Last week, researchers at Citizen Lab uncovered sophisticated new spyware that allowed hackers to take complete control of anyone’s iPhone, turning the phone into a pocket-spy to intercept communications, track movements and harvest personal data. The malicious software, codenamed “Pegasus,” is believed to have been developed by the NSO Group, an Israeli company (whose majority shareholder is a San Francisco based private equity firm) that describes itself as a “leader in cyber warfare” and sells its software — with a price tag of $1 million – primarily to foreign governments. The software apparently took advantage of three previously unknown security flaws in Apple’s iOS software, and was described by experts as “the most sophisticated” ever seen on the market. Apple quickly released a patch of its software, iOS 9.3.5, and urged users to download it immediately.
Citizen Lab learned about Pegasus from Ahmed Mansoor, a UAE human rights activist, who received text messages baiting him to click on a link to discover “new secrets about the torture” of Emirati prisoners. Mr. Mansoor had been prey to hackers before, so he contacted Citizen Lab. When researchers tested the link, they discovered software had been remotely implanted onto the phone, and brought in Lookout, a mobile security firm, to reverse-engineer the spyware. Citizen Lab later identified the same software as having been used to track a Mexican journalist whose writings have criticized Mexico’s President. Citizen Lab and Lookout also determined that Pegasus could have been used across Turkey, Israel, Thailand, Qatar, Kenya, Uzbekistan, Mozambique, Morocco, Yemen, Hungary, Saudi Arabia, Nigeria, and Bahrain, based on domains registered by NSO.
NSO Group, the architect of Pegasus, claims to provide “authorized governments with technology that helps them combat terror and crime,” insisting that its products are only used in lawful ways., NSO spokesperson Zamir Dahbash told reporters that the company “fully complies with strict export control laws and regulations.” The Citizen Lab researcher who disassembled the malicious program, however, compared it to “defusing a bomb.” All of which raises the question – what laws or regulations govern the export of cyber-weapons by an Israeli firm (likely controlled by U.S. investors) to foreign governments around the world?
Cyber weapons are becoming increasingly interchangeable with traditional weapons. Governments (or terrorists) no longer need bombs or missiles to inflict large-scale destruction, such as taking down a power grid, since such attacks can now be conducted from anywhere there is a computer. Do export controls – which have long been used as foreign policy and national security tools, and which would regulate the transfer of traditional weapons – play any real role in regulating the transfer of weapons of cyber-surveillance or destruction? In fact, the legal framework underlying current export controls has not caught up (and maybe never will) to the capabilities of technological tools used in cyberwarfare. Proposals to regulate malware have been met with resistance from the technology industry because malware technology is often dual-use and the practical implications of requiring licenses would impede technological innovation and business activities in drastic ways.
The Wassenaar Arrangement
The Wassenaar Arrangement (WA) was established in 1996 as a multilateral nonproliferation regime to promote regional security and stability through greater transparency and responsibility in the transfer of arms and sensitive technologies. The United States is a member. Israel is not, but has aligned its export controls with Wassennaar lists.
In December 2013, the list of export controlled technologies under WA was amended to include commercial surveillance software, largely to curb human rights abuses by repressive governments’ use of spyware on citizens. Earlier this year, the Department of Commerce issued recommendations that the definition of “intrusion software” in the WA be modified to encompass the concept of “authorization” so that malware such as Pegasus, in which the user does not truly understand the nature of the consequences, would be controlled. Those proposals have not been implemented.
U.S. Export Controls of Malware
In 2015, following data breaches at the Officer of Personnel Management and several private companies, the Department of Commerce published proposed rules to harmonize concepts embedded in the WA into the U.S. regulatory framework for export controls. One critical proposal was a definition of “intrusion software” to require a license for the export and use of malware tools. But the definition covered much more than malware. Cybersecurity experts were alarmed by the rule’s over-inclusive and vague language. The rules would have impeded critical business activities, stifled international research and cross-border exchanges of technology, and hindered response to cyber threats.
NSO Group has been described by researchers as “incredibly committed to stealth, and reportedly has close partnerships with other Israeli surveillance firms that seek to sell spyware, suggesting an inevitable increase in cyber mayhem. As malware becomes more sophisticated, widespread, and threatening, the need for strictly tailored export controls is not going to go away.
Regulating software is challenging at least in part, because there is no workable legal definition of what constitutes a cyber weapon. Because malware is largely dual-use, the only way to determine whether particular software constitutes a cyber weapon is retroactively. If software has been used as a weapon, it is considered a cyber weapon. But that definition arrives far too late to control the dissemination of the code. Moreover, controlling components of that software would likely be over-inclusive, since the same code that can exploit flaws to break in to devices can also have benign uses, such as detecting vulnerabilities to help manufacturers like Apple learn what needs patching. Another challenge is that requiring export licenses can take months, which, in the fast-moving tech world is as good as denial.
The revelation of the Pegasus iPhone spyware highlights questions that have perplexed national security and export control experts in recent years. As the use and sophistication of malware continue their explosive growth, not only must individuals and governments face the chilling realities of cyber warfare, but regulators must quickly understand the technological issues, address the risks, and work with the cyber security and technological communities to find a path forward.