In October 2021, the US blacklisted the Israeli technology firm, the NSO Group, an unusual step against one of its closest allies in the Middle East. NSO earned its spot by developing and licensing the surveillance software Pegasus, a program that has gained infamy in recent years. The software has become known as "the world's most powerful cyberweapon" due to its ability to remotely infiltrate smartphones without the user clicking on any links. Reports have revealed that NSO clients have targeted people such as Jamal Khashoggi, human rights lawyers, dissidents, and journalists throughout Latin America and the Middle East. In addition to immediate targets, several states used Pegasus to infiltrate the phones of targets' family members in the US and France. The breadth of Pegasus targets and its geopolitical utility highlight the gaps in current cyberweapon regulation and point to a future in which such software will continue to proliferate and stronger regulatory mechanisms will be necessary.
Human rights activists have widely condemned NSO contracts with authoritarian state actors. NSO officially confirmed that it licensed Pegasus to 19 countries between 2011 and March 2022. Unofficially, a 2018 Citizen Lab investigation found that number to be closer to 36 state operators. Beyond the NSO Group's self-regulation in determining its client list, the Israeli Defense Ministry can also block the export of Pegasus to other countries, an ability it has used to its geopolitical advantage. A New York Times investigation found that after the export of Pegasus was approved, countries like Mexico and Panama changed their positions towards Israel in votes at the UN, particularly on issues viewed as pro-Palestine. Israel continued to leverage this power during the negotiation of the Abraham Accords, which normalized relations between Israel and many of its Arab neighbors. Although not explicitly part of the deal, several news reports indicated that the UAE, Bahrain, and Saudi Arabia were brought to the table after the Israeli government promised to grant them licenses for Pegasus.
Israel is clearly far ahead in understanding the geopolitical potential of cyberweapons. Nonetheless, the blacklisting of NSO demonstrates that the US views cybersurveillance technology on the same level as other military equipment and is willing to contain its spread as part of its national defense. However, this containment effort will run into the challenge of regulating the burgeoning Access-as-a-Service (AaaS) industry. AaaS firms like NSO offer "access" to systems and data that buyers desire. Many of these companies exploit zero-day vulnerabilities, which are flaws in software for which there is no official patch or security update. Pegasus relies on these gaps. Compared to fighter jets or missile defense systems, this type of software is cheap and easily transportable. The difficulty of tracing such cyberweapons back to the attacker further complicates US efforts to identify and contain the actors responsible.
By blacklisting NSO, the US Department of Commerce has added it to its Entity List for activities "contrary to the national security or foreign interests of the United States." For NSO, this means it cannot buy essential supplies from the US such as Dell computers or Amazon cloud servers. Even if NSO is temporarily out of the game, many other firms are eager to take its place. This US policy change opens the field to many US domestic companies such as Boldend and Raytheon, as well as other international companies that wish to take up Pegasus's mantle. Nevertheless, Pegasus has exposed the need for US policymakers to strengthen international cybersurveillance regulation, specifically addressing export control, zero-day vulnerabilities, and transparency concerns if the continued unchecked transfer of this technology is to be avoided.
Policy Options: Export Control of Dual-Use Technology
Because Israel controls the sale of Pegasus through the Defense Ministry's oversight of arms exports, many human rights activists and policymakers have advocated for greater and stricter export regulations. Tighter export controls would not address the development of cybersurveillance software within Israel or other countries, but they could prevent its transfer to countries that lack the ability to develop their own programs.
In the field of export control, international regulatory regimes play an important role in setting norms and restrictions. Any effective, comprehensive cybersurveillance regulatory regime would need to receive support from all states that already possess the technology. This consensus has been stymied as the US, EU, and China have developed separate regulatory authorities. Analysis of the US Export Control Reform Act (ECRA), the EU Dual-Use Regulation, and the Export Control Law (ECL) of the People's Republic of China demonstrates that export control regimes are becoming increasingly divergent, reinforcing gaps that firms like the NSO Group have exploited.
Some advocates argue that linking regulatory initiatives with international organizations such as the World Trade Organization (WTO) or the United Nations would persuade more states to participate. Currently, there are numerous initiatives at both organizations to implement international regulation of "cyberweapons" such as Pegasus. However, because of the consensus decision-making model at these organizations, it is unlikely that they will be able to create, adopt, and adapt regulations in such a quickly evolving field. The US, in coordination with allies, could pressure non-participating states to enter a regulatory framework by refusing to export cybersurveillance technology or needed equipment to non-members. Nevertheless, many states would most likely want to maintain the ability to export to countries of their choice to avoid hurting domestic industry. Alternatively, member states in a theoretical international framework could introduce sanctions or blacklist AaaS companies in non-participating countries to compel host countries into compliance with a new regime.
To build an effective international cybersurveillance regime, the US and its allies will need to further develop the Wassenaar Arrangement, an existing export control agreement regulating dual-use goods and technologies that includes forty-two member states. In 2017, the framework was amended to specifically strengthen export controls on cybersurveillance tools. However, the Wassenaar Arrangement is only a framework, not an international regulatory agency or treaty organization. It is considered "soft law" and is non-binding. Participating countries include Turkey, Russia, Mexico, and the US, but there are notable exceptions such as Israel and China. Yet Israel has committed to follow the Arrangement unilaterally, and it claims that none of its approvals for Pegasus exports have violated international export law.
Despite the controversy over Pegasus, Israel's assertion may have grounds given the weakness of the Wassenaar Arrangement. Currently, the Wassenaar Arrangement covers three types of cybersurveillance technology: mobile telecommunications interception equipment, intrusion software-related items, and IP network surveillance. Although the 2017 amendment added intrusion software, it does not restrict it to the same degree as other technologies, so as to allow cybersecurity researchers and white hat hackers access to these tools. It instead regulates software that is "specifically designed or modified for the generation, command, control, or delivery of intrusion software," or what is commonly referred to as "intrusion-related software." Additionally, it puts export controls on systems and equipment that interact with intrusion software. Therefore, it controls the software toolkits that companies sell to clients to conduct operations with intrusion software, but not the intrusion software itself.
Consequently, this allows NSO to sell its Pegasus software in accordance with the Wassenaar Arrangement. NSO insists that it only sells the software to governments and does not operate Pegasus itself. If NSO supplied systems to use Pegasus (which is likely, but not proven), it would then technically be in violation of the Arrangement. Additionally, the accepted interpretation of the Wassenaar Arrangement applies to "cyberweapons" used to infiltrate military systems. Although some experts would argue that this would cover civilian law enforcement, the Wassenaar Arrangement puts the onus on the exporting state to decide whether the export is compatible with the Arrangement. Therefore, even if Israel were a signatory of the Wassenaar Arrangement, it would have significant leeway to interpret Pegasus exports as compliant with the Arrangement. This demonstrates that the current weakness of international export control goes beyond the lack of universal participation.
The Wassenaar Arrangement's inherent problem is that it is trying to regulate the same tools that cybersecurity practitioners need to access for their legitimate work. For example, the kinds of programs that would be controlled under a stricter definition of "intrusion software" are the same programs used in verification software. Some experts recommend using a broad definition but encourage policymakers to include specific regulatory exceptions for cases of legitimate use. However, the exceptions would have to be continuously evaluated and adapted as the field evolves. Instead, policymakers should build adaptability into the Arrangement's provisions on intrusion software. The EU's 2021 export control regulation update contains a "catch-all" clause that requires the exporter to obtain a license for a non-controlled item if it is informed by a "competent authority" that the recipient may intend to repress domestic dissent or violate human rights with the item. This provision acts as an "emergency brake" or a policy stop-gap for situations that arise from the ambiguous "intrusion-related" software definition. The provision also allows the EU to add a new item to the controlled list once a state invokes the clause and all other member states agree within 60 working days. Thus, the new EU export control regulation has built-in flexibility that allows it to be adapted to the quickly evolving cybersurveillance sector.
Combining the EU provision with the US's validated end-user (VEU) process can strengthen the effectiveness of states' export control regimes. Currently, the US maintains a VEU process for recipients of US-based technology in China and India. US export controls allow domestic firms to export without a license to any country that is not embargoed or designated as supporting terrorism if the item is being exported to a subsidiary of a US company or to a company headquartered in a "Favorable Treatment Country" (NATO allies). Therefore, the VEU process is particularly crucial for confirming the actual users of exported software even in instances when no other restrictions are triggered. The US government alerts exporters with "red flags" when it notices that software exports may be destined for an inappropriate end-user. An expansion of the program beyond China and India can serve as a model for cooperation between exporting and importing states through information sharing.
However, putting too much emphasis on government control of export licenses can also have the opposite effect. In the case of NSO, the company had formed an ethics committee prior to the killing of Jamal Khashoggi in 2018. Despite NSO denying that Saudi Arabia had used Pegasus to spy on Khashoggi, it complied with the request of its ethics committee to withdraw Saudi Arabia's permission to use Pegasus. Almost immediately, the Israeli government requested that NSO reconnect Saudi Arabia to Pegasus. At the time, Israeli Prime Minister Netanyahu was conducting secret diplomatic talks with Saudi Arabia and had an obvious political interest in maintaining cordial relations. Although it initially declined, NSO later succumbed to the pressure and reconnected Saudi Arabia to Pegasus. Compliance with international frameworks and even domestic controls can thus be subject to governments' strategic aspirations. Therefore, any future international system based on the above US-EU best practices needs other mechanisms that can be implemented when individual states do not comply with their obligations.
Zero-day Vulnerability Regulation
Even if a robust, enforceable international framework is developed for export control, it does not stop the development of cybersurveillance technologies, nor does it prevent the transfer of software between black market actors. For example, in 2018, a disgruntled ex-NSO employee stole Pegasus's source code and tried to sell it online to an "industry insider." Hence, some experts argue that international efforts should not stop at export controls but should also cover the governance of zero-day vulnerabilities.
Policymakers and hackers view zero-day vulnerabilities differently, making it challenging to define them for regulation. Policymakers frequently view zero-day vulnerabilities as a commodity that can be defined and regulated, whereas the hackers using them see such vulnerabilities as multifaceted processes. The global nature of the market also hampers domestic efforts to regulate the issue, as countries may apply a double standard to domestic versus international regulation. Thus, attempts to include zero-day vulnerabilities in international agreements such as the Wassenaar Arrangement have been met with opposition over concerns that regulation may limit positive cyberoperations such as researchers' attempts to identify bugs. On top of this, pricing in the zero-day market is not standardized, since it depends on several factors such as the bug's importance (which may depend on its importance to the buyer), and the market is largely conducted outside the reach of government regulators. Thus, it is difficult to regulate the zero-day market in the same way governments manage commerce in other sectors. As a result, many experts recommend avoiding attempts to regulate the zero-day market, as it is nearly impossible to enforce effectively. Instead, they propose that policymakers focus on promoting programs such as Hack the Pentagon that use vetted hackers to find vulnerabilities that pose a national security risk. These programs help mitigate the national security risks of zero-day vulnerabilities but do not attempt to intervene directly in the market.
However, if domestic governments want to attempt to regulate the market, they need to create and enforce policy on both the international and domestic levels. To build a foundation for international norms on zero-day governance, the US can first work with the North Atlantic Treaty Organization (NATO) or the Organization for Security and Co-operation in Europe (OSCE) as well as traditional allies. After establishing these norms, the US can build on these agreements to partner with the countries most likely to exploit the international zero-day market. The eventual inclusion of these countries, such as China and Russia, would enhance the potency of any agreement. As with export control of cybersurveillance technology, the US can center its coalition-building efforts on establishing "know your vendor" (KYV) standards. The US could improve on its own KYV laws by mandating that any firm bidding for a government contract report its vendors, customers, sub-contractors, and other actors within its supply chain.
The US and its coalition partners should also advocate for private firms to adopt more transparent practices. It has been reported that NSO can perform after-the-fact forensic analysis on its clients' use of Pegasus. Although some activists advocate for this data to be published, most AaaS companies' clients do not want the results of their spyware use disclosed later. Ethics committees can serve as a balance between the realities of the industry and the need for transparency. As mentioned earlier, the NSO ethics committee led to the company's decision to temporarily cut off Saudi Arabia from using its product after Khashoggi's death, proving that ethics committees can be somewhat effective. By taking the added step of requiring ethics committees to regularly release public reports (which NSO's ethics committee is currently not required to do), the US and its partners would strengthen transparency within the AaaS industry. States should require the publication of these reports as a prerequisite for eligibility for government contracts.
The proliferation of Pegasus has revealed the weaknesses of the international export control regime for dual-use technology and highlighted the need to strengthen current agreements like the Wassenaar Arrangement. Progress can be made by increasing the number of participating states as well as by replicating provisions from EU and US export rules to ensure that human rights abusers and security threats are not able to import such software. Furthermore, the US and its international partners must take a multifaceted approach and promote better governance of the zero-day vulnerabilities market, as well as build an international coalition to help establish norms on issues such as "know your vendor" laws. Finally, the US should mandate the release of public ethics committee reports as a condition for obtaining government contracts in order to incentivize transparency in the AaaS industry.
About the Author
Shannon Burton is a second-year graduate student at Johns Hopkins School of Advanced International Studies (SAIS), where she focuses on security and conflict management policy. Previously, she worked in project management in the governance assistance field on the South Asia portfolio at the International Republican Institute and in the Middle East and North Africa division at the National Democratic Institute. She obtained a Bachelor of Arts in International Affairs from George Washington University with a concentration in security policy and a minor in Arabic.