A Big Tech team of Microsoft, Google, Cisco, VMware, LinkedIn and GitHub is joining Facebook in a legal fight against spyware vendor NSO Group, alleging the group enables its customers to break into computers, phones and other connected devices.
In a blog post on Monday, Microsoft’s Corporate Vice President for Customer Security and Trust Tom Burt wrote that the Israeli firm’s tools contribute to the alarming increase in cyber attacks.
The litigation centers around the NSO Group’s spyware called Pegasus, which Burt says can be installed on a device simply by calling the device via WhatsApp, the Facebook-owned end-to-end encrypted messaging app. A device’s owner doesn’t even need to answer.
According to Reuters, Facebook first filed the lawsuit last year, but NSO has argued that it should benefit from “sovereign immunity” because it sells tools to police and spy agencies. The company lost that argument and is appealing.
In laying out three reasons why the NSO Group’s actions are concerning, Burt wrote that the firm has used Pegasus to target the devices of journalists and human rights defenders.
These tools could fall into the wrong hands
The mere existence of these tools increases the risk that they could fall into the hands of a malicious cyber actor, Burt says. Previously, only a handful of nation-states with well-funded cyber agencies had these capabilities. But even then, there was misuse, as those tools were used in attacks like WannaCry and NotPetya.
Customers with less robust cyber defenses are more susceptible to intrusion, possibly exposing these dangerous tools to criminals.
“Lowering the barrier for access to these weapons would guarantee that such catastrophes would be repeated,” Burt writes.
Private companies aren’t subject to international law, consequences
Secondly, Burt argues that entities in the private sector that create these tools aren’t responsible for millions of people, economies, or international law in the same way that their customers are. Even governments with these hacking capabilities are bound by certain laws governing the use of these weapons.
Burt also noted that the U.S. and other governments typically share high-consequence vulnerabilities in software with impacted organizations so as to protect the nation’s IT ecosystem.
“Private actors like the NSO Group are only incented to keep these vulnerabilities to themselves so they can profit from them, and the exploits they create are constantly recycled by governments and cybercriminals once they get into the wild,” Burt writes.
Human rights are threatened, regardless of intention
Lastly, organizations like the NSO Group are a threat to human rights, regardless of their intention, Burt writes, noting several companies that have used surveillance tools purchased from similar organizations to spy on human rights defenders, journalists and others, including U.S. citizens.
These tools allow users to track someone’s location, listen to conversations, read texts and emails, look at photographs, download their data, see their contacts list and more.
Burt cited a recent report about Pegasus being used to hack 36 phones belonging to journalists and other employees at Al Jazeera.
“Privacy is fundamental to the ability of journalists to report, of dissidents to speak their voices and of democracy to flourish and these tools threaten their rights and their lives,” Burt writes.