The US Commerce Department blacklisted Israeli firms NSO Group and Candiru on Wednesday, accusing them of providing spyware to foreign governments who “maliciously targeted” journalists, embassy workers, and activists.
Commerce officials added the Israeli companies to the department’s so-called “entity list,” effectively prohibiting them from purchasing software components from US vendors without a license.
Positive Technologies from Russia and Computer Security Initiative Consultancy from Singapore have also been added to the list. Commerce accused these two companies of smuggling “cyber tools used to gain unauthorized access to information systems.”
Taken together, it is one of the biggest steps yet by the Biden administration to curb the sale of hacking tools that analysts say have been used in human rights abuses around the world.
“Today’s action is part of the Biden-Harris Administration’s efforts to put human rights at the center of US foreign policy, including by working to stem the proliferation of digital tools used for repression,” said the Commerce Department in a statement.
The Commerce announcement was slammed by NSO Group. The company said in a statement that it is “dismayed by the decision given that our technologies support US national security interests and policies by preventing terrorism and crime,” and that it will “advocate for this decision to be reversed.”
“We look forward to presenting the full information regarding how we have the world’s most rigorous compliance and human rights programs that are based [on] the American values we deeply share,” the statement reads, “which have already resulted in multiple terminations of contacts [sic] with government agencies that misused our products.”
The Treasury Department sanctioned Positive Technologies in April, accusing the company of providing support to Russia’s FSB intelligence agency. Positive Technologies said in a statement Thursday that the Commerce and Treasury departments’ actions were geopolitically motivated, and that the Treasury sanctions had had little impact on the company’s business. “We firmly believe that geopolitics should not stand in the way of society’s technological development,” the company stated. “We will never stop doing what we do best: delivering cybersecurity on a global scale.”
NSO Group, in particular, has long been accused by cybersecurity analysts and human rights activists of selling invasive and simple-to-use mobile hacking software to repressive governments. According to security researchers, NSO Group’s Pegasus spyware was used to spy on a Moroccan journalist and activist, as well as the widow of a slain Mexican journalist, among other targets.
Officials in the United States have expressed concern about the growth of the market for hacking tools and the ability of foreign governments to quickly develop their own cyber capabilities using American expertise. In September, for example, the Justice Department announced charges against three former US intelligence and military operatives for allegedly assisting in the development of a hacking program for the government of the United Arab Emirates.
“The designation by the US Department of Commerce is a very positive first step toward bringing some public accountability and order to this otherwise poorly regulated marketplace,” said Ron Deibert, director of the University of Toronto’s Citizen Lab, a research team that has documented alleged abuse of Pegasus.
According to Natalia Krapiva, tech legal counsel at the non-profit Access Now, other governments may follow the United States in blacklisting spyware vendors.
According to Krapiva, the US is “saying these companies are in fact violating not only universal human rights, but also US national security.” She added: “The US blacklisting them almost certainly means that other democratic powers will have to respond in a similar manner, which we strongly encourage.”