We're likely only seeing 'the tip of the iceberg' of Pegasus spyware use against the US
House intel chair raises snoop tool concerns as Google and others call for greater crackdown
Google and internet rights groups have called on Congress to weigh in on spyware, asking for sanctions and increased enforcement against so-called legit surveillanceware makers.
During an open House Intelligence Committee hearing on Wednesday, US lawmakers heard testimony from Citizen Lab senior researcher John Scott-Railton; Shane Huntley, who leads Google's Threat Analysis Group; and Carine Kanimba, whose father was the inspiration for Hotel Rwanda and who was, herself, targeted by Pegasus spyware.
This, of course, is the now-infamous malware that its developer, Israel's NSO Group, claims is only sold to legitimate government agencies — not private companies or individuals. Once installed on a victim's device, Pegasus can, among other things, secretly snoop on that person's calls, messages, and other activities, and access their phone's camera without permission.
NSO also claims the software can only be used "for the purpose of preventing and investigating terrorism and other serious crimes," despite numerous reports from Citizen Lab, Google, and the media of Pegasus being used to spy on journalists, activists, and politicians by their opponents.
Earlier this year, European lawmakers opened an inquiry into spyware in general, and Pegasus more specifically, after the malware was reportedly found on cellphones associated with the UK and Spanish prime ministers, Spain's defense minister, and dozens of Catalan politicians and members of civil society groups.
But despite cracking down on the notorious Israeli outfit last year, America has been slow to counter Pegasus and similar software being used to eavesdrop on its people. And, in fact, US military contractor L3Harris reportedly was ready to buy NSO Group until the White House raised concerns.
In recent days, the House Intelligence Committee has taken steps toward prohibiting cyber espionage and even sanctioning foreign governments that use it to target Americans.
Last week the panel advanced a bill that would prohibit US intelligence agencies from acquiring and using foreign spyware, block contracts with US companies that invest in any such foreign technology, and give the president authority to sanction snoopware developers, their execs, and other governments using the software against American officials.
During today's hearing, Representative Adam Schiff (D-CA), who chairs the committee, vowed to "put a greater emphasis on this threat."
Schiff called NSO's software and similar eavesdropping tools "a threat to Americans," and pointed to news reports from last year about cellphones belonging to US diplomats in Uganda being compromised by Pegasus.
"It is my belief that we are very likely looking at the tip of the iceberg, and that other US government personnel have had their devices compromised, whether by a nation-state using NSO's services or tools offered by one of its lesser known but equally potent competitors," Schiff said.
Google's Threat Analysis Group tracks more than 30 firms that sell exploits or surveillance capabilities to government-backed groups, Huntley told the committee. "Countering these threat actors is becoming a bigger part of our work," he added, noting that seven of the nine zero-day vulnerabilities that Google's Threat Analysis Group discovered in 2021 were originally developed by commercial vendors.
Huntley applauded US sanctions against NSO Group, and called for a full ban on federal procurement of commercial spyware technologies. He also urged lawmakers to "contemplate imposing further sanctions to limit spyware vendors' ability to operate in the US and receive US investment," and lead diplomatic efforts to work with governments that harbor spyware vendors and criminals using these tools.
"We believe it is time for government, industry and civil society to come together to change the incentive structure, which has allowed these technologies to spread in secret," Huntley said. ®