Pages

10 August 2023

Biden Cracks Down on the Spyware Scourge

Steven Feldstein


On July 18, the U.S. Commerce Department added two European commercial spyware firms—Cytrox and Intellexa—to its export controls blacklist due to privacy violations and other rights abuses. Both entities are controlled by former Israeli intelligence officer Tal Dilian and registered in multiple European jurisdictions, including Greece, Hungary, Ireland, and North Macedonia. They have been implicated in a variety of wrongdoings, including a major scandal in Greece, where Cytrox’s Predator software was used to hack journalists’ and opposition politicians’ phones.

The blacklisting is not a one-off. In fact, it represents a continuing effort by the U.S. government to curb the commercial spyware industry. The designation of the two companies is the first major initiative on spyware since U.S. President Joe Biden signed an executive order in March that limits federal agencies’ use of commercial spyware, and it sends a clear message that selling high-grade surveillance products to abusive governments will have consequences. Cytrox and Intellexa’s designation on the entity list imposes severe licensing requirements on the companies, effectively banning them from transactions with U.S. companies and accessing the U.S. market.

Getting to this point has been a struggle. The global spyware industry is a lucrative business; both governments and private actors have shown an insatiable appetite for targeted surveillance products. According to my research, at least 74 governments around the world have contracted with commercial firms to acquire spyware or data extraction technology.

The web of companies supplying these products is diverse. Although Israeli companies dominate the global export of spyware, European and U.S. companies are active market participants as well. Companies at the top end of the spyware market—such as Cytrox, Intellexa, and NSO Group, the Israeli market leader under U.S. sanctions since 2021—offer cutting-edge tools, including so-called zero-click hacks. These are malware programs that infiltrate devices without the user having to take any action to allow it in, such as opening an email or clicking on a bad link.

Although many of the abuses are linked to authoritarian regimes, such as the Saudi and Emirati governments’ reported use of NSO’s Pegasus malware to track the journalist Jamal Khashoggi before his assassination, democracies do not have clean hands, either. European countries such as Cyprus, Greece, and Spain have deployed spyware against civil society, independent journalists, and opposition politicians, as have illiberal democracies such as Hungary.

That is why U.S. leadership in reining in the spyware industry is such welcome news. Quite simply, few other countries have shown much interest in taking on commercial spyware firms, despite a parade of public scandals revealing major rights violations. The Biden administration started pursuing a measured strategy against spyware violators in 2021, when the Commerce Department put four spyware firms in Israel, Russia, and Singapore on its list of sanctioned entities, including NSO. Then, Biden signed the executive order in March of this year. In parallel, the United States also signed a joint declaration with 10 other countries against the misuse of spyware and establishing procedures to counter malicious cyberactivities. With this month’s blacklisting, the White House is sending another signal that it means business when it comes to reining in spyware abuses.

Yet for Washington’s actions to truly make a dent in the commercial spyware market, it needs other countries to join the fight—starting with Europe. It shouldn’t come as a surprise that the two penalized spyware firms are based there. While most European countries have tough rules on the books to regulate spyware, enforcement has been lax. My research shows that a number of European spyware firms sell intrusive surveillance technology in their home markets and overseas, including Italy’s Memento Labs and Tykelab/RCS Lab, as well as Austria’s DSIRF. Moreover, European governments continue to deploy spyware to unlawfully surveil their citizens. This includes a major scandal in Spain targeting Catalan independence leaders and politicians, as well as reported abuses by Hungarian and Polish authorities. In a draft report submitted by Sophie in ‘t Veld, rapporteur for the European Parliament’s Committee of Inquiry to investigate the use of Pegasus and other spyware (PEGA), she writes that “the abuse of spyware is a severe violation of all the values of the European Union, and it is testing the resilience of the democratic rule of law in Europe.”

So what can be done? First, the European Commission could do far more to address the spyware problem within the EU. Currently, the European Parliament is the only pan-European institution tackling this problem, but it lacks executive power and faces roadblocks at every turn. Very little will change unless the EU undertakes a more serious institutional push to break through obstructionism by EU member states. The commission has so far refrained from pressuring member governments to tighten their policies, highlighting Brussels’s limited ability or interest in fighting the problem. It would make a big difference if the commission sent a clear signal that cracking down on spyware is a priority. There is little reason the EU could not take steps similar to those implemented by the United States.

Second, democracies can be far more stringent when it comes to curbing their own use of spyware. Despite public scandals, democratic governments continue to show interest in acquiring intrusive surveillance tools. A good example is India: Just three days after Biden signed his March executive order on spyware, the Financial Times reported that Modi’s government had released a $120 million bid for new spyware contracts. Notably, Indian officials were concerned about the “PR problem” from NSO’s Pegasus and were looking for alternative companies from which to purchase surveillance capabilities. While preventing autocratic leaders from obtaining spyware is a formidable challenge, there are far fewer excuses for democratic governments to be using these tools, whether that’s in Greece, India, Mexico, or Spain. Citizens in democracies should demand better behavior out of their governments, especially when it comes to unlawfully deploying surveillance tools against journalists and civil society. Also needed is diplomatic pressure against culpable governments. In the case of Intellexa and Cytrox, the United States and its partners may not have significant leverage to wield against Hungary, where one of the Cytrox companies is based, but pressure could be exerted against other countries hosting these firms and their various entities. Already, there are reports that in response to Intellexa’s listing, the company’s Irish auditor has resigned.

Third, it is important not to overlook the Israel angle. Many notorious spyware firms are connected to Israel’s security establishment. Dilian, for example, cut his teeth working as a commander for the Israeli Defense Forces’ Unit 81, a crucible of advanced military technology responsible for developing intelligence products for special operations units and other defense agencies. Israel is a major hub and protector of the spyware industry. When other countries attempt to probe Israeli firms, they are often stonewalled. In July, a Spanish judge investigating the alleged hacking of ministers’ phones with Pegasus spyware was forced to close the court’s inquiry “due to the complete lack of legal cooperation from Israel.” There is no reason the Israeli government cannot follow the United States’ lead and enforce more stringent standards on non-military applications, rein in exports, and crack down on unaccountable companies. Israeli Prime Minister Benjamin Netanyahu’s upcoming visit to the White House is a good opportunity for U.S. officials to have a candid conversation about regulating abusive surveillance practices and the next steps each country can take.

No comments:

Post a Comment