US, Allies to Tighten Export Controls on Cyber ToolsInitiative Draws European Support, Follows NSO Group Spyware Developments
The Biden administration has announced that the U.S. and several allies have aligned to create stricter criteria around the export of certain offensive cyber tools, particularly those that end up in the hands of authoritarian regimes.
The Export Controls and Human Rights Initiative - announced as part of President Joe Biden's inaugural, two-day Summit for Democracy with leaders from 110 countries - comes on the heels of a discovery earlier this month that the flagship spyware of sanctioned Israeli firm NSO Group was detected on at least nine Apple iPhones belonging to U.S. State Department officials. The latter were located in Uganda or were working on Ugandan issues (see: Report: NSO Group Spyware Found on State Department Phones).
In November, the U.S. Department of Commerce blacklisted NSO Group and fellow Israeli spyware provider Candiru after they allegedly supplied their software to foreign governments that in turn "maliciously targeted" government officials, journalists, businesspeople, activists and academics. The Commerce Department's Bureau of Industry and Security, which issued the final rule, said the companies "threatened the privacy and security of individuals and organizations worldwide." Those on the Entity List cannot purchase U.S. technologies or goods without a special license.
'Serious Human Rights Abuses'
The new initiative, issued jointly with the governments of Australia, Denmark and Norway, recognizes that "authoritarian governments increasingly are using surveillance tools and other related technologies in connection with serious human rights abuses, both within their countries and across international borders, including in acts of transnational repression to censor political opposition and track dissidents." Officials say such risks defeat the benefits of the advanced technologies.
Participating nations say that now, in consultation with industry and academia, they will establish a voluntary, nonbinding written code of conduct to use export controls to prevent the proliferation of software used to enable human rights abuses.
Canada, France, the Netherlands and the U.K. have expressed support for the initiative, according to the White House statement.
"[Cybercrime] comes in multiple forms and arguably the most concerning of which is when it is used to undermine human rights," says Lisa Plaggemier, interim executive director of the National Cybersecurity Alliance. "[This initiative has] a very real impact on shifting the narrative around cybercrime and shining a new light on how nation-states are using cybercrime - sometimes towards their own people."
Building Policy Alignment
In a fact sheet on the initiative, U.S. officials continue: "Too often, cyber intrusion, surveillance, and other dual-use technologies are misused to stifle dissent; harass human rights defenders; intimidate minority communities; discourage whistle-blowers; chill free expression; target political opponents, journalists, and lawyers; or interfere arbitrarily or unlawfully with privacy."
Atop the voluntary code of conduct, officials say the initiative will:
- Help build policy alignment with like-minded partners;
- Help unify policymakers, technical experts, and export control and human rights practitioners;
- Work to strengthen domestic legal frameworks, share threat information, implement best practices and assist others with building capacity.
Cybersecurity experts say this effort could be effective in reducing the offensive cyber-tool market.
"It's easy to write this off as just optics, however, it really is more than that," says Jake Williams, a former member of the National Security Agency's elite hacking team. "When many countries, especially major players, come together to discuss norms for allowing offensive cyber tool exports, that has a … significant impact."
Williams, who serves as co-founder and CTO at the security firm BreachQuest, also says," While I don't believe this will limit the use of spyware by authoritarian regimes, it targets the problem at the source. As the supply of offensive tools becomes more limited, it will be harder for authoritarian regimes to obtain government-grade spyware tools in the first place."
And NCA's Plaggemier says, "This agreement provides additional evidence that the Biden administration is serious when it comes to saying it promises to forge more international partnerships and collaboration in the cybersecurity world."
Others believe the impact may be minimal.
"The likelihood of these new restrictions making a tangible difference on how this sector operates is low," says Ross Rustici, a former technical lead for the U.S. Department of Defense and currently the managing director of the advisory firm StoneTurn. "The upside to the market is large, and consequences to selling these tools to date have been negligible for those who operate in this space."
NSO Group Allegations
Last week, Amnesty International's Security Lab reported that at least four activists "who are critical of their government" in Kazakhstan were infected with NSO Group's spyware, according to Israeli newspaper Haaretz.
Three of the four officials reportedly received a warning from Apple in November that their iPhones had been tampered with by a "state-sponsored attacker," according to the same report. The spyware can allow clients to obtain remote access on target phones, though the firm maintains that it's designed for legitimate use among law enforcement and intelligence agencies.
On the Kazakhstan developments, an NSO spokesperson told the Israeli newspaper that it "cannot refer to an alleged report we have not seen."
During the summer, an international consortium of journalists investigated a leak of approximately 50,000 potential targets, including high-ranking officials, for possible surveillance by those leveraging Pegasus, the NSO spyware. It's unclear, however, if any campaigns were mounted against them.
The Israeli Ministry of Defense has reportedly reduced the number of nations to which its companies can export spyware from 102 to 37 - a move that reportedly eliminates previous client countries (see: Report: NSO Group Spyware Found on State Department Phones).