The powerful chairman of the House Intelligence Committee said Wednesday that he will fight foreign commercial surveillance with greater urgency, calling the technology a national security risk and universal threat to individual privacy.
Rep. Adam Schiff, D-Calif., said he is alarmed by the proliferation of powerful spyware that “can be used against every member of this committee or in the executive branch, every journalist and political activist, every American citizen, every citizen of the world with an electronic device.”
Schiff’s call to action came during a House Intelligence hearing featuring prominent security researchers and a victim of spyware.
Last week, the committee approved legislation to give the president and intelligence community more power to sanction and ban contracts with firms selling military-grade surveillance tools within the intelligence community. Days later, Schiff and fellow committee members used the hearing to signal grave concern about the threat spyware poses not only to the intelligence community, but also to the public at large.
Members from both parties appeared disturbed by the fact that American companies and investment funds support spyware vendors. Schiff said the U.S. must do more to counter the “robust market for powerful spying tools that are sold on the open market, essentially offering sophisticated signals intelligence capabilities as an end-to-end service.”
Schiff said spyware poses a serious threat to national security and suggested the extent of the technology’s proliferation may be much larger than is realized. Pointing to a December revelation that spyware had been found on the phones of 11 American officials working in Uganda, Schiff cautioned that he believes “we are very likely looking at the tip of the iceberg.”
Google alone tracks more than 30 spyware vendors worldwide and there may be hundreds of government customers working with those vendors, said John Scott-Railton, a researcher at the University of Toronto’s Citizen Lab, which has conducted extensive research on the spyware market and focused much of its work on an Israeli company called NSO Group that sells Pegasus surveillance technology.
Scott-Railton and his colleagues have exposed several spyware incidents, including a Pegasus hack of a phone connected to the British Prime Minister’s office, Pegasus used on 63 Catalans targeted in Spain and an intrusion into the phone of a New York Times reporter covering Saudi Arabia.
Reuters reported Wednesday that European Union Justice Commissioner Didier Reynders said Apple told him in 2021 that his iPhone had possibly been hacked using Pegasus. Investigation revealed “indicators of compromise,” Reuters reported.
Scott-Railton told Schiff and his committee that not enough has been done to date and urged them to act more quickly and decisively moving forward. “It has taken us too long to have this conversation … and now we must make sure it moves at the pace of proliferation.”
More can be done to stop American companies and investors from supporting spyware vendors, Scott-Railton told the committee. He said the majority owner of Pegasus vendor NSO Group is the Oregon Public Employees Retirement System. The Alaska Permanent Fund, which was established in 1976 to invest a portion of the state’s oil revenue for future generations, is also an investor in the Israeli spyware vendor, he said.
Shane Huntley, senior director of Google’s Threat Analysis Group (TAG), told the committee that Google has been tracking spyware for years. Seven of the nine zero-day vulnerabilities TAG discovered in 2021 were originally developed by commercial providers and sold to and used by state-sponsored actors, Huntley said. He said the spyware industry is “thriving” and pointed to a large industry conference held recently in Europe.
“This trend should be concerning to the United States and all citizens,” Huntley said. “These vendors are enabling the proliferation of dangerous hacking tools, arming nation state actors that would not otherwise be able to develop these capabilities in-house.”
He urged the committee to act, saying it is time for government, industry and civil society to “come together to change the incentive structure which has allowed these technologies to spread in secret.”
Huntley warned that we don’t yet even understand the scope of the threat. In addition to grappling with that problem, Huntley said the U.S. should also consider ways to foster greater transparency in the marketplace, including by “setting heightened transparency requirements for the domestic surveillance industry … and by reviewing and disclosing its own historical use of these tools.”
The U.S. must consider a full ban on federal procurement of commercial spyware technologies and contemplate imposing further sanctions to limit spyware vendors’ ability to operate in the U.S. and receive U.S. investment, Huntley said.
“The harms from this industry are amply evident by this point, and we believe they outweigh any benefit to continued use,” Huntley said.
Google is not the only major tech company tracking the problem and sounding an alarm. Microsoft officials submitted testimony to the committee that said it is seeing increasing use of spyware by authoritarian governments. The company also announced it has disrupted the use of certain cyber weapons created and sold by a group Microsoft calls KNOTWEED.
Attacks targeting law firms, banks and strategic consultancies in countries such as Austria, the U.K. and Panama were detected as part of Microsoft’s KNOTWEED investigation. The company has since issued a software update to address the problem.
Schiff suggested more action will be coming from the committee, saying he believes the U.S. needs to put a “greater emphasis on this” and “respond to this threat with urgency.”
Several committee members from both parties expressed similar concerns, a development that highlights the rapidly evolving understanding of the threat and its magnitude.
“There’s little that you can do currently to protect yourself,” Schiff said. “The availability of these tools in the hands of governments who previously lacked robust surveillance capabilities was truly a game changer for the US national security … [and] for autocratic regimes that are looking for new means to surveil, intimidate, imprison or even kill dissidents, journalists and others they view as a threat.”