my family next. It is horrifying to me that they knew everything I was doing, precisely where I was, who I was speaking with, my private thoughts and actions, at any moment they desired,” she said.
NSO sparked international outrage after a series of investigations in 2021 - under the coordination of Forbidden Stories - showed how Pegasus, the Israeli company's flagship product, was used by governments to spy on activists, journalists and political dissidents.
Wednesday’s hearing comes after the House Intelligence Committee last week passed the Intelligence Authorization Act.
The act would allow the president to impose sanctions on companies that target the intelligence community with spyware, allocate more funding for investigations into the use of foreign commercial spyware, and authorise the Office of the Director of National Intelligence to ban contracts with foreign firms producing surveillance software.
John Scott-Railton, a senior researcher at the University of Toronto’s cyber-focused Citizen Lab, who testified at the hearing, said more needed to be done to put diplomatic pressure on countries that act as “safe havens” for spyware firms.
“When it comes to Israel, they have an export control authority. That authority has authorized many of the sales that have led to these problematic cases, and so I think there too, there is an opportunity for diplomatic engagement and pressure,” he said.
'Turbocharging the spyware'
NSO was placed on a blacklist last year by the US Commerce Department, barring it from American technologies crucial to maintaining its operations.
The Commerce Department said its decision was based on evidence that the NSO group and Candiru, another Israeli spyware company, developed and supplied spyware to foreign governments who in turn used it "to maliciously target government officials, journalists, business people, activists, academics, and embassy workers”.
NSO is also enmeshed in a series of legal battles. WhatsApp’s parent company, Facebook, now called Meta, sued NSO in 2019 for allegedly targeting some 1,400 users of its encrypted messaging service with highly sophisticated spyware. It is trying to block NSO from Facebook platforms and servers.
NSO has been plagued by financial difficulties since allegations of its spyware usage emerged. The company is at risk of defaulting on its $500m debts and saw sales drop after the US blacklisting. Revenue at the firm has been declining since 2020.
Scott-Railton said that there are several other companies that could easily take NSO's place, given the lucrative nature of the work.
“If NSO Group goes bankrupt tomorrow, there are other companies, perhaps seeded with US venture capital, that will attempt to step in to fill the gap. As long as US investors see the mercenary spyware industry as a growth market, the US financial sector is poised to turbocharge the problem and set fire to our collective cybersecurity and privacy.”
A host of spyware firms have proliferated in recent years. Earlier this month, Avast Threat Labs, a global cybersecurity company, attributed a new series of attacks on journalists in the Middle East to the Tel Aviv-based spyware vendor commonly known as Candiru.
Candiru was sanctioned in November 2021 by the US Commerce Department for engaging in activities contrary to US national security.
Last year online security firm ESET revealed that Middle East Eye was targeted by the hacking for hire group in April 2020.