NSO Group, an Israeli firm that has risen to a billion-dollar valuation on the strength of the aggressive hacking tools it sells to authoritarian governments across the Arab world, is being sued by lawyers and activists who claim to be victims of its software. One of the lawyers involved in the suit was targeted some weeks ago by mysterious WhatsApp calls to his phone in the middle of the night. When he contacted technical experts, they discovered Pegasus 3, an aggressive virus that can apparently install itself on a phone without the victim taking any action at all. Once installed, it takes control of the device, recording conversations and video. It can destroy the evidence of its own arrival and existence, and control any files on the device. In effect, it turns a smartphone into the perfect spying device, which the victim will carry everywhere with them.
Similar programs are widely available to abusers of all sorts, which is one reason why many domestic violence shelters ban the use of smartphones. But the ones that can easily be bought require some action from the victim, usually a misplaced click, or else a few moments’ access to their phone. The NSO malware targeting WhatsApp is different in that it could install itself without the victim doing anything at all. To discover and exploit the programming mistakes that opened this vulnerability would take years and cost millions of dollars. That is why it’s assumed that only states, or state-backed actors, have the resources to produce them.
The NSO group has claimed to have contracts with 22 European countries. Its Pegasus programs have been detected in 45 countries, though some of this may be the result of operators outside the country concerned. Although the company sells only to states approved by the Israeli government, these include Saudi Arabia, Mexico, Bahrain, Kazakhstan and the United Arab Emirates. All have a history of human rights abuses and of targeting dissidents and journalists.
NSO is not the only private firm in this digital arms trade, although it is the largest and probably the most successful. The only comparably advanced operators appear to be national governments. The NSA and GCHQ in the US and the UK have the legal power and duty to develop such weapons, although they are not for sale. The variety of Russian cyberweapons is astonishing. They have been used in attacks on the power-generation facilities of Ukraine as well as in the hacking of the Democratic party’s emails in the US presidential election campaign. One Russian network recently discovered used messages posted as comments in Britney Spears’ Instagram account to coordinate its operations.
There are two great dangers to the spread of these weapons. The first is highlighted by the Pegasus case: they can be used against individuals who defy criminal governments or even large criminal gangs. The second is that they can be used against states, as part of low-intensity warfare. Here, the boundary between digital and physical becomes unclear: in its most recent bombing of Gaza, Israel claimed to have destroyed a Hamas “cyberwarfare” centre. These weapons must urgently be controlled in international law before there is a disastrous accident.
Gloss