U.S., Canada Urged To Toughen Fight Against Commercial spyware

Share post:

U.S. government intelligence employees should be banned for life from working for “foreign offensive operators” as one means of fighting commercial spyware, a member of a Canadian internet research group has told Congress.

John Scott-Railton, senior researcher at the University of Toronto’s Citizen Lab, made the proposal Wednesday while testifying before the House Permanent Select Committee on Intelligence on combating foreign commercial spyware such as NSO Group’s Pegasus and Saito Tech Ltd.’s Candiru.

While Congress has proposed that employees working for the National Security Agency (NSA) and other government intelligence groups be banned from joining what he called foreign offensive operators for 30 months after leaving their jobs, plus five years of mandatory reporting on what they are doing, Scott-Railton argued the ban should be for life.

“We would not let a nuclear weapons scientist go work for a potential adversary in three years,” he argued. “We should not do so with hacking technology.”

His testimony was echoed on Thursday by Citizen Lab director Ron Diebert, who said Ottawa should impose a lifetime ban for those who have worked in the Canadian intelligence and law enforcement agencies from working with “mercenary spyware firms.”

Developers of commercial spyware often say they only sell to law enforcement agencies for fighting crime, Scott-Railton testified. But, he added, governments often use it to spy on opposition leaders, reporters, and other groups that aren’t liked, as well as for espionage against other governments.

Over the years, Citizen Lab, part of U of T’s Munk School of Global Affairs and Public Policy, has issued numerous reports on the threat of commercial spyware. In 2021 it helped Microsoft identify and patch two Windows vulnerabilities it says were used by Candiru. Earlier this month Citizen Lab said Pegasus spyware was found on devices of 30 pro-democracy activists in Thailand.

Leading IT countries like the U.S., the U.K., Russia, and China have the ability to create their own spyware, Scott-Railton said. But he warned against the spread what he called “mercenary spyware” — meaning spyware that can be bought or rented by governments with less sophisticated capabilities.

Last year the U.S. blacklisted several companies for selling commercial spyware.

But in his Congressional testimony he urged Washington to do more to fight commercial spyware. As reported by The Record, Scott-Railton told Congress that NSO Group received investment from the Oregon Public Employee Retirement System (Oregon-PERS) and the Alaska Permanent Fund Corporation via the private equity firm Novalpina Capital, and suggested more substantial financial crackdowns.

He said not only should there be lifetime bans for certain people from working for foreign commercial spyware companies or government agencies, the government should also:

  • prevent U.S. federal agencies from doing business with identified problem companies. “Getting federal contracts is the ultimate prize for any defense contractor and their investors,” said Scott-Railton. “Removing this opportunity would have an immediate impact;”
  • expand the tools available to hold identified problem companies, and their officers, accountable, including sanctions, and work to co-ordinate these actions with allies, such as the Five Eyes intelligence group of the U.S., Canada, the U.K., Australia, and New Zealand;
  • apply diplomatic pressure to the countries that have become safe havens for the spyware industry, and that are enabling identified problem companies to thrive without regulation or oversight;
  • pass legislation ensuring comprehensive U.S. export control and transparency requirements for domestically-developed spyware, including extensive due diligence for national security risks and human rights concerns.
  • continue support for internet security and privacy promoting technologies through the Open Technology Fund.

In an email Thursday Citizen Lab director Ron Diebert said Ottawa should follow the example that has been set by the United States and some European allies in fighting commercial spyware.

That includes holding hearings on the risks and threats of the mercenary spyware industry, especially since we know from public research that Canadians have been victims of spyware used by foreign governments here, and developing strong export control guidelines for the Canadian surveillance industry. Currently, there are no such Canadian restrictions, he wrote.
Parliament should also impose regulatory penalties on firms that are known to facilitate human rights bans abroad, modeled after the U.S. Commerce Department’s designated entity list, he added.
Ottawa should also develop a publicly available set of procurement guidelines for Canadian agencies who purchase spyware, detailing the vendors and committing to never undertaking procurement with firms that are connected to human rights abuses abroad.
The government should “issue clear and forceful statements at the highest levels that Canada takes this threat seriously, especially considering we are chairing the Freedom Online Coalition this year,” Diebert also said.
Public Safety Canada has been asked for comment. At press time the department said it is working on a response.

The post U.S., Canada urged to toughen fight against commercial spyware first appeared on IT World Canada.

Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Tech Jobs

SUBSCRIBE NOW

Related articles

Cyber Security Today, April 24, 2024 – Good news/bad news in Mandiant report, UnitedHealth admits paying a ransomware gang, and more

This episode reports on the danger of using expired open-source packages, a tool used by a Russian hacking group and passw

Google Play introduces new biometric verification with a user warning

Google has recently announced updates to the biometric verification process for Google Play purchases, aiming to bolster security...

Cyber Security Today, Week in Review for week ending Friday April 19, 2024

On this episode Jen Ellis, co-chair of the Ransomware Task Force, talks about ways of fighting one of the biggest cyber threats to IT d

Cyber Security Today, April 19, 2024 – Police bust phishing rental platform, a nine-year old virus found on Ukrainian computers, and more

This episode reports on a threat actor targeting governments in the Middle East with a novel way of hiding malware is going international

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways