House hearing highlights US concerns about Israeli NSO Group spyware
Lawmakers express willingness to withdraw funds from countries that use commercial spyware.
At a House Intelligence Committee hearing on Wednesday, the Committee examined NSO Group, the Israeli tech company responsible for the Pegasus spyware that has been used by governments to spy on activists, journalists, political leaders, and US residents.
The hearing featured testimony from John Scott-Railton, a senior researcher at the University of Toronto's cyber-focused Citizen Lab; Shane Huntley, the head of Google's security unit; and Carine Kanimba, an activist who was targeted with Pegasus while lobbying Rwanda to release her father, activist Paul Rusesabagina.
There was rare bipartisan agreement among senators that malware and its developers represent grave hazards.
In reaction to Kanimba's comments underscoring Rwanda's reliance on US aid and the fact that foreign aid accounts for a large portion of the country's budget, some senators expressed willingness to use funding as leverage over countries that employ spyware.
“We’re doing this because we’re trying to figure out what our response may be, and you gave me an idea,” Rep. Jim Himes (D-CT) said. “It seems to me that the principle of if you attack our people with these surveillance tools… maybe not just our people, but civilians or anyone else, you will not get one red cent from the American taxpayer.”
Google's Huntley pushed federal officials to work to demonize organizations like NSO.
“Drawing attention where we can to who we consider these threats are… that sends a lot of message[s],” he said. “I think it is about incentives as well. I think one of the incentives that I’ve been pushing when I’ve been speaking externally is talent. I want to make it so… you really think twice before accepting a job with someone like NSO and you do something more productive with your life.”
Huntley also said he found it “difficult to believe” that NSO does not have access to data collected by its clients, noting the company’s “conflicting claims” that it strictly controls the use of its technology but also has no visibility into its use.
NSO in the US?
NSO, for example, asserts that its software cannot be used on devices located in the United States, although there have been multiple cases in which it has been, notably Kanimba's.
Scott-Railton submitted a number of policy recommendations to the Committee, including urging the US to increase diplomatic pressure on countries that operate as "safe havens" for spyware corporations, such as "Israel".
“When it comes to Israel, they have an export control authority. That authority has authorized many of the sales that have led to these problematic cases, and so I think there too, there is an opportunity for diplomatic engagement and pressure,” he said.
Scott-Railton also asked the US to take steps to combat spyware firms, including prohibiting spyware companies from doing business with the US government or being acquired by US institutions, as well as expanding accountability measures in collaboration with allies.
He also hailed the United States' decision to include NSO on the "entities list" of corporations participating in actions that are contrary to US national security and foreign policy. According to Scott-Railton, this decision has scared off potential NSO investors and put the company in a "tailspin".