The UK Prime Minister’s office and the Foreign Commonwealth and Development Office (FCDO) have both been infected with Pegasus spyware, which turns mobile devices into surveillance tools, a new report says. The attacks, detailed in research from The Citizen Lab, which tracks electronic spying, highlight the need for an international tightening of regulation around Pegasus and similar types of software.
However, experts say Big Tech may be more likely to introduce de facto rules that limit the power of companies such as Israeli business NSO Group, which makes Pegasus. Governments, they argue, will be loath to ban tools that they might use themselves.
Will UK government Pegasus breach prompt spyware crackdown?
Pegasus spyware was found in devices within the Prime Minister’s Office and the FCDO between 2020 and 2021, according to the Citizen Lab report. The suspected infections relating to the FCDO were associated with Pegasus operators linked to the United Arab Emirates (UAE), India, Cyprus and Jordan, while the report pins the breach of the Prime Minister’s office on an operator in the UAE. Researchers were unable to identify targeted individuals within the departments.
Spyware like Pegasus can circumvent encryption to monitor messages and pictures. A device’s camera and microphone can also be activated to enable remote surveillance. Pegasus hit the headlines last year when an international investigation revealed it was being used by authoritarian regimes to spy on opposition politicians, activists and journalists. In July 2021 French President Emmanuel Macron, along with 14 other French ministers, was informed that Pegasus had been detected on their phones, and last week European Commission officials were targeted using the software.
These breaches at the highest level of government show a need for tighter international regulation around surveillance software, says Etay Maor, senior director of security strategy at Cato Networks. “What governments should be doing is making treaties with one another on what you’re allowed or not allowed to do between different countries [when it comes to spying],” Maor says. “This already is happening in the physical world, but I don’t think there is anything that is regulated in the cyber realm.”
In the UK, MPs have called for action against companies which deploy Pegasus and other spyware from NSO. In November, ten parliamentarians signed a letter demanding that the government end cybersecurity programmes with countries that are known to have used NSO spyware to target their own citizens, as well as asking for sanctions to be imposed on NSO.
So far the UK government has not followed in the footsteps of the US, which in November put NSO on its blacklist of companies which are banned from doing business in America. However, further action on spyware at governmental level is unlikely because many countries rely on spyware as part of their cybersecurity strategies.
“Any government is going to be really wary about drawing bright lines around activities that might well trip them up in the future,” explains Emily Taylor, CEO of Oxford Information Labs. “It is clear that these are dual-use technologies; even countries that do not have the greatest human rights records have genuine needs to combat things like cybercrime and terrorism.”
An outright ban on spyware is unrealistic, and would be likely to lead to the growth of a black market for the technology. “A ban wouldn’t work because the stuff is out there and there is a market for it,” Taylor says.
Big Tech and spyware: a new de facto regulator?
Governments can demand greater transparency from vendors like NSO about who is using their software, Taylor says. “I think that there is something more that states should be doing to try to demand transparency and responsibility,” she explains. “I think that there needs to be much more put into the due diligence effort, about being a responsible customer and demanding levels of transparency from the suppliers, so that we can feel that a line hasn’t been crossed.”
More powerful than government intervention could be the actions of Big Tech companies, many of which have been negatively impacted by Pegasus and other spyware. Facebook parent company Meta is suing NSO, claiming that the Israeli company’s software was used to send malware to users of Meta’s WhatsApp messaging service. Apple is also suing NSO and seeking an injunction to bar its software from all Apple devices.
“[Big Tech] might not initiate legislation or due diligence, but their actions might clip the wings of companies like NSO and force better practices in response,” Taylor argues. “It could be an informal way of [regulating] spyware.”