MEPC 40 Under 40 Honoree and Senior Policy Advisor to Third Way’s National Security Program Mike Sexton outlines the threats posed by Middle Eastern Spyware companies, the benefits of regulation, and potential impacts on geopolitical relations in this Expert Explanations.
Q: Many hacking tool companies such as the NSO Group, Candiru, and DarkMatter are located in the Middle East. What are these technologies capable of?
A: NSO, Candiru, and DarkMatter sell remote hacking software, often called “spyware.” This is a computer program, not a physical tool. If this software were developed by criminals instead of registered companies, it would be referred to as “malware;” however, it is functionally no different. These programs can access all the same data as Cellebrite’s Universal Forensics Extraction Device (UFED), in addition to monitoring the device’s usage, camera, and microphone surreptitiously in real-time. The specifications are shrouded in secrecy to the general public. Sometimes these tools require tricking the device owner to open an attachment or click a link; often they do not. NSO’s flagship tool, Pegasus, is even capable of monitoring the target device’s battery and modulating its own data extraction to avoid draining the battery and possibly tipping off the targeted user.
Q: How are these hacking technologies a threat to United States citizens? How are they a threat to the larger U.S. government?
A: These hacking technologies are directly a threat, at least hypothetically, to U.S. citizens who may be spied on by a foreign government. NSO Group maintains that Pegasus cannot be used against U.S. phone numbers, but it has been used against U.S. citizens and government employees with foreign numbers in Lebanon and Uganda. It has also been used to spy on known associates of Jamal Khashoggi, who at the time was using a U.S. phone number, thus obliquely surveilling him in turn. There is overwhelming forensic evidence that Amazon founder Jeff Bezos was targeted by this kind of spyware technology in May 2018, although its exact provenance is not entirely clear.
The U.S. government, as a major customer of commonly available ICT (Information and Communication Technology) products, is about as vulnerable to these tools as private individuals. NSO Group’s Pegasus spyware has been used against U.S. Embassy staff in Uganda.
Q: Do these companies present regional threats within the Middle East?
A: These companies have actually stabilized and warmed relations in the Middle East, in particular between Israel and regional governments like Saudi Arabia, Morocco, and the UAE. Under the Netanyahu administration in Israel, this industry was treated as a diplomatic asset and the Israeli Ministry of Defense largely did not account for human rights concerns in its export licensing decision-making process. As the Biden administration in the U.S. has applied greater scrutiny to this issue, the Bennett administration in Israel has taken a more disinterested stance, declining to defend the companies in question (NSO Group and Candiru).
Q: Are they primarily used by governments, nongovernmental groups/terrorists, or individuals?
A: These tools are used exclusively by governments, though in Mexico there have been documented cases where government corruption seems to have resulted in the tools’ apparent use in service of private corporate interests.
Q: Is there a possibility for the United States to regulate this industry? What would be the benefits of this?
A: The United States has partly regulated the industry through the Wassenaar Arrangement amendments regulating the export of offensive cyber technology. The Biden administration has furthermore blacklisted four firms abroad developing these tools. These are important first steps.
The U.S.’ track record in this sector, however, has been inconsistent and created substantial legal gray areas. Soon after 9/11, the U.S. government facilitated the sale of hacking tools from ex-NSA staff to the UAE through the private firm CyberPoint International. While this export agreement was licensed, approved, and overseen by the U.S. government, the UAE eventually sought greater autonomy for its cyber intelligence unit and established its own private firm – DarkMatter – to undertake the same mission untethered by U.S. law. CyberPoint staff in the UAE were given the option to either continue the mission at DarkMatter or leave the country. Of those who joined DarkMatter, three were later indicted by the Department of Justice for inappropriately proliferating hacking skills developed in a classified environment. They came to an extraordinary deferred prosecution agreement, which will prevent their conviction as long as they abide by several precepts. This is most likely in consideration of the unusual and unique circumstances of their actions.
Greater regulation of this space in the U.S. could counteract the historical tendency of this technology to be used in violation of human rights. It can give American law enforcement and intelligence the tools needed to circumvent encryption and carry out investigations effectively without enabling human rights abuses abroad. Regulatory clarity could encourage responsible investment in this industry while constraining it ethically.
Q: How would you suggest this regulation look in practice?
Permit American-registered companies to apply for hacking tool export licenses, akin to CyberPoint’s initial agreement. Criminalize working directly for foreign firms in this space, like DarkMatter, with higher penalties for former intelligence community employees.
Explicitly incorporate human rights into the decision-making methodology for this licensing regime, and give Congress oversight of the governments exported to.
Undertake randomized audits of targeted individuals by foreign governments through the FISA courts, including the justification for targeting. Investigate countries discovered to be employing surveillance tools against inappropriate targets, with violations risking the revocation of export licenses.
Give the Vulnerabilities Equities Process oversight of the software vulnerabilities held by these firms.
Q: How would regulations on these companies impact U.S.-Middle East relations?
A: These regulations would put some strain on relations between the U.S., Israel, and Arab partners, but most likely would not complicate relations more than the U.S.’ human rights agenda historically has in the region.
Q: If the U.S. were to implement regulations, how would intra-regional conflicts be impacted?
A: Relative to existing governance issues and sociopolitical cleavages in the Middle East, my prediction is that the impact of these policies on intra-region conflict and relationships would be minimal.