US Blocks Trade with ‘Legal’ Pegasus Spyware Firm, NSO

What took you so long? The U.S. Commerce Dept. has finally blocked exports to the notorious NSO Group—makers of sophisticated “zero-click” spyware, Pegasus. This is a serious blow to NSO’s grubby business model.

The company is accused of enabling authoritarian regimes to silence dissidents, control journalists, and spy on other governments. It’s been added to the Entity List, meaning U.S. companies can’t sell technologies or services to NSO.

AWS Builder Community Hub

TIL a new phrase: transnational repression. In today’s SB Blogwatch, we work out what it all means.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Jurassic Park but with a cat.

U.S. Beef with Data Thief

What’s the craic? Drew Harwell, Ellen Nakashima and Craig Timberg report—“Biden administration blacklists NSO Group over Pegasus spyware”:

Attempts to rehabilitate its image
There are hundreds of companies on the “entity list.” [It’s] a federal blacklist prohibiting the company from receiving American technologies.

The entity list designation prohibits export from the United States to NSO of any type of hardware or software, severing the company from a vital source of technology … after determining that its phone-hacking tools had been used by foreign governments to “maliciously target” government officials, activists, journalists, academics and embassy workers around the world. … The Commerce Department said in a statement that the action is part of the Biden administration’s “efforts to put human rights at the center of U.S. foreign policy, including by working to stem the proliferation of digital tools used for repression.”

[It] comes two weeks after Commerce announced a rule that would bar sales of American hacking software and equipment to any entity overseas known to have engaged in hacking for malign purposes. The “Wassenaar” rule will align the United States with 42 European and other allies. [It] could also weaken NSO’s standing with investors and cast a pall over the company’s attempts to rehabilitate its image. … “They made this real effort to change the conversation,” … David Kaye, a former United Nations special rapporteur … said. “Who will want to work with a company that’s been so publicly sanctioned?”

NSO spokesperson Oded Hershkovitz said in a statement that the company is “dismayed.” … The company said its “rigorous” human rights policies … “already resulted in multiple terminations of contracts with government agencies that misused our products.”

O RLY? Mehul Srivastava and Aime Williams add—“NSO Group on trade blacklist”:

Military-grade software
Groups like NSO use developer versions of popular operating software to develop “zero-click exploits”, which do not require the user to open a malicious link to deploy. … The US commerce department said … “These tools have also enabled foreign governments to conduct transnational repression … targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent. Such practices threaten the rules-based international order.”

NSO’s licensed military-grade software, Pegasus, was last year revealed to have been used to target smartphones belonging to 37 journalists, human rights activists and other prominent figures. French media reported that it had been used by Morocco to spy on senior French officials, including the personal mobile phone of President Emmanuel Macron.

What goes around comes around? Here’s adespoton:

It’s about time. The US government was previously a sizeable customer of NSO, perpetuating this sort of thing.

What does it mean, in practice? paulhar counts the ways:

They're going to find it hard
They’ve now got no access to: iPhones, App stores, Google phones, Amazon AWS, Azure, GCP, CPUs from Intel, AMD. No Microsoft Office/SQL. Seagate. … No payment processors (e.g., Visa, Mastercard) nor access to any banks that have a US entity.

They’re going to find it hard to actually do business.

So what’s next? Here’s @GrahamBrookie:

The gaps
This is a big step. But it is also only a first step—and an easy one at that.

The gaps between democratic countries in our approach to how we design, fund, and govern technology is the space that authoritarians abroad and would-be autocrats at home seep into.

But some think the Entity List is toothless: With complex, international supply chains, how can the feds hope to stop U.S. companies doing business with NSO? Graham Cobb explains:

Reducing their access to capital
Mostly it tells US companies selling things to the entity that they need to be very careful. … Large companies with distributor networks cannot effectively prevent their products being sold to those companies but it warns them that the government now have a lever to really screw them up if they feel like it: “That’s a nice international business you’ve got there — it would be a shame if anyone asked how your routers got into NSO’s network.”

It can also be used as a tool against … companies the government want to influence for any reason: “Hmm, looks like one of your distributors has been selling to NSO. We wouldn’t want to have to close down your US operation — maybe you can do us a favor and include these lines in the software you supply to NSO.”

I think it will have more direct impact on investors. Many (such as pension funds) are expected to be very risk-averse and will probably withdraw from investment in those companies, reducing their access to capital.

However, The Dark says it’s simpler than that:

Whacked with a violation
Nobody can sell them American products. … It also includes re-exports—when a foreign middleman sells to a different foreign customer—so that’s not a loophole: If … any foreign company imported something from the US and sold it to Pegasus now, they’d be whacked with a violation and potentially barred from buying US products.

So NSO is dead? Not so fast, pleads smooth wombat:

The Streisand Effect
Oh please. If you think a company which enables dictators to go after their opponents, and lies about doing so, will have any problem getting business, think again.

There will be no shortage of people, groups, or governments lining up to buy this software, especially after this blacklisting, and willing to pay for it. The Streisand Effect is now in play.

Meanwhile, Stephanie Kirchgaessner—@skirchy—raises a wry eyebrow:

Needless to say, this does not bode well for NSO in its ongoing lawsuit with WhatsApp.

And Finally:

I would pay real money to see a full length version of this—maybe with dogs, too

Hat tip: FeralCatMan

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Lucas Sankey (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 492 posts and counting.See all posts by richi