U.S., Canada Urged To Toughen Fight Against Commercial spyware

Share post:

U.S. government intelligence employees should be banned for life from working for “foreign offensive operators” as one means of fighting commercial spyware, a member of a Canadian internet research group has told Congress.

John Scott-Railton, senior researcher at the University of Toronto’s Citizen Lab, made the proposal Wednesday while testifying before the House Permanent Select Committee on Intelligence on combating foreign commercial spyware such as NSO Group’s Pegasus and Saito Tech Ltd.’s Candiru.

While Congress has proposed that employees working for the National Security Agency (NSA) and other government intelligence groups be banned from joining what he called foreign offensive operators for 30 months after leaving their jobs, plus five years of mandatory reporting on what they are doing, Scott-Railton argued the ban should be for life.

“We would not let a nuclear weapons scientist go work for a potential adversary in three years,” he argued. “We should not do so with hacking technology.”

His testimony was echoed on Thursday by Citizen Lab director Ron Diebert, who said Ottawa should impose a lifetime ban for those who have worked in the Canadian intelligence and law enforcement agencies from working with “mercenary spyware firms.”

Developers of commercial spyware often say they only sell to law enforcement agencies for fighting crime, Scott-Railton testified. But, he added, governments often use it to spy on opposition leaders, reporters, and other groups that aren’t liked, as well as for espionage against other governments.

Over the years, Citizen Lab, part of U of T’s Munk School of Global Affairs and Public Policy, has issued numerous reports on the threat of commercial spyware. In 2021 it helped Microsoft identify and patch two Windows vulnerabilities it says were used by Candiru. Earlier this month Citizen Lab said Pegasus spyware was found on devices of 30 pro-democracy activists in Thailand.

Leading IT countries like the U.S., the U.K., Russia, and China have the ability to create their own spyware, Scott-Railton said. But he warned against the spread what he called “mercenary spyware” — meaning spyware that can be bought or rented by governments with less sophisticated capabilities.

Last year the U.S. blacklisted several companies for selling commercial spyware.

But in his Congressional testimony he urged Washington to do more to fight commercial spyware. As reported by The Record, Scott-Railton told Congress that NSO Group received investment from the Oregon Public Employee Retirement System (Oregon-PERS) and the Alaska Permanent Fund Corporation via the private equity firm Novalpina Capital, and suggested more substantial financial crackdowns.

He said not only should there be lifetime bans for certain people from working for foreign commercial spyware companies or government agencies, the government should also:

  • prevent U.S. federal agencies from doing business with identified problem companies. “Getting federal contracts is the ultimate prize for any defense contractor and their investors,” said Scott-Railton. “Removing this opportunity would have an immediate impact;”
  • expand the tools available to hold identified problem companies, and their officers, accountable, including sanctions, and work to co-ordinate these actions with allies, such as the Five Eyes intelligence group of the U.S., Canada, the U.K., Australia, and New Zealand;
  • apply diplomatic pressure to the countries that have become safe havens for the spyware industry, and that are enabling identified problem companies to thrive without regulation or oversight;
  • pass legislation ensuring comprehensive U.S. export control and transparency requirements for domestically-developed spyware, including extensive due diligence for national security risks and human rights concerns.
  • continue support for internet security and privacy promoting technologies through the Open Technology Fund.

In an email Thursday Citizen Lab director Ron Diebert said Ottawa should follow the example that has been set by the United States and some European allies in fighting commercial spyware.

That includes holding hearings on the risks and threats of the mercenary spyware industry, especially since we know from public research that Canadians have been victims of spyware used by foreign governments here, and developing strong export control guidelines for the Canadian surveillance industry. Currently, there are no such Canadian restrictions, he wrote.
Parliament should also impose regulatory penalties on firms that are known to facilitate human rights bans abroad, modeled after the U.S. Commerce Department’s designated entity list, he added.
Ottawa should also develop a publicly available set of procurement guidelines for Canadian agencies who purchase spyware, detailing the vendors and committing to never undertaking procurement with firms that are connected to human rights abuses abroad.
The government should “issue clear and forceful statements at the highest levels that Canada takes this threat seriously, especially considering we are chairing the Freedom Online Coalition this year,” Diebert also said.
Public Safety Canada has been asked for comment. At press time the department said it is working on a response.

The post U.S., Canada urged to toughen fight against commercial spyware first appeared on IT World Canada.

Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

SUBSCRIBE NOW

Related articles

California Gov. Newsom vetoes sweeping AI safety bill amid Silicon Valley pressure

California Governor Gavin Newsom has vetoed a major AI safety bill aimed at regulating powerful AI models before...

Hackers Plant False Memories in ChatGPT to Steal User Data

A security researcher has uncovered a vulnerability in ChatGPT that could allow hackers to store false information and...

“Octo2” Trojan Targets Bank Accounts by Posing as VPN or Chrome Apps on Android

A new malware variant called “Octo2” is spreading across Android devices by posing as popular apps like NordVPN...

Evilginx – Open source tool can bypass Multi-Factor Authentication (MFA)

Security vendor Abnormal Security is reporting a new cybersecurity tool that is gaining traction among cybercriminals. The tool,...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways