The Commerce Department Wednesday added two Israeli spyware companies, NSO Group and Candiru, to its entity list of companies that pose a national security and foreign policy risk to the United States.
The designation accuses both NSO Group and Candiru of having “developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, business people, activists, academics, and embassy workers.” Inclusion on the list enacts stringent licensing requirements for exports to designated companies from U.S. businesses. Companies previously included on the list include Chinese firm Huawei, which the U.S. government has flagged as posing a risk to Americans’ data.
Also added to the entity list Wednesday were Russia-based Positive Technologies and Singapore-based Computer Security Initiative. The Commerce Department accused the two companies of trafficking “cyber exploits used to gain access to information systems, threatening the privacy and security of individuals and organizations worldwide.” The U.S. Treasury Department sanctioned Positive Technologies in April for allegedly supporting Russian government espionage.
Many of the accusations about the spyware vendors come after a plethora of research by human rights and privacy experts, who have linked NSO Group and Candiru technology to spying on dissidents, journalists and human rights advocates by authoritarian regimes.
For instance, this summer the “Pegasus Papers” consortium led by Amnesty International found that NSO Group’s Pegasus spyware was actively exploiting iPhones to target more than three dozen victims. A Citizen Lab report in July tied Candiru to more than 750 websites posing as human rights organizations.
“NSO Group is dismayed by the decision given that our technologies support US national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed,” a representative for the company wrote in an email to CyberScoop.
Candiru could not be reached for comment.
Amnesty International and the United Nations have called for a moratorium on spyware technologies until nations reach an agreement on an international human rights framework. Groups have also called for Israel to halt the export of NSO Group’s technologies. Israel committed to investigating allegations against NSO Group after the French president’s personal phone number was exposed in the documents uncovered by the Pegasus Project.
The Israeli embassy did not immediately respond to a request for comment.
“I think it’s a signpost that the U.S. government recognizes the threat posed by a surveillance industry that is wildly out of control and while the NSO Group has been at the forefront, certainly there are other companies that are at play,” said Danna Ingleton, deputy director of Amnesty Tech.
Action from the United States could also put pressure on how other governments deal with the company.
“I think we’ve seen the first signals of what could be a bit of a corrective for the out-of-control market place and countries will have to choose if they want to be a part of this direction,” said John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab.
While Israel has claimed that NSO Group’s offerings are regulated per its guidelines for its other cybersecurity exports, human rights advocates haven’t been satisfied by the country’s answers.
“I think it’s an eye-opener for Israeli regulatory systems or any country regulating the spyware industry that lip service isn’t sufficient and there needs to be greater transparency in how these companies are regulated,” said Ingleton.
Ingleton said Amnesty will continue to push for a global moratorium and for justice for victims of NSO Group’s spyware.
The designation, which will limit the NSO Group from the U.S. technologies it has relied on in the past, could also hurt its bottom line. The blacklisting could go a long way in slowing NSO Group’s growth and have “a chilling effect on investors,” said Railton.
Updated 11/3/2021: To include additional comment from NSO Group, John Scott-Railton and Danna Ingleton.