Updated The US government's Dept of Commerce on Wednesday sanctioned four companies in Israel, Russia, and Singapore for selling software used to break into computer systems and by foreign governments to suppress dissent.
The department's Bureau of Industry and Security (BIS) added Israel-based firms NSO Group and Candiru to its Entity List "based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers."
BIS also added Russia-based Positive Technologies, sanctioned in April for selling weaponized software to Russia, and Singapore-based Computer Security Initiative Consultancy Pte Ltd (COSEINC) for offering software used "to gain unauthorized access to information systems."
“The United States is committed to aggressively using export controls to hold companies accountable that develop, traffic, or use technologies to conduct malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials, and organizations here and abroad," said US Secretary of Commerce Gina Raimondo in a statement.
The Commerce Department attributed the decision to sanction the four companies to the Biden-Harris administration's commitment to put human rights at the center of US foreign policy.
- India's Supreme Court starts probe into use of Pegasus spyware
- Uncle Sam to clip wings of Pegasus-like spyware – sorry, 'intrusion software' – with proposed export controls
- Russia-based criminals are still the UK's number 1 cyber-foe, NSO Group's wares a 'red flag' says NCSC chief
- NSO Group's Pegasus malware was used to spy on Dubai princess's lawyers during child custody dispute
Inclusion on the Entity List disallows the export of hardware and software in the US to named organizations or individuals unless approved by the Commerce Department. US companies may still do business with named entities, but such transactions are frowned upon: "BIS considers that transactions of any nature with listed entities carry a 'red flag' and recommends that US companies proceed with caution with respect to such transactions," the Commerce Department explains.
The decision to sanction the four firms follows from export controls outlined last month by the Commerce Department to adopt rules consistent with the 1996 Wassenaar Arrangement, an international arms control agreement that extends to "intrusion software."
Positive Technologies, Candiru, and COSEINC did not immediately respond to requests for comment. El Reg's Gareth Corfield noted earlier this isn't the first time the US government has tried to crack down on Positive Technologies:
PT was previously sanctioned by the US but chose to carry on as if nothing had happened. Its UK arm, servicing mobile vendors, hastily deleted most of its marketing material quoting them after @TheRegister asked about it. https://t.co/j2vflonHCo— Gareth Corfield (@GazTheJourno) November 3, 2021
In an email to The Register, NSO Group said it intends to lobby to have the decision undone.
"NSO Group is dismayed by the decision given that our technologies support US national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed," a company spokesperson said.
"We look forward to presenting the full information regarding how we have the world’s most rigorous compliance and human rights programs that are based the American values we deeply share, which already resulted in multiple terminations of contacts with government agencies that misused our products."
Amnesty International, which earlier this year published a report in conjunction with French advocacy group Forbidden Stories alleging that NSO's Pegasus spyware was widely used to violate human rights and to target government officials and members of civil society, described the Commerce Department's action as confirmation of its findings.
This decision sends a strong message to NSO Group that it can no longer profit from human rights abuses without repercussions
"With this move, the US government has acknowledged what Amnesty and other activists have been saying for years: NSO Group’s spyware is a tool of repression, which has been used around the world to violate human rights," said Danna Ingleton, deputy director of Amnesty Tech, in a statement. "This decision sends a strong message to NSO Group that it can no longer profit from human rights abuses without repercussions."
Ingleton described the Entity List inclusion as "a day of reckoning for NSO Group’s investors" – which includes multiple US pension funds through their respective stakes in NSO Group backer Novalpina Capital – and questioned whether they will be willing to continue to bankroll a firm accused of violating human rights.
"The threats posed by surveillance technology are bigger than one company," said Ingleton. "This dangerous industry is out of control, and this must spell the end of the impunity spyware companies have so far enjoyed. We need an immediate global moratorium on the export, sale, transfer and use of surveillance technology until there is a human rights-compliant regulatory framework in place." ®
Updated to add
On Thursday, Positive Technologies published a statement from CEO Denis Baranov on its website. He said the action by the Department of Commerce would have little or no impact on the company’s business.
"Every one of our developments is strictly protection-focused. The time is ripe to develop tools of this kind, and we shall continue to do so," he said.
"On what basis the DOC included us in this list, we do not know. In any case, we preempted the sanctions risks ahead of time, and now they pose no additional threats to us."
- Black Hat
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Federal government of the United States
- Government of the United Kingdom
- Identity Theft
- Microsoft 365
- Microsoft Office
- Microsoft Teams
- Palo Alto Networks
- Visual Studio
- Visual Studio Code
- Web Browser