Pegasus is just one of many; some spyware tools can also plant false evidence
“Clean” cybersecurity companies should not employ people who have previously worked for a company that also produces spyware. This initiative was proposed by an internationally renowned expert at a conference in Tel Aviv. Iftach Ian Amit addressed the industry because no one at the week-long event, which was attended by academics, professionals and several Israeli government officials, had addressed the Pegasus scandal, which was unfolding at the time. Interview.
Support independent investigative journalism in Hungary, become a patron of Atlatszo on Patreon!
There was no mention of the surveillance scandal, which by then was of worldwide interest, although several members of the Israeli government also spoke at a conference organised by Tel Aviv University together with security companies in July this year. A well-known security expert, who was introduced on stage as Mr. Cyber, gave the closing keynote speech. Iftach Ian Amit did not want to let this pass, so in his speech he suggested that:
in the future security companies should not employ professionals who have previously worked for a spyware company that has engaged in illegal practices.
Amit has also worked as a professional hacker, looking for vulnerabilities in companies’ defence systems. He is currently the Chief Security Officer at Cimpress and has previously worked as a security executive at several international companies (Amazon AWS, ZeroFOX, IOActive, Aladdin).
An expert in the spyware industry, he left the field when a product similar to Pegasus was ordered from his former employer by a South American dictatorship. Although this software was not ultimately produced, Amit objected to the fact that the Israeli authorities quickly and without hindrance granted permission for the production and distribution of a product of clearly dubious legitimacy.
- Why did you choose to end your closing keynote speech at Cyber Week by saying that cyber security companies should simply refuse to employ anyone who formerly worked for a spyware company with illegal practices?
It is a practice which I adopted a long time ago, and this topic was not really addressed during the conference. A lot of news came out about NSO and Pegasus during the week of the conference, yet none of the speeches made by the very high-ranking government officials seemed to address or even acknowledge the problem of spyware companies, so I thought I might as well address it.
- Have you yourself worked for a company with a similar profile to NSO?
I did not have direct experience with these products; I have never created or sold a program like Pegasus. I did do some work for a company in the consulting business, and towards the end of my tenure there the company started to seek new business and started engaging with the types of customers (South American organizations) that NSO, FinFisher and Hacking Team were getting. Shortly after we started creating a product like that, I quit. Once I saw, especially, the customers and some of the brokers who were working in that industry and the nature of the work, I thought “that is not for me, I’m out”.
- Who are these brokers? Companies or individuals?
Sometimes it is small companies, and sometimes it is individuals, with a background in security services, policing, government, ex-military: a shady group.
- Are there many tools available like Pegasus and Candiru? Why do you think Pegasus got so much more attention compared to Candiru for example?
I don’t know why Candiru was “neglected”; they are sister companies anyway through their ownership structure. There are other similar companies of course; it just happens that NSO is the most vocal one, and probably the most aggressive one, because of their audacity, their practice of working with questionable customers, and their sales practice of being willing to engage with anyone or anything. I am sure that Candiru, Hacking Team and Black Cube specifically, and many others, are also very much engaged with different questionable customers, but NSO has probably been the biggest one. It was basically built on the reputation that they are willing to work with any government which wants to acquire such tools.
- Has the uncovering of the Pegasus case changed anything? Do you think there will be fewer illegitimate attempts to use spyware?
I don’t think we can lean back and relax. Also, I don’t want to single out NSO or Pegasus; they are just an example that reflects on the industry. I think that we, as citizens, as people not involved in such activities, should be concerned about the entire industry and where it is leaning. I think many companies operating in the spyware industry are much more legitimate, and not willing to take on any customers, but overall, in this sector there has been a shift – led by companies like NSO, Hacking Team, FinFisher, Gamma…(?), which are well known for pushing the boundaries. And this comes from a competitive need, because there are not that many modern democratic governments that are in their target market. They had to redefine the market and expand the scope of potential customers, and that meant reaching out to other regimes. And this is biting us back: those tools sold to questionable governments are now deployed against us.
- Why do you think the NSO/Pegasus case was uncovered now and not?
There has been ongoing research and ongoing scrutiny. Because this is a mostly unregulated industry, it has been allowed to operate very freely; it continued amassing more and more customers that were willing to override human rights and civil rights, and the number of victims of those systems has been constantly rising. The research into this has been going on for a long time; the timing was not chosen. There have been many incidents before, and I’m sure there will be many in the future as well.
- How did the Israeli public opinion react?
I don’t think there has been an official addressing of the problem. I think the only few cases where I heard any official reactions were after foreign governments asked for clarifications or investigations. The latest one was France, and there has been some “we are looking into it”, which means essentially “we are NOT looking into it, just leave us alone”. As much as I can tell, some people were not surprised at all, saying that “if you are chopping wood, there will be splinters.” Others said it is not acceptable if a government looks the other way, and the industry is filled with ex-military, ex-government people who are left to operate without control, and of course they end up doing shady stuff for the highest bidder.
There is more coverage of this topic, which will certainly raise awareness. I do believe that, just like other questionable industries (spam, adware, online gambling, binary trading, crypto) which proliferated here in the past and were addressed at some point, this is one of those cases; it should be addressed. I feel bad when Israel becomes the place to search for spyware companies, and companies that would do whatever it takes to get competitive intelligence.
- Will this scandal change the situation in any way? The article in which I first read about your speech claimed few companies seemed enthusiastic about your initiative of refusing the employment of people who had worked at a spyware company with questionable practices.
I don’t think so. One of the reasons why the spyware industry is where it is at is because it hangs on to the fact that it is seemingly regulated. Every time one of these companies must respond to an enquiry, the first response is that “everything we do is under scrutiny and under approval of the government”. The first thing they say is “it’s not us, we got approval from the ministry of defense, etc. to sell this product to our customers”.
At the time when I was close to this industry (working for one of these companies also producing spyware) I was responsible for getting these approvals. I know exactly that it’s nothing more than a rubber stamp. I got the approval easily, for a product that did not exist yet. I explicitly said what the capabilities of it would be, and who the intended buyer was (a South American dictatorship) and I got it approved within a couple of days.
The reason why I called out to others publicly in my keynote speech was that I don’t think that regulation is going to change, so if we want to change the current situation it must come from inside the industry, based on economic reasons, drying up the hiring pipeline for these companies. A young security practitioner who has an opportunity to join a company like that will have second thoughts about accepting a job offer there if he knows that afterwards he would not be able to get a job in the legitimate industry.
- After the Pegasus case how should we change our daily practices in privacy matters?
I think there should be a healthy amount of speculation in terms of how the government treats our privacy. There should be a change in how modern citizens think about their privacy in the current information landscape with all the applications used, cell phones etc. Our whole life is contained on a phone. Just knowing we carry so much personal, private information with us on our computers, Gmail accounts etc., means a lot. I am not advocating for a generation of paranoids, just recommending everyone to think twice before clicking “Accept” or installing an app.
- Can you estimate what proportion of this industry operates in legitimate ways, and how many can be using shady practices?
In the spyware industry only a small portion is legit, I think. The number of modern democratic regimes, governments which purchase such tools, is small. The major ones are developing these themselves; they would not trust a third party. The US, Russia, China: they have their own, they do not need to buy these tools from questionable sources.
There are some governments which say they do not have the talent to develop such tools, or they are not willing to invest in this; they want a “shortcut”, they want to be GCHQ, NSA or GRU, but they to get there, so they buy it from someone. The number of legit companies in this industry is limited. Companies coming in from the defense industry (Northrop Grumman, Lockheed Martin etc.) are actively engaged in the legitimate market for defense contractors; they would never sell to questionable regimes. But a lot of the industry is much more questionable…
- Are the spyware tools developed by big countries like Pegasus and the others?
They are pretty much the same: accessing video, audio, location information, etc., everything you do, everything you communicate. Everything you “touch” is recorded on the SIM card of your smart phone. It does not really matter if you encrypt your communication; at the end of the day everything is in there, it must be displayed. So the custom-made tools developed by the big countries will be similar in their capabilities, in terms of gaining access to someone’s assets; perhaps the technical details are slightly different. Governments can work very closely with their respective country’s telecom companies and infrastructure providers. They do not need to bother with tapping your phone line; they go straight for your phone, because the unencrypted data is there. And this way they can also plant evidence there.
- Does this happen often?
Yes, absolutely. At the time when I worked in this field, this was a feature requested by the customers: not just to extract information but to plant it. It is part of the feature set for these programs. It is easier to justify targeting someone after planting evidence there (child porn, documents created in a fraudulent way or proving illegal activities, etc.). It is not easy to explain if the police unlock your phone and find child porn there, even though you know this evidence was not there 5 minutes before.
Written by Gabriella Horn, the Hungarian version of this story is available here.
According to the Carnegie Endowment of International Peace, spyware products from Hacking Team, Black Cube and NSO Group (Pegasus) have been used in Hungary recently, and according to the research group Citizen Lab, NSO-affiliated Saito Tech’s Candiru has also been used in the country.