Lawmakers want to make mercenary spyware a riskier investment

The spread of sophisticated commercial spyware may be impossible to stop, researchers told U.S. lawmakers in testimony Wednesday during a hearing on private vendors of digital surveillance tools. However, one way to slow the trade of such tools to governments and other buyers who may use them to abuse human rights, they argued, is to make it less lucrative.

For years, civil society and private sector researchers have raised the alarm about increasingly sophisticated surveillance tools offering capabilities once only available to a handful of well-funded intelligence agencies as essentially plug-and-play operations for any government willing to pay for them. 

Lawmakers have taken notice.

“This spyware could be used against every Member of this committee, every employee of the executive branch, every journalist or political activist,” House Intelligence Committee Chairman Adam Schiff (D-CA), said in opening remarks. “And aside from periodically updating the software on our devices, there’s little you can currently do to protect yourself from being targeted and compromised.”

The threat is likely to continue to trickle down, experts warned. 

“I see the threat of proliferation here as inevitable,” John Scott-Railton, a longtime researcher at University of Toronto’s Citizen Lab, said in testimony before the Committee. That proliferation will extend to “non-state actors” like transnational criminal groups — perhaps including those currently perpetrating ransomware attacks, he added. 

Making this market less profitable, Scott-Railton said, was one way Congress could fight back: 

“Right now, doing business with the federal government, getting acquired by a US company, or even doing business with an American police department, is the golden prize for many in the spyware industry – as long as that remains as a possibility for problematic actors, they’re going to get support from investors because that is the prize. If we can chill that, if we can make it clear that the door closes then we can accomplish a lot.”

Lawmakers are already pushing for some economic blowback.  

Last week, the House Intelligence Committee passed a version of the The Intelligence Authorization Act for Fiscal Year 2023 with new provisions aimed at the mercenary spyware market, including authority for the Director of National Intelligence to bar contracting with foreign firms who sell such tech and for the President to place sanctions on firms selling spyware used to target U.S. officials. 

Ranking member Congressman Michael Turner (R-OH) referenced the Committee’s recent votes in his opening remarks, noting the “growing counterintelligence concerns about the potential targeting of U.S. citizens” by mercenary spyware tools. 

Last November, the Biden administration announced sanctions against four vendors of surveillance tools sold to foreign governments, including NSO Group — the Israel-based makers of the Pegasus spyware. That spyware was used to target U.S. officials in Uganda last year, Reuters reported.

In response to questions from Democratic Congressman Jim Himes (D-CT), Scott-Railton noted that NSO Group received investment from the Oregon Public Employee Retirement System Oregon-PERS and the Alaska Permanent Fund Corporation via the private equity firm Novalpina Capital and suggested more substantial financial crackdowns. 

“I think some investors have gotten into this without fully understanding what’s going on – without fully doing due diligence,” Scott-Railton said, adding that it was hard to track the funding for the groups, but in some cases included U.S. based venture-capital firms. 

Himes requested further information about known Western investors of commercial spyware vendors from Scott-Railton and expressed dismay that companies would leverage the contract structures enabled by rule of law to “invest in a company that might end that rule of law.” 

(Oregon-PERS referred The Record to the State Treasury for comment, which did not respond to an inquiry about the testimony and investment status by press time. The Alaska Permanent Fund Corporation also did not respond to a request for comment.)

In the hearing, Alphabet Threat Analysis Group senior director Shane Huntley urged lawmakers to consider additional action, including a full ban on federal procurement of commercial spyware tools and further sanctions — including on investment. 

His team is tracking more than thirty commercial spyware vendors, Huntley said. 

Microsoft submitted written testimony to the committee that included support for additional efforts to identify spyware vendors and subject them to economic penalties. The tech giant also announced Wednesday the disruption of a private sector spyware operation it dubbed Knotweed, which was “targeting law firms, banks and strategic consultancies in countries such as Austria, the United Kingdom and Panama.”