May 24, 2019

May 24, 2019

Subscribe to Latest Legal News and Analysis

May 23, 2019

Subscribe to Latest Legal News and Analysis

May 22, 2019

Subscribe to Latest Legal News and Analysis

May 21, 2019

Subscribe to Latest Legal News and Analysis

Espionage and Export Controls: iPhone Hack Highlights New World of Warfare

Last week, researchers at Citizen Lab uncovered sophisticated new spyware that allowed hackers to take complete control of anyone’s iPhone, turning the phone into a pocket-spy to intercept communications, track movements and harvest personal data. The malicious software, codenamed “Pegasus,” is believed to have been developed by the NSO Group, an Israeli company (whose majority shareholder is a San Francisco based private equity firm) that describes itself as a “leader in cyber warfare” and sells its software — with a price tag of $1 million – primarily to foreign governments. The software apparently took advantage of three previously unknown security flaws in Apple’s iOS software, and was described by experts as “the most sophisticated” ever seen on the market. Apple quickly released a patch of its software, iOS 9.3.5, and urged users to download it immediately.

Citizen Lab learned about Pegasus from Ahmed Mansoor, a UAE human rights activist, who received text messages baiting him to click on a link to discover “new secrets about the torture” of Emirati prisoners. Mr. Mansoor had been prey to hackers before, so he contacted Citizen Lab. When researchers tested the link, they discovered software had been remotely implanted onto the phone, and brought in Lookout, a mobile security firm, to reverse-engineer the spyware. Citizen Lab later identified the same software as having been used to track a Mexican journalist whose writings have criticized Mexico’s President. Citizen Lab and Lookout also determined that Pegasus could have been used across Turkey, Israel, Thailand, Qatar, Kenya, Uzbekistan, Mozambique, Morocco, Yemen, Hungary, Saudi Arabia, Nigeria, and Bahrain, based on domains registered by NSO.

NSO Group, the architect of Pegasus, claims to  provide “authorized governments with technology that helps them combat terror and crime,” insisting that its products are only used in lawful ways., NSO spokesperson Zamir Dahbash told reporters that the company “fully complies with strict export control laws and regulations.” The Citizen Lab researcher who disassembled the malicious program, however, compared it to “defusing a bomb.” All of which raises the question – what laws or regulations govern the export of cyber-weapons by an Israeli firm (likely controlled by U.S. investors) to foreign governments around the world?

Cyber weapons are becoming increasingly interchangeable with traditional weapons. Governments (or terrorists) no longer need bombs or missiles to inflict large-scale destruction, such as taking down a power grid, since such attacks can now be conducted from anywhere there is a computer. Do export controls – which have long been used as foreign policy and national security tools, and which would regulate the transfer of traditional weapons – play any real role in regulating the transfer of weapons of cyber-surveillance or destruction? In fact, the legal framework underlying current export controls has not caught up (and maybe never will) to the capabilities of technological tools used in cyberwarfare. Proposals to regulate malware have been met with resistance from the technology industry because malware technology is often dual-use and the practical implications of requiring licenses would impede technological innovation and business activities in drastic ways.

The Wassenaar Arrangement

The Wassenaar Arrangement (WA) was established in 1996 as a multilateral nonproliferation regime to promote regional security and stability through greater transparency and responsibility in the transfer of arms and sensitive technologies. The United States is a member. Israel is not, but has aligned its export controls with Wassennaar lists.

In December 2013, the list of export controlled technologies under WA was amended to include commercial surveillance software, largely to curb human rights abuses by repressive governments’ use of spyware on citizens. Earlier this year, the Department of Commerce issued recommendations that the definition of “intrusion software” in the WA be modified to encompass the concept of “authorization” so that malware such as Pegasus, in which the user does not truly understand the nature of the consequences, would be controlled. Those proposals have not been implemented.

U.S. Export Controls of Malware

In 2015, following data breaches at the Officer of Personnel Management and several private companies, the Department of Commerce published proposed rules to harmonize concepts embedded in the WA into the U.S. regulatory framework for export controls. One critical proposal was a definition of “intrusion software” to require a license for the export and use of malware tools. But the definition covered much more than malware. Cybersecurity experts were alarmed by the rule’s over-inclusive and vague language. The rules would have impeded critical business activities, stifled international research and cross-border exchanges of technology, and hindered response to cyber threats.

NSO Group has been described by researchers as “incredibly committed to stealth, and  reportedly has close partnerships with other Israeli surveillance firms that seek to sell spyware, suggesting an inevitable increase in cyber mayhem. As malware becomes more sophisticated, widespread, and threatening, the need for strictly tailored export controls is not going to go away.

Regulating software is challenging at least in part, because there is no workable legal definition of what constitutes a cyber weapon. Because malware is largely dual-use, the only way to determine whether particular software constitutes a cyber weapon is retroactively. If software has been used as a weapon, it is considered a cyber weapon. But that definition arrives far too late to control the dissemination of the code. Moreover, controlling  components of that software would likely be over-inclusive, since the same code that can exploit flaws to break in to devices can also have benign uses, such as detecting vulnerabilities to help manufacturers like Apple learn what needs patching. Another challenge is that requiring  export licenses can take months, which, in the fast-moving tech world is as good as denial.

The revelation of the Pegasus iPhone spyware highlights questions that have perplexed national security and export control experts in recent years. As the use and sophistication of malware continue their explosive growth, not only must individuals and governments face the  chilling realities of cyber warfare, but regulators must quickly understand the technological issues, address the risks, and work with the cyber security and technological communities to find a path forward.

Copyright © 2019, Sheppard Mullin Richter & Hampton LLP.

TRENDING LEGAL ANALYSIS


About this Author

Fatema Merchant, international, trade, Lawyer, Sheppard Mullin
Associate

Fatema Merchant is an associate in the Government Contracts, Investigations & International Trade Practice Group in the firm's Washington, D.C. office.

Fatema’s practice focuses on investigations and compliance counseling related to international trade laws.  She has extensive experience with U.S. Foreign Corrupt Practices Act and U.S.-Sanctioned Countries investigations, compliance, due diligence, and training.  Fatema also advises clients on compliance with International Traffic in Arms Regulations, Export Administration Regulations, Customs and Anti-Money Laundering...

202-469-4930
Partner

Laura Jehl is a partner in the Business Trial Practice Group in the firm’s Washington, D.C. office. Ms. Jehl is a privacy and cybersecurity expert and serves as Co-Leader of the Privacy and Data Security Practice.

Ms. Jehl has more than two decades of in-house and private practice experience, and has represented clients on a wide range of business and legal matters, including privacy, data security, breach response, litigation and government investigations, crisis management, Internet, digital media, technology and First Amendment matters. Most recently, Ms. Jehl worked as a Senior Strategist for a strategic communications and public affairs firm where she counseled clients facing legal and media scrutiny, primarily involving cybersecurity and data breaches, privacy practices,  litigation and government investigations.

Previously, Ms. Jehl served  as General Counsel, Chief Privacy and Security Officer at Resolution Health, Inc., (“RHI”), a healthcare data analytics and personalized communications company, which was acquired by Anthem, Inc., the Fortune 50 health insurer. In addition to serving as RHI’s General Counsel, with responsibility for all the company’s legal and privacy matters, Ms. Jehl, who is CIPP/US certified, had responsibility for privacy matters across the Anthem enterprise. She played a leading role in developing and executing Anthem’s highly-regarded response to a major cyberattack in January, 2015 in which hackers accessed the personal information of more than 80 million individuals. At Anthem, Ms. Jehl also served as principal legal counsel for innovative healthcare technology development initiatives.

202-747-1922