US lawmakers call for probe into ‘arrogant’ spyware firm

US representatives have called on the Biden administration to launch an urgent probe into NSO Group, the Israeli spyware manufacturer that has found itself at the centre of a surveillance scandal after investigations linked its Pegasus software to illicit spying on politicians, activists and journalists.

In a statement, lawmakers Tom Malinowski of New Jersey, Katie Porter of California, Joaquin Castro of Texas and Anna Eshoo of California, said the revelations about alleged misuse of the Pegasus spyware by authoritarian regimes demonstrated that the “hacking for hire” industry needed to be bought under control.

“Private companies should not be selling sophisticated cyber-intrusion tools on the open market, and the United States should work with its allies to regulate this trade,” they said. “Companies that sell such incredibly sensitive tools to dictatorships are the A.Q. Khans of the cyber world. They should be sanctioned and, if necessary, shut down.”

The representatives said NSO’s persistent denials that it had sold its product to authoritarian governments, that a list of 50,000 alleged targets of Pegasus users had nothing to do with it, and that it had been the victim of a coordinated media campaign against it, were not credible.

They accused the company of showing an “arrogant disregard” for the concerns of elected officials, human rights activists, journalists and cyber security experts.

“The authoritarian governments purchasing spyware from private companies make no distinction between terrorism and peaceful dissent,” the representatives said. “If they say they are using these tools only against terrorists, any rational person should assume they are also using them against journalists and activists, including inside the United States.

“Selling cyber-intrusion technology to governments like Saudi Arabia, Kazakhstan and Rwanda based on assurances of responsible use is like selling guns to the mafia and believing they will only be used for target practice.”

The group is calling on the US government to: call out private companies that sell cyber-intrusion tools to governments with a history of misusing them; enact legislation or executive orders to hold those that sell such tools to authoritarian states accountable; speed up US accession to the Wassenaar Arrangement’s controls on cyber-intrusion tools; consider adding NSO to the US Commerce Department’s Entity List (the same list that Huawei is on) and consider sanctioning its clients under the Global Magnitsky Act; ensure NSO cannot access US investor funding; and investigate the possible targeting of US citizens, including journalists, aid workers and diplomats, with Pegasus software.

In an interview with the BBC, published late last week, an NSO spokesperson told the BBC that if a drunk driver kills someone, they are held responsible, not the manufacturer of the car they were driving, and that attention should instead be paid to its customers, who would not remain customers if they were found to be abusing the Pegasus spyware product.

An NSO spokesperson told Computer Weekly: “NSO has been fully regulated since its first day and strictly follows the defence export law, in addition to its rigorous internal human rights due diligence processes – pre and post-sale.

“NSO welcomes discussions on regulations for its industry, including ones that include obligations to respect human rights.”