NSO Group Among Those Added to Commerce’s EAR Entity List

This week, the Department of Commerce (DoC) amended its export administrative regulations (EAR) with the addition of four companies onto the entity list, effective November 4, 2021. The four companies—one from Singapore, two from Israel and one from Russia—were all engaged in activities which the U.S. government determined were “contrary to the foreign policy and national security interests of the United States.” The NSO Group, best known for the Pegasus Project, has made multiple headlines due to critical vulnerabilities in its spyware, and now finds itself at the top of the blacklist. NSO Group was not alone, given that Candiru, also an Israeli firm, finds itself in the same situation. Both companies are accused of having “developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics and embassy workers.”

Singapore’s Computer Security Initiative Consultancy (CSIC) and Russian firm Positive Technologies are both accused of having trafficked “in cyber exploits used to gain access to information systems, threatening the privacy and security of individuals and organizations worldwide.”

AWS Builder Community Hub

What This Means for These Companies

This is believed to be the first time the DoC has placed companies on the entity list because of their activities in cyberspace. Their placement on the EAR will impose upon these companies (and those wishing to engage in business with them) the additional requirement of requiring licensing from the U.S. DoC and reduce the ability for these entities to receive waivers in EAR, ITAR and other arms and technology restrictions which the United States may have in place.

Lawful Intercept and the NSO Group

Lawful intercept and search and seizure tools have been developed as standard tools of the trade and are found within most network suites as either built-ins or add-ons; they enable service providers to comply with lawful requests for data and information. Additionally, legal forensic investigations have utilized tools to recover or collect data from and on users’ devices. The challenge is policing how such tools are used. The most popular defense seems to follow the old saw, “We only enable the capability; how a given country/entity uses the tool is outside of our purview.”

Vice pointed out in May 2020 that the NSO Group was actively pitching their products and capabilities to U.S. law enforcement entities across the United States. According to Vice, the NSO Group’s product brochure at that time pitched the NSO Group product, “Phantom” (aka Pegasus) by saying it would “[t]urn your target’s smartphone into an intelligence gold mine.” If local, state or federal entities purchased NSO group’s offerings, they may wish to reassess that decision.

It is worth noting that NSO Group is the centerpiece of the Pegasus Project which highlighted the global use of the company’s surveillance and spyware capabilities against journalists, business executives, activists, dissidents, international political leaders (France’s president Macron, for example) and government entities.

The NSO Group is working diligently to change the perception that they knowingly facilitate unlawful surveillance or forensic examination; that is precisely what the DoC accused them of doing: Providing spyware which is used maliciously. In early October 2021, the company announced they were severing their contract with the UAE when, according to the UK court ruling and as reported by Reuters, it was determined Sheikh Mohammed bin Rashin al-Maktoum had “instructed the hacking of six phones belonging to Princess Haya bin al-Hussein [his ex-wife], her lawyers and security team.”

This action, however, came only after the judgment from England’s high court and not when a global consortium of journalists exposed the widespread use of NSO Group’s technologies to target journalists, dissidents and protestors in July 2021. To this jaded eye, it appears to be a case of “Sorry we were caught,” rather than “Sorry, we regret facilitating such actions and how the capabilities were used.”

NSO also claimed their spyware tool were only used to track terrorists and major criminals and that the company self-policed abuse. The Pegasus Project demonstrated that was not the case; England’s high court rendered a judgment which demonstrated that wasn’t the case. Now, with the NSO Group on the entity list, it seems a similar opinion has been reached by the U.S. government vis-à-vis the company’s tools and business processes.

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.

burgesschristopher has 185 posts and counting.See all posts by burgesschristopher