Picture of John Scott-Railton of the Munk School.
Conflict & security, Technology & society, Munk School, Citizen Lab

John Scott-Railton delivers testimony to House Permanent Select Committee on Intelligence

On July 27, 2022, Citizen Lab senior researcher John Scott-Railton was asked to appear before the House Permanent Select Committee on Intelligence. He was invited to provide expert testimony on a hearing devoted to combating threats to U.S. national security from the proliferation of foreign commercial spyware. What follows is the written submission of that testimony.

Written Testimony

Chairman Schiff, Ranking Member Turner, and esteemed Members of the Committee:

Thank you for this opportunity to testify today, and for your continuing efforts to address the many serious threats posed by the mercenary spyware industry.

My name is John Scott-Railton. I am a Senior Researcher at the Citizen Lab, a research group based at the University of Toronto’s Munk School of Global Affairs & Public Policy. We do independent academic research into digital threats, focusing on attacks against civil society, censorship, and disinformation.

The Citizen Lab’s mandate is concerned with how these threats impact civil society, whether nonprofits, journalists, human rights defenders, and more. We are transparent about our funding, strictly independent of both corporations and governments, and never undertake commissioned research.

Our research includes working closely with high-risk civil society groups around the world, and examining and publishing on the digital threats they face. For the past decade, a growing fraction of the cases that we have encountered involve mercenary spyware.

This testimony is developed from a body of evidence assembled by my colleagues and peers, and a field of talented researchers in academia, industry, and non-profit organizations. Many more groups have helped with victim outreach, collecting cases, and collaborating in investigations. Investigative journalists and reporting collectives have also played a significant role in shedding light on this secretive world. I cannot speak for anyone else in this growing ecosystem of accountability, but without their critical work, this conversation would not be happening. I would also like to acknowledge the colleagues that helped me prepare this testimony, as well as Dr. Bill Marczak, whose work developing techniques for scanning for various mercenary spyware families has led to many of our recent discoveries.

It is also very meaningful to me that Carine Kanimba has been invited to testify. As a victim of Pegasus spyware, she will be able to tell you about the impact of being targeted during her efforts to secure the release of her father, Paul Rusesabagina, from jail in Rwanda. Much of what we know about mercenary spyware abuses come from brave victims stepping forward, despite the risks. We owe them a great debt.

Part 1: Proliferating Capabilities for Sophisticated Hacking

Less than twenty years ago, only a relatively small set of states could engage in sophisticated, invisible-to-the-target, hacking of phones and computers at nearly any scale. As a shorthand, I call these Tier A states. They typically have a robust STEM pipeline (e.g., access to PhD students in cryptography and computer science). These states may also have domestic offensive developers that exclusively supply to them, or to a handful of allies such as the Five Eyes. This group includes the U.S., France, U.K., Israel, Russia, China, Australia, and so on.

Even as a growing list of governments around the world are busily working to develop their own endogenous capabilities, a new tier has emerged: pay-to-play government customers.

While the pay-to-play tier may lack a robust STEM pipeline, they do have checkbooks. They are supplied by the mercenary spyware industry, which sells an increasingly sophisticated set of espionage capabilities to a growing global customer list.

In many cases, the talent pool of mercenary spyware developers draws from veterans of the intelligence services of U.S. allies. This includes countries with whom the U.S. has intelligence-sharing relationships.

While some pay-to-play customers are situated within governments with a degree of oversight, many are operating without any clear oversight or accountability. Predictably, this ballooning customer list is responsible for many of the abuses that have been uncovered.

How ‘Good’ is Mercenary Spyware Technology?

The U.S. Government has extensive offensive capabilities against phones and computers. While the mercenary spyware industry probably cannot match them, some companies are getting closer. The growing use of “zero-click” exploits is illustrative.

“Zero-click,” which refers to exploits that do not require any victim interaction, means that operators no longer need to rely on tricking victims into clicking links or opening files in order to infect their device.

The risk does not come from sitting in a cafe and connecting to unsecured Wi-Fi. Your phone can be on your bedside table at 2 a.m., and the spyware operator a continent away. One moment the device is clean. The next? Your data is silently streaming to an adversary.

Google’s Project Zero recently described a zero-click exploit used by NSO Group, which they identified based on forensic artifacts that we shared with them, as:

“…one of the most technically sophisticated exploits we’ve ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.”

 

Unfortunately, there are few, if any, actions available to phone users to protect themselves from zero-click exploits. Even U.S. officials are not immune.

What Can Mercenary Spyware Do on an Infected Device?

The most notorious mercenary spyware currently available is NSO Group’s Pegasus, although there are many others. Pegasus’ capabilities on an infected phone broadly match many other mercenary spyware products. With Pegasus, the user can access the following, and more, on an infected device:

  • Your texts and calls
  • Your encrypted texts, like those in WhatsApp and Signal
  • Your pictures and notes
  • Your contacts, emails, etc.

In short, Pegasus can do anything on your phone that you can do. And some things you can’t, like:

  • Silently enabling the microphone or the camera and turning your phone into a bug in your pocket
  • Stealing the tokens that your phone uses to access cloud accounts, potentially enabling the attacker to maintain access to accounts long after an infection is over

     

This kind of mercenary spyware is highly sophisticated, invasive, and difficult to detect at scale, even by well-resourced governments.

Part 2: Harms to National Security, Foreign Policy, and Human Rights

As the number of pay-to-play government operators continues to grow, we have seen an avalanche of abusive targeting. In these cases, the hacking is often clearly in breach of international human rights law and contrary to democratic values.

However, in response to what has become a drumbeat of reported abuses, the mercenary spyware industry typically claims that they are merely aberrations, and that the technology is designed only to combat crime and terror.

The facts do not bear this out in two ways. First, we know from a decade of discoveries that abuses are a persistent feature of any hacking technology when sold widely. This was true a decade ago with companies like Gamma Group (which made FinFisher), and Hacking Team.  It is still true today.

Secondly, the ‘crime and terror’ narrative omits the fact that a substantial fraction of the targeting is espionage. In fact, some mercenary spyware customers seem to use the technology primarily to spy on other governments’ officials. We know this not only from reporting like the Pegasus Project, which was led by Amnesty International and Forbidden Stories, but also because, when we at Citizen Lab have reviewed samples of all targeting using a particular exploit from a particular period of time, a substantial fraction of that targeting appears to be states targeting each other.

The mercenary spyware industry knows that expanding espionage capabilities is a core part of their business model. But, it is inconvenient for them to acknowledge, as this quickly leads to the critical question: when does the industry become a threat to the U.S. national security and counterintelligence? The answer: it already has.

Turbocharging Counterintelligence Threats

U.S. government personnel are not well-protected from mercenary spyware. The fact that some mercenary spyware companies claim that they prevent targeting people located in the U.S., or with U.S. phone numbers, does not address the threat posed by companies with no such restrictions. Nor does it address the fact that many U.S. officials working overseas must use phones with non-U.S. numbers.

Reportedly, at least nine U.S. officials were hacked with Pegasus spyware last year. Remarkably, this appears to have remained undetected until Apple made the discovery while investigating the FORCEDENTRY zero click exploit used by NSO Group.

Threats to U.S. officials from mercenary spyware are not new. Indeed, nearly a decade ago, when the industry was in its infancy, U.S. diplomats in Panama were already reportedly being targeted. This alleged incident was described in a motion supporting an extradition request between the U.S. and Panama. The motion also reported allegations made by a witness that Panama’s then-President would direct an associate to publish stolen audio of his rivals’ private conversations on YouTube.

I believe that these cases are only the tip of the iceberg. There is tremendous incentive for countries around the world to hack U.S. officials. Given past experiences, it is plausible that some cases have never been uncovered. Recently, the Biden Administration recognized this threat when it added a number of mercenary spyware companies, including Candiru and NSO Group, to the Entity List. It also highlighted the human rights impact of the spyware industry.

The U.S. is not alone in recognizing the risk posed by mercenary spyware. The European Union Agency for Cybersecurity (ENISA) has also recently listed mercenary hacking as a major risk. Hacks using mercenary spyware have also impacted some very close allies. In the past two years, for example, we have repeatedly notified the U.K. government of multiple Pegasus compromises in their Foreign Office by several distinct governmental operators, and even of a Pegasus infection within the networks of Number 10 Downing Street.

Reporting by the Pegasus Project, meanwhile, suggests that globally at least ten prime ministers, three presidents, and even a king may have been selected for Pegasus targeting.

Pegasus in Politics, Elections, and Human Rights Abuses

The volume and variety of mercenary spyware abuses uncovered by different research groups, antivirus and threat intelligence companies, and platforms, is so extensive that it is difficult to summarize concisely. Let me illustrate by highlighting some of our recent findings.

Just last week, as part of a collaborative investigation, we confirmed evidence of Pegasus infections on the phones of activists and opposition politicians in Thailand. Earlier this spring, we confirmed the targeting and hacking of Catalan politicians, including Members of the European Parliament. Before that? Journalists in El Salvador, Polish opposition politicians, and Christian religious leaders in Africa—just to cite a few examples from recent years.

Let’s take the case of Senator Kryzstof Brejza. In 2019, he was hacked at least 33 times while managing the electoral campaign for the opposition in Poland. The hacking timeframe often tracked consequential events and meetings in the run-up to the election. At one point, messages reportedly stolen from his phone were also published in an attempt to discredit him. Of course, political spying, and hacking during elections, are nothing new. But tools like Pegasus make this easier, much more invasive, and very difficult to uncover.

Physical Distance is No Protection

Many mercenary spyware operators do not restrict themselves to hacking within their borders. Spyware like Pegasus has enabled them to conduct hacking thousands of miles away. Spyware has long been a core part of the transnational repression toolkit used by dictatorships like China. Now, a growing number of other states have gotten in on the action.

Washington, D.C. is a vibrant city. It is also home to many diaspora populations. Unsurprisingly, autocrats back home want to monitor them. Now, with the aid of mercenary spyware, they no longer have to dodge FBI counterintelligence to do so. Just across the river in Virginia, for example, U.S.-based Ethiopian journalists were targeted with mercenary spyware sold by Hacking Team, a since-rebranded Italian mercenary spyware company.

Proliferation May be Fueling Non-State Access to Sophisticated Spyware

We have encountered troubling cases that speak to the possibility that non-state actors may be accessing or directing the use of mercenary spyware.

For example, in Mexico, a government health researcher, a consumer advocate, and an anti-obesity campaigner were all targeted with Pegasus. Why? They had all been actively campaigning for an increase in the tax rate on soda. Circumstantial evidence led us to speculate that their targeting might have been directed or requested by someone with a financial interest in soft drinks.

Meanwhile, in Mexico, we are already witnessing a troubling nexus between targeting and cartel activities. We documented the targeting of Javier Valdez, a journalist who wrote about drug trafficking and crime in Mexico and who was killed in a cartel slaying. Both Valdez’s colleagues and wife were infected shortly after the hit. Meanwhile, the phone number of Mexican journalist Cecilio Pineda Birto was selected for possible targeting with Pegasus by a Mexican Pegasus client in the weeks prior to his killing by cartel hitmen. Other troubling reports from Mexico further suggest that spyware may be ending up in the hands of cartels.

As the mercenary spyware business grows, there will be an inevitable focus on pushing the technology to subnational entities, such as regional police services. These groups can be expected to have an even lower ability to ensure adequate oversight, or control access to the technology. Meanwhile, at least one NSO Group employee stole source code. Another used the technology to target a love interest. As the number of pay-to-play mercenary spyware customers grows, I believe it to be almost inevitable that the exploit code and technology may leak in ways that cause serious, large-scale harm.

In addition, while some of the more notorious mercenary spyware companies do appear to limit sales exclusively to governments, other players in the industry may also seek lucrative engagements with private individuals and companies. This possibility highlights the need for action.

Part 3: A Critical Moment, and an Opportunity for Action

It has taken us many years to get to this public conversation about the threats of mercenary spyware. But the conversation now needs to move at the pace of the proliferation. We cannot put this technology back into the box. But, we can and must slow proliferation.

U.S. Investments: A Key Target in Curbing the Mercenary Spyware Industry

One of the core impacts of the U.S. government’s recent actions around mercenary spyware—namely, adding NSO Group and Candiru to the Entity List—has been to cool investment and acquisition interest.

But, if NSO Group goes bankrupt tomorrow, there are other companies, perhaps seeded with U.S. venture capital, that will attempt to step in to fill the gap. As long as U.S. investors see the mercenary spyware industry as a growth market, the U.S. financial sector is poised to turbocharge the problem and set fire to our collective cybersecurity and privacy.

Instead, investors must feel that they stand to lose on these deals. The Biden Administration sent that signal about NSO Group. Congress has the power to send that signal about all unaccountable players within the industry.

Areas of Potential Action to Curb the Mercenary Spyware Threat

Here are several areas of action that have the potential to make a serious impact on mercenary spyware companies:

  • Congress should direct the U.S. Intelligence Community to identify problematic mercenary spyware companies, and use all tools at their disposal to counter and disrupt their activities.
  • Federal agencies should be prevented from doing business with identified problem companies. Getting federal contracts is the ultimate prize for any defense contractor, and their investors. Removing this opportunity would have an immediate impact.
  • The U.S. should expand the tools available to hold identified problem companies, and their officers, accountable, including sanctions, and work to coordinate these actions with allies, such as the Five Eyes.
  • The U.S. should apply diplomatic pressure to the countries that have become safe havens for the spyware industry, and that are enabling identified problem companies to thrive without regulation or oversight.
  • Your committee put forward a sit-out period for operators from the intelligence community going to work for foreign offensive cyber operators.

This is a powerful disincentive. I encourage you to extend the timeframe from 30 months (and 5 years of reporting requirements) to a lifetime ban. We would not let a nuclear weapons scientist go work for a potential adversary in 3 years. We should not do so with hacking technology.

  • Congress should develop legislation ensuring comprehensive U.S. export control and transparency requirements for domestically-developed spyware, including extensive due diligence for national security risks and human rights concerns.
  • The U.S. Government should continue to support internet security and privacy promoting technologies through the Open Technology Fund.

Special Note: How Mercenary Spyware is Licensed

One common confusion about mercenary spyware concerns how the technology is licensed to customers. Some companies may charge simply for the provision of spyware with an unlimited number of possible targets. Others may charge by total number of targets in a given period. We believe that Pegasus is often sold with a number of ‘licenses.’ In this context, this specifies the number of simultaneous infections. For example, purchasing ten licenses authorizes a customer to have ten devices under monitoring at any given time. Analysis of victims’ devices suggests that it may be a common practice for customers to infect for fairly brief periods, enabling them to use the same set of licenses to monitor a much larger set of individuals over time. In this manner, a single governmental customer with only ten licenses might be able to infect hundreds or more individuals in a year.

The preference for re-infection over persistence can lead to startling numbers of unique infections. For example, a journalist investigating the relationship between El Salvador’s president and organized gangs was hacked on more than forty occasions. During the times that his phone was not infected, we can assume that the licenses were being used to infect others’ phones.