On May 1, 2018, the richest man in the world had an apparently friendly WhatsApp conversation with the Saudi Arabian Crown Prince Mohammed bin Salman when an unsolicited file was sent from the Crown Prince's phone.
Data was exfiltrated from the phone of Amazon CEO Jeff Bezos in a matter of hours: a data theft that, according to a United Nations report released earlier this year, was probably triggered by NSO Group's notorious Pegasus mobile spyware.
This one piece of commercial spyware alone has been linked to at least one assassination attempt and multiple human rights violations, including an alleged role in the murder of Washington Post journalist Jamal Khashoggi in 2018; a spear-phishing attack on an Amnesty International employee in June 2018; and action by the Mexican government against prominent human rights lawyers, journalists and anti-corruption activists.
Finally, after years of states using this type of powerful spyware against their rivals and political enemies, the U.S. Congress plans to instruct the Director of National Intelligence (DNI) to keep an eye on the threat this malware poses to the nation, which governments use it, and for what.
John Scott-Railton, a senior researcher at the Citizen Lab, last week discovered a powerful provision included in a draft of the 2021 Intelligence Authorization Act. The Senate bill, which will fund government intelligence operations next year, would require the DNI to report to Congress on the commercial spyware threat. Scott-Railton called it a "clear signal that the Senate is very serious about the threat to national security posed by commercial spyware."
You can read the relevant language in section 503 of the draft Intelligence Authorization Act for fiscal year 2021.
Image: § 503. Source: Intelligence Authorization Act for fiscal year 2021
Researchers at the Citizen Lab, the University of Toronto's cybersecurity research lab, are very familiar with Pegasus and other spyware. They have been following Pegasus for years. In fact, Citizen Lab first revealed Pegasus in August 2016. They also consulted on a New York Times report that found "Mexico's most prominent human rights lawyers, journalists, and anti-corruption activists have been attacked by advanced spyware that has been sold to the Mexican government" by the NSO Group, an Israeli company that claims to have "made an explicit agreement that it should only be used to fight terrorists or drug cartels and criminal groups that have long kidnapped and killed Mexicans".
Scott-Railton said that every major US technology company has been dealing with the threats posed by commercial spyware for years. The same applies to the country's intelligence agencies and elected officials, including the State Department. Now, in a push led by Senator Ron Wyden, "the issue is going to prime time for Congress," said Scott-Railton.
Section 503 would require investigation and reporting on the companies that sell commercial spyware, including whether any of them are US companies. It also seeks details of which spyware buyers, be they foreign governments or other companies, pose the greatest threat to the United States and to government employees at home or abroad.
Who makes it and who uses it? Image: Section 503. Source: Intelligence Authorization Act for fiscal year 2021
Section 503 requires the government to work with technology and telecommunications companies to find out how to improve the security of consumer software and hardware used in the United States: the technology that intrusion and surveillance software targets. It proposes actively countering threat actors with several tools: export controls, diplomatic pressure and trade agreements.
Scott-Railton provided this TL;DR translation:
Commercial spyware has always been a NATSEC threat to the United States. This language helps the government take action.
It's "very bad news for habitually bad actors like the NSO Group and quieter colleagues around the world," he said.
Maybe, but these "habitually bad actors" usually make an enormous amount of money selling this malware. Don't expect them to give up without a fight, Scott-Railton said:
The sound you hear? These are dodgy spyware companies trying to figure out how much more money they have to spend on lobbying, lawyers, and lobbying to mitigate the damage.
Earlier this month, the Senate Select Committee on Intelligence passed the current draft of the authorization bill by a vote of 14 to 1. It will be put to a vote in the full Senate later in the summer.