U.S., Canada urged to toughen fight against commercial spyware

U.S. government intelligence employees should be banned for life from working for “foreign offensive operators” as one means of fighting commercial spyware, a member of a Canadian internet research group has told Congress.

John Scott-Railton, senior researcher at the University of Toronto’s Citizen Lab, made the proposal Wednesday while testifying before the House Permanent Select Committee on Intelligence on combating foreign commercial spyware such as NSO Group’s Pegasus and Saito Tech Ltd.’s Candiru.

While Congress has proposed that employees working for the National Security Agency (NSA) and other government intelligence groups be banned from joining what he called foreign offensive operators for 30 months after leaving their jobs, plus five years of mandatory reporting on what they are doing, Scott-Railton argued the ban should be for life.

“We would not let a nuclear weapons scientist go work for a potential adversary in three years,” he argued. “We should not do so with hacking technology.”

His testimony was echoed on Thursday by Citizen Lab director Ron Diebert, who said Ottawa should impose a lifetime ban for those who have worked in the Canadian intelligence and law enforcement agencies from working with “mercenary spyware firms.”

Developers of commercial spyware often say they only sell to law enforcement agencies for fighting crime, Scott-Railton testified. But, he added, governments often use it to spy on opposition leaders, reporters, and other groups that aren’t liked, as well as for espionage against other governments.

Over the years, Citizen Lab, part of U of T’s Munk School of Global Affairs and Public Policy, has issued numerous reports on the threat of commercial spyware. In 2021 it helped Microsoft identify and patch two Windows vulnerabilities it says were used by Candiru. Earlier this month Citizen Lab said Pegasus spyware was found on devices of 30 pro-democracy activists in Thailand.

Leading IT countries like the U.S., the U.K., Russia, and China have the ability to create their own spyware, Scott-Railton said. But he warned against the spread what he called “mercenary spyware” — meaning spyware that can be bought or rented by governments with less sophisticated capabilities.

Last year the U.S. blacklisted several companies for selling commercial spyware.

But in his Congressional testimony he urged Washington to do more to fight commercial spyware. As reported by The Record, Scott-Railton told Congress that NSO Group received investment from the Oregon Public Employee Retirement System (Oregon-PERS) and the Alaska Permanent Fund Corporation via the private equity firm Novalpina Capital, and suggested more substantial financial crackdowns.

He said not only should there be lifetime bans for certain people from working for foreign commercial spyware companies or government agencies, the government should also:

  • prevent U.S. federal agencies from doing business with identified problem companies. “Getting federal contracts is the ultimate prize for any defense contractor and their investors,” said Scott-Railton. “Removing this opportunity would have an immediate impact;”
  • expand the tools available to hold identified problem companies, and their officers, accountable, including sanctions, and work to co-ordinate these actions with allies, such as the Five Eyes intelligence group of the U.S., Canada, the U.K., Australia, and New Zealand;
  • apply diplomatic pressure to the countries that have become safe havens for the spyware industry, and that are enabling identified problem companies to thrive without regulation or oversight;
  • pass legislation ensuring comprehensive U.S. export control and transparency requirements for domestically-developed spyware, including extensive due diligence for national security risks and human rights concerns.
  • continue support for internet security and privacy promoting technologies through the Open Technology Fund.

In an email Thursday Citizen Lab director Ron Diebert said Ottawa should follow the example that has been set by the United States and some European allies in fighting commercial spyware.

That includes holding hearings on the risks and threats of the mercenary spyware industry, especially since we know from public research that Canadians have been victims of spyware used by foreign governments here, and developing strong export control guidelines for the Canadian surveillance industry. Currently, there are no such Canadian restrictions, he wrote.
Parliament should also impose regulatory penalties on firms that are known to facilitate human rights bans abroad, modeled after the U.S. Commerce Department’s designated entity list, he added.
Ottawa should also develop a publicly available set of procurement guidelines for Canadian agencies who purchase spyware, detailing the vendors and committing to never undertaking procurement with firms that are connected to human rights abuses abroad.
The government should “issue clear and forceful statements at the highest levels that Canada takes this threat seriously, especially considering we are chairing the Freedom Online Coalition this year,” Diebert also said.
Public Safety Canada has been asked for comment. At press time the department said it is working on a response.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs