At least five officials at the European Commission were targeted by spyware last year, according to a report by news agency Reuters. The alleged breach reveals the failings of conventional cybersecurity defences, experts told Tech Monitor, and bolsters the argument for spyware to be regulated like military technology.
Former European Justice Commissioner Didier Reynders and at least four other Brussels-based officials were targeted using spyware, news agency Reuters reported today.
The officials were alerted to the breach in November last year, when Apple sent a mass alert warning thousands of users that they may have been “targeted by a state-sponsored attack”.
Security researchers have said that the affected individuals were targeted between February and November last year allegedly using a tool called ForcedEntry from Israeli spyware vendor NSO Group. It is not yet known who was behind the attempted breach or whether it was successful.
NSO Group denies that its software was used in the breach.
Earlier this year, the European Parliament launched an enquiry into spyware, after reports alleged that Pegasus – another product from NSO Group – had been used to spy on government critics in Poland and Hungary. The enquiry will examine “existing national laws regulating surveillance, and whether Pegasus spyware was used for political purposes against, for example, journalists, politicians and lawyers,” it said.
European Commission breach: can spyware be controlled?
Traditional cybersecurity measures are insufficient to defend against spyware, says Etay Maor, senior director of security strategy at Cato Network. “This is a highly targeted, highly sophisticated military-grade tool,” he says. “This is on the same level as a nation-state attack. It’s going to be extremely hard to stop it using conventional tools and conventional security methodology.”
Instead, spyware should be regulated like military technology, he argues. “You can’t build a tank and not let anybody know about it or even get the materials for it,” he says. Spyware vendors are “modern arms dealers … and there should be heavy regulation around them”.
International treaties may also be required, Maor argues. “We have the Geneva Convention so you’re not allowed to torture people. There should be things like this around cyber as well.”
Until then, anyone handling politically sensitive information should be careful in their use of technology, Moar says. “Officials in certain positions and, unfortunately, those journalists reporting on certain topics will have to think how they use the technology and what it means in terms of how it can be used against them.”
Max Heinemeyer, VP of cyber innovation at security company Darktrace, argues that AI-powered cybersecurity could defend against spyware.
“Whether it’s today’s issue with NSO’s targeted spyware, yesterday’s supply chain attacks or the exploitation of Log4j vulnerabilities, what we know is that humans can’t anticipate what tomorrow’s threat will look like,” he says. “We must stop chasing after the latest threats and instead use AI to understand the organisation, so that novel attacks can be mitigated against no matter where they come from.”