Even James Bond at his most devious would have had a hard job competing with the spying prowess of Pegasus. As the FT revealed this week, this surveillance technology developed by the Israeli company NSO has been used to scour sensitive data from a target’s smartphone from halfway around the world.
By exploiting a vulnerability in WhatsApp, NSO’s tool was able to access a smartphone user’s messages and location and to turn on their microphone and camera just by calling their number. The target did not even need to answer.
The sophistication of this latest hacking tool startled many in the security industry. Human rights activists, against whom it was sometimes targeted, were horrified. WhatsApp quickly fixed the flaw, urged its 1.5bn users to update their app, and worked with civil society groups to minimise the harm. Even NSO’s shareholders professed concern and promised to tighten procedures.
But while the dogs bark, the cyber-caravan will almost certainly move on. There is now a big and growing market for exploiting the vulnerabilities of our digital devices and some very smart — and sometimes unscrupulous — players capable of supplying it. Malcolm Taylor, director of cyber security at ITC Secure, describes what is happening as the “privatisation of state-level capabilities”.
What is unusual in the Pegasus case is that governments themselves, rather than criminals, are fuelling this market demand. Not every country’s security service has the cyber capabilities of the US or China. So NSO has made money by selling its spyware to 45 governments, including 21 in the EU.
John Scott-Railton, senior researcher at Citizen Lab at the University of Toronto’s Munk School, says the full scope of cyber-espionage was exposed in 2013 by Edward Snowden, the NSA contractor turned whistleblower: “After Snowden every government said ‘why don’t we have this?’ A small marketplace grew into a very big marketplace.”
Of course, governments have legitimate reasons to use smart surveillance tools. We expect those in power to protect us from terrorists, organised crime, and child pornography rings. But we do not want them to turn such technology against the wife of a murdered journalist and anti-corruption campaigners, as has happened in some countries.
The Israeli company says it has declined business from odious regimes and its sales are licensed by Israeli security officials. A spokesperson for Novalpina, an NSO shareholder, expressed support, saying: “It is unthinkable that those charged with protecting us from terrorism and serious crime should not have the tools to counter the use of encrypted communications by terrorists and criminals.” Nevertheless, Saudi Arabia and Mexico have allegedly used their services to target political opponents. Victims are now pursuing legal claims against NSO in Israel.
Even in law-based, western democracies, the spookier ends of government do not always consider the broader interests of society. For example, few spy agencies are likely to alert tech companies to vulnerabilities they can usefully exploit and will even build so-called backdoors to access data themselves, at the risk of leaving millions of users open to cyber attack. In this respect, governments are the frenemies of civil society, protecting us from exploitation while also leaving us vulnerable — and unlikely to back international regulation.
One way of making life tougher for companies such as NSO is to address market failures. Historically, governments have deterred traders of bad goods, such as sellers of conflict diamonds or clothes made by child labour, by fining or jailing them. There are no signs that Israel is going to pursue that route. NSO was operating openly and legally and Israel sees its cyber security companies as significant assets in its covert diplomatic outreach to countries such as Saudi Arabia and the United Arab Emirates.
An alternative remedy is to change those market dynamics, rewarding good behaviour over bad. For years, tech companies have paid millions to “white hat” hackers to find the flaws in their software before criminal “black hat” hackers can exploit them.
Microsoft, Google, Apple, Tesla and Facebook all run such schemes, known as “bug bounty”. This has created a small industry of ethical hackers and encouraged the launch of start-ups, such as HackerOne and Bugcrowd. In 2016, HackerOne ran the first Hack the Pentagon event, at which 1,410 white hat hackers identified 200 vulnerabilities within six hours.
If the tech companies want to show how seriously they take cyber threats, they should invest more in bug bounty programs. Maybe they should even buy NSO and use its brilliant engineers to fix, rather than exploit, bugs. At the very least, this would drive up the cost of spyware and reduce demand.
Other levers can be pulled in democracies, too. Campaigners are building public pressure for tougher regulations, tighter international protocols as used to restrict the arms trade, and more responsible corporate practices.
A London-based human rights lawyer who has been targeted by hackers says we must wake up to the dangers posed to all of society and militate for change. “We should put pressure on these companies to force them to take human rights seriously. It is not just a matter of a loss of privacy. Some people who were targeted, or people related to them, ended up dead.”
The writer is the FT’s innovation editor