The U.S. government is putting international spyware companies on notice.
"It's a really big warning to other companies to say, wait a second, if your technology is going to be used in illicit ways by dictators or autocrats or others for harassment, abuses and so forth, you also might be next," Steven Feldstein, a fellow at the Carnegie Endowment, says.
It's put new companies on a list that not only prohibits them from selling their software in the U.S., but also prevents American firms from selling technology to them.
Some of that spyware has also been used to hack U.S. diplomats abroad. But regulating spyware means navigating relationships with a close ally.
"The industry itself is currently unregulated and in its current form, pretty ungovernable. And as a result is starting to create casualties," John Scott-Railton, senior researcher at Citizen Lab, says. "Not just for human rights groups and others, but also to the diplomatic priorities of a close ally. Namely, Israel."
Because that's where the spyware originates.
Today, On Point: Spyware. Accountability. Diplomacy.
Steven Feldstein, senior fellow at the Carnegie Endowment for International Peace. Author of "The Rise of Digital Repression: How Technology is Reshaping Power, Politics, and Resistance." (@SteveJFeldstein)
Yaakov Katz, editor-in-chief of The Jerusalem Post. Author of "Shadow Strike: Inside Israel's Secret Mission to Eliminate Syrian Nuclear Power." (@yaakovkatz)
Transcript: A journalist's account of cyber attack by Pegasus spyware
When cybersecurity is national security, what are the obligations of U.S. allies to protect the U.S. from the threat of cyber attack?
One company newly blacklisted by the Biden administration is called the NSO Group. The company is based in Israel, and reportedly has ties to Israel's legendary intelligence agency Unit 8200, considered equivalent to the NSA here in the U.S.
The NSO Group created the now notorious Pegasus spyware that can be covertly installed on almost any mobile phone. NSO says it sells software to governments, mostly for law enforcement use, to quote 'help them combat terror and crime.'
But the spyware has also been used on human rights activists and journalists. This month, the first known case of Pegasus reportedly used against American officials surfaced in Uganda, where the iPhones of 11 U.S. embassy officials were reportedly hacked.
So what happens when Pegasus spyware worms its way onto a phone?
MEGHNA CHAKRABARTI: Szabolcs Panyi is a Hungarian journalist based in Budapest. In 2019, Panyi was investigating a Russian bank that was relocating to Budapest. The bank may have been a front for Russian intelligence activities. So he was looking into why Hungarian President Viktor Orbán didn't seem to take the potential risk seriously. Though Panyi didn't realize it at the time, he now knows the exact day his phone was hacked.
SZABOLCS PANYI: It was 2019, I think April 4th. And on April 6th I was having a meeting with an American journalist who came to Hungary to investigate the very same institution. It's called the International Investment Bank. And I was having a meeting with this American journalist in Budapest. And on that day, Pegasus was again activated on my phone. And later we also found out that the Hungarian fixer, a photojournalist working for this American reporter ... that the fixer's phone number was also targeted with the Pegasus spyware.
PANYI: By 2019, Pegasus was equipped with what they call a zero-click attack. Meaning that I was not even aware that the spyware has targeted and infiltrated my phone. There were different attacks. One came through iMessage. And basically what happened is that there was either a call or a message coming through iMessage that instantly deleted itself. So, I was not even aware of this contact. But it was enough for the attackers to plant certain files on my phone. My phone was not slower than usual. The battery was not draining faster than usual, so I had no knowledge of this.
PANYI: In a seven-month period, those surveilling me were hacking into my phone multiple times every other week, every other month. And they could have possibly accessed everything on my phone, even my Signal and WhatsApp messages, my calendars, my emails, photos, videos, everything. I was told that basically my whole life — which is, of course, on my phone, as with anyone else — that my whole life was like an open book.
CHAKRABARTI: Panyi did not know he'd been hacked until earlier this year. He was in his newsroom when he got a call from two well-known German investigative reporters. Bastian Obermayer and Frederik Obermaier are the Pulitzer Prize-winning reporters at the heart of the Panama Papers, a series of stories that exposed the dark global system of financial offshoring. They'd been leaked another database, this one with thousands of telephone numbers that had been the target for hacking by the Pegasus spyware.
CHAKRABARTI: The numbers included 14 heads of state, including French President Emmanuel Macron and Pakistan's Prime Minister Imran Khan. There were hundreds of journalists phone numbers, too. Among them, Panyi's. Later on, Amnesty International analyzed his phone and confirmed that it had been infected with Pegasus spyware.
PANYI: My whole year in 2021 was mostly about Pegasus, and I'm still working on stories of other targets. Try to identify other people who were illegally surveilled. And you know, the biggest concern is how? How can I protect my sources after this? And that's the biggest problem because, of course, my privacy was invaded very brutally with this software. But also my right to protect my sources has been infringed.
CHAKRABARTI: Let's recall, Panyi had been investigating Hungarian President Viktor Orbán's lack of urgency around the risks of a Russian bank that had links to Russian intelligence relocating to Budapest. NSO Group, the makers of the Pegasus spyware, has done business with more than three dozen governments around the world. Among them, the Hungarian government. A senior official has admitted that they have purchased Pegasus from the NSO Group.
PANYI: And that's the most concerning. Because those people who risk the most are those who provide us with sensitive information about corruption, and other types of wrongdoings, abuses of power. And if they cannot trust us, if they cannot trust that what they tell us won't get them into trouble, then they will just stop contacting journalists and stop leaking this type of information.
PANYI: So, the chilling effect is real. And I already experienced that, some people just don't want to sit down with me. Some sources that were willing to talk are now just absent, and they just disappeared. But that's life, at least Hungary is still an EU member state ... although a failing one. But the red line of using force against journalists or physically threatening journalists, it has not been crossed yet. So I think I'm lucky.
From The Reading List
Carnegie Endowment: "Governments Are Using Spyware on Citizens. Can They Be Stopped?" — "The Washington Post has started running an investigative series, called the Pegasus Project, that describes the expanded use of digital surveillance by governments worldwide."
This program aired on December 10, 2021.