Tech Alone Won't Defeat Advanced Spyware, US Congress ToldMore US Government Action Needed to Fight the Likes of NSO Group
Technical remedies alone will fail to stop the rising proliferation of advanced spyware, members of the U.S. House Intelligence Committee heard today.
Once only a handful of companies worldwide specialized in mobile device malware sophisticated enough to get around security protections built by Apple and Google, said John Scott-Railton, a senior researcher at The Citizen Lab, while testifying before a panel dedicated to threats posed by foreign commercial spyware.
Now "it's totally out of control," he said.
What's needed to stop the wave of advanced spyware, said Scott-Railton, is more government intervention, since there's no way the advent of spyware technology can be undone.
"There is a powerful host of tools, both legislative and in terms of empowering the intelligence community, to disrupt and degrade the capabilities of problem actors," he said.
Google parent Alphabet is aware of more than 30 such vendors worldwide, said Shane Huntley, senior director of the company's Threat Analysis Group. The industry is "unfortunately thriving," he said. The most advanced firms, including Israel-based NSO Group, are capable of infecting a smartphone without the user having to click on a malicious link - forcing defenders to take potentially extreme measures to make devices less vulnerable (see: Apple Lockdown Mode Aims to Prevent State-Sponsored Spyware).
Although putatively intended to track criminals and terrorists, spyware has turned up on the smartphones of journalists, activists and even high-ranking government officials.
U.S. diplomats stationed in Uganda are reportedly among the victims, leading committee Chairman Adam Schiff to warn that other American officials are at risk.
"It is my belief that we are very likely looking at the tip of the iceberg, and that other U.S. government personnel have had their devices compromised, whether by a nation-state using NSO's services or tools offered by one of its lesser known but equally potent competitors," said Schiff, a California Democrat. The United States "must put a greater emphasis on this threat," he added.
Late last year, the federal government added NSO Group and Candiru, also based in Israel, to the Department of Commerce blacklist of companies subject to technology export licensing requirements.
That sent a strong signal to investors, Scott-Railton said, leading credit rating services to warn that NSO Group was in danger of defaulting on its debt. "The company now appears to be in a tailspin."
Britain's The Guardian newspaper earlier this month reported a U.S. defense contractor had broken off talks to acquire NSO after the White House voiced opposition.
The blacklisting should be a first step, Scott-Railton said. Among his recommendations: that the U.S. apply diplomatic pressure to countries offering safe havens to the spyware industry and that the intelligence community counter and disrupt spyware companies.
Just days ago, the committee forwarded to the House floor its annual authorization bill containing some provisions regarding spyware. If those provisions become law, the president would be able to freeze the assets of foreign spyware companies and individuals who materially support them.
The bill would permit the Director of National Intelligence to prohibit intelligence agencies such as the CIA from purchasing foreign spyware or doing business with American companies that supply spyware coded by foreign commercial firms.
Also testifying before the panel was Carine Kanimba, a U.S. citizen targeted with NSO spyware by the government of Rwanda. "I am frightened by what the Rwandan government will do to me and my family next. It keeps me awake that they knew everything I was doing, where I was, who I was speaking with, my private thoughts and actions, at any moment they wanted," she said.
Kanimba advocates for the release of her father, Paul Rusesabagina, who sheltered refugees during the 1994 Rwandan genocide and is now in a Kigali cell for alleged ties to armed groups.