Google, Cisco, others wake up to threat from ‘cyber-mercenary’ NSO Group

Several tech giants filed an amicus brief in support of WhatsApp’s legal action against Israeli firm NSO Group, which develops and sells spyware and hacking tools. 

A private cybersurveillance industry that is expanding and immunised from civil or criminal prosecutions would mean “more foreign governments with powerful and dangerous cyber-surveillance tools” that would increase “systemic cybersecurity risks,” the brief argues. 

Filed by Google, Microsoft, Cisco, GitHub, LinkedIn, VMware, and the Internet Association (which represents companies like PayPal, Amazon, and Twitter), the brief holds that granting NSO immunity would pave the way for a growing private cyber-surveillance industry to further exploit technological vulnerabilities in violation of US law.

The joint legal filing came after a Citizen Lab report revealed that spyware products from NSO Group were used by governments to hack into 36 phones of journalists, producers, anchors and executives at Al Jazeera and a journalist at Al Araby TV.

Continued attacks on journalists and human rights defenders

The Al Jazeera journalist breach is the latest known use of the firm’s products to hack civilians. 

NSO Group claims that it sells its technology to help governments target and fight “terrorists” and “crime,” but its spyware has been found on civilians phones repeatedly over the past few years. Critics say the firm poses a major threat to human rights 

A 2017 Citizen Lab report found that dozens of journalists, lawyers, scientists, public health campaigners, anti-corruption activists, politicians, and their families had been targeted with NSO. 

A UN forensic investigation in January identified the NSO Group’s Pegasus as the spyware used to hack into the phone of Amazon CEO and Washington Post owner Jeff Bezos in 2018.

NSO’s spyware was also used to spy on Saudi Arabian journalist Jamal Khashoggi who was brutally murdered two years ago.  

The spyware was injected into victims’ phones through WhatsApp phone calls, even if the user did not pick up the phone. Programs allow access to the phone’s microphone, camera, and storage. 

“21st century mercenary”

In October 2019, Facebook subsidiary WhatsApp sued NSO for helping governments target 1,400 WhatsApp accounts in 20 countries by exploiting an app vulnerability to spy on diplomats, human rights activists, political dissidents, government officials, and journalists.

In July, NSO lost a case before a US district court in California over its claim that it had no role in the targeting of the WhatsApp users. Judge Phyllis Hamilton ruled that the NSO Group “retained some rule” in the breach. 

Since then, the NSO Group has argued for foreign sovereign immunity from US hacking laws since it works for sovereign governments.

Sovereign immunity is a legal doctrine that protects states from lawsuits without their consent. 

The brief aims to counter this claim. 

“[O]ne of these 21st-century mercenaries, called the NSO Group, is attempting to cloak itself in the legal immunity afforded its government customers, which would shield it from accountability when its weapons inflict harm on innocent people and businesses,” wrote Tom Burt, head of Microsoft Customer Security and Trust, in a blog post. 

“NSO Group’s business model is dangerous...immunity would enable it and other PSOAs [private-sector offensive actors] to continue their dangerous business without legal rules, responsibilities or repercussions.”