In the hearing on 10 May, you referred to a lucrative market for trading vulnerabilities that manufacturers like NSO exploit. Who is involved in this?
In the commercial IT security sector, companies are now dealing in the knowledge of vulnerabilities and how to exploit them. What the buyers do with this knowledge or with the concrete exploits is only in some states subject to decided rules. Customers are primarily international secret services, their contractual partners, but also intermediaries or criminals, as well as law enforcement agencies and the military.
This grey market for vulnerabilities also includes some better-known companies like Exodus, Azimuth or Zerodium, which specialise in buying and selling exploits. They publish price lists for buying them up. Today, IT researchers can sell their knowledge to whoever pays the most.
Our focus tends to be on these well-known companies, but there are also lesser-known companies or those that serve a niche market. Who are they?
In particular, the United States, the United Kingdom, France, China and Israel are home to the larger providers of commercial hacking tools with associated support services. However, the human rights organisation Privacy International regularly surveys the commercial providers of all Western countries and compiles the "Surveillance Industry Index" on this basis.
What sense do you see in regulating mercenary spyware as dual-use blacklisted goods? And how could the implementation of this control be improved?
We are talking about an international industry that functions according to market economy principles, in which government agencies are regular customers, concluding contracts and spending large sums of money. Accordingly, there should be the political will to pump less state money into this sector. However, previous attempts at blacklisting in other economic sectors, such as the arms industry, have only been partially helpful and have had even less success when suppliers or customers come from non-democratic states.
UN conventions on digital weapons could also be envisaged. This should not first be about comprehensive control of certain bans or focused on the goal of eliminating certain digital weapons altogether. Rather, the market could be pushed back through improved rules or conventions, in which those who develop, pay for and use what is banned are put in the wrong according to new conventions.
NSO is currently trying to get out of the firing line with a change in management and layoffs. They now want to focus more on sales in NATO countries. Don’t such manoeuvres also mean that even more poorly regulated markets worldwide will profit from this, and strengthen companies in countries like Russia or China?
Apparently, the NSO has not managed to get out of the firing line for many months. A new boss will not change anything. But the current series of scandals involving hacking software also has its roots in politics. In some democratic countries, the desire of police forces and secret services to be able to acquire digital attack tools has been met politically and subsequently implemented in law. This has fuelled the market for companies like NSO. Most Western buyers are unlikely to go shopping in China or Russia for such tools in the future.
You say that to protect against mercenary spyware attacks, it is better to focus on niche devices. What do you mean by that? Why is iOS in particular considered insecure?
This recommendation is not unconditional, but depends on one’s own usage habits as well as the knowledge and time one can invest in the security of one’s own information technology devices. The big spyware manufacturers have simply targeted common software and operating systems. Avoiding these also means avoiding a large part of the spyware. Few targets are so significant to the clients of the spy companies that expensive handmade hacking products are created specifically for them.
The big providers, on the other hand, also have advantages: Apple, for example, has recently been reacting in just a few days when vulnerabilities or even ready-made exploits become public. If you regularly install the latest updates, you can achieve a fairly high level of security. I wouldn’t say that iOS is considered insecure as a general rule.
Together with your colleague Chris Köver, you put together "8 points we learned from the Pegasus hearing" on netzpolitik.org. Now, almost 4 months later, what is the most important lesson learned?
The NSO is still holding back on how much knowledge it has, or should have had, about the spying targets of its clients. Their protestations that they could not have known about the numerous attacks on opposition members or activists from a technical point of view are not credible. Without giving serious and technically precise answers to the questions in the committee, the assurances about changes in licensing remain hollow. After the series of scandals and the large number of victims, NSO should come clean and show maximum transparency. But they are far from doing so.
Before long, the MPs in the Pegasus Committee will start drafting a final report. In your view, what demands should not be missing from it?
No more zero-day exploits should be used by state authorities and their contractors: The demand is therefore a ban on the state use of such exploits, also in order to push back the trade through this. In addition, all government agencies must commit to reporting all security vulnerabilities and, if possible, have them closed.