People are freaking out about reports of NSO Group’s Pegasus surveillance tool being used to spy on journalists, political dissidents, and other opponents of regimes worldwide. It’s disheartening, and worth discussing. But why are we shocked?
I’m an information security realist. With big-league stuff like nation-state surveillance, that means analyzing nation-state incentives. In other words, I’m applying game theory (admittedly amateurly). In Pegasus’ case, the game theory is clear: some company was bound to develop surveillance software, some less-than-scrupulous government was bound to buy it, and they’d eventually get caught.
Much of the media I’ve read has pondered the societal implications of snooping on the smartphones of people most of us agree don’t deserve it. To me, that thought exercise makes a good workout. But healthy exercise requires good form. To hit all the muscle groups, let’s consider Pegasus’s maker, wielder, and target.
A Mythical Beast Bred for Cyberwar
Pegasus has been dragged into the searing light of public scrutiny before. Regardless of how uniquely capable NSO would tell you Pegasus is, its class of software is well-established. In 2015, Italian surveillance tech firm Hacking Team, quite ironically, got hacked and saw its source code leaked online for all the world to fork. A year before that, Gamma’s FinFisher source code was dumped, too.
A look in this flying horse’s mouth reveals it can do everything that a government keeping tabs on “threats” could possibly hope for. Pegasus can nab photos, messages, audio and video recordings, contact lists, and passwords from infected devices. It sets up shop on devices via a text message bearing a payload link. The real trick, though, is that the user might not even see it, because it can dodge the notification tray and SMS app.
You can probably guess why this software exists. It’s impossible to find a government agency that couldn’t benefit from rooting through their targets’ phones to spot national security threats. Not every nation can develop spying tools in house, though. Enter NSO Group and friends.
The issue is, not every country defines “threat” reasonably. Even tyrannical regimes need to protect their citizens — they’re just more keen on protecting themselves.
NSO clearly foresaw the bad publicity it would suffer if a strongman sicced its products on peaceful protesters. To head that off, NSO swears it doesn’t sell to oppressive governments. Amnesty International claims to have a list of 50,000 Pegasus-targeted phone numbers proving that NSO does.
This could certainly be true, but neither party has presented evidence to definitively prove its case. For one thing, how can we be sure that regimes on NSO’s ban list acquired the software legally (i.e. purchased it)? Pirating or reverse engineering the tools is certainly possible. Could someone in the company have snuck copies out and sold them illegally?
That a list of 50,000 numbers was supposedly obtained suggests NSO isn’t airtight. It’s currently unclear how Amnesty’s list was compiled. The organization could be covering for the whistleblower or hacker who snatched the list, but we cannot assume this rationale.
One theory is that every Pegasus command module passes its target list back to NSO, and that someone merely leaked or stole NSO’s composite target list. NSO has every reason to design Pegasus to do so.
- It would enable the enforcement of their repressive government ban. How else would you make sure your software isn’t targeting the wrong people than by seeing the targets? Amnesty’s tone implies NSO doesn’t sincerely care, but it’s hard to argue that NSO could even do any due diligence without such functionality.
- If the Snowden documents taught us anything, it’s that the most capable 21st century intelligence powers are the ones harnessing their domestic private sectors. The NSA stole from and legally coerced American companies with global reach to obtain their data.
- Why should anyone think that Israel, with one of the most aggressive defense-intelligence apparatuses in the world, wouldn’t do the same? Israeli intelligence would benefit greatly from NSO’s trove. Either NSO already received this data and Israeli intelligence requested or pilfered it, or Israeli intelligence had code inserted that collected it.
NSO’s assurance that it “has no insight” into the specifics of customer monitoring operations complicates this theory, contradicting the idea that NSO keeps tabs on customers at all.
However, another Snowden lesson illustrated that the intelligence world loves word games that allow it to make statements that are technically true in light of internal, tortured redefinitions of common terms.
For instance, the NSA claims that it doesn’t “collect” data on Americans simply by sweeping it up because, in NSA parlance, “collect” means a human NSA analyst reviews the data. Why wouldn’t a private surveillance product vendor do likewise?
The Usual Cyber Suspects
Like all products, tools like Pegasus exist because they have buyers. Specifically, Pegasus is robust enough to supply respectable national intelligence capabilities to customers with sub-regional hegemon budgets. Nations that can’t match the United States’ or China’s resources still want to run with the big dogs on surveillance.
As mentioned earlier, less-than-democratic regimes have citizens to protect, too. There’s nothing untrue in that observation, so governments lean on it to give their activities an air of legitimacy.
What enterprising surveillance vendor would say no to that? Surveillance tech vendors aren’t geopolitical experts, so what might seem like a run-of-the-mill political faction to outside observers might be an existential threat to a nation, or vice versa; and, of course, weapon purchasers harboring malicious intent typically don’t announce it.
It’s a tricky business because the traditional meterstick of “does selling to this customer break the law” gets murky when governments are the customers — like Judge Dredd, they are the law.
Authoritarian states impose more permissive definitions of what constitutes a security threat than democratic states.
Many American tech companies don’t operate in China because they refuse to collaborate with Chinese government requests for their data, despite their complete legality under Chinese law. This is not because American companies don’t want to help Chinese citizens stay safe from violent attacks, but because the Chinese government classifies any open critic of the government as a threat to safety.
Once a country of questionable human rights commitment gets its spying software, the radio spectrum’s the limit. They probably will start by scoping out domestic bad guys, as promised. But eventually, they’ll want to train their sights abroad like everyone else.
Such has been the essence of espionage throughout history: see what the other guy, good or bad, is doing to outmaneuver them. Traditionally, any foreigner with political or financial power is a valid intelligence target.
The fact that Macron made Amnesty’s list suggests NSO tools were used for foreign signals intelligence. It is, shall we say, extremely unlikely that France spied on Macron. However, other countries would definitely be interested in knowing what the leader of a moderately powerful Western nation is up to.
Would you stop at domestic violent criminals if you could spy on anyone, anywhere?
As nations increasingly move their critical communication, commercial, and civil infrastructures online, this juncture was inevitable. The economics of digital technology merely accelerated this inevitability.
Pegasus marks the unmistakable point where private surveillance vendors are enabling nations that otherwise could not spy to do so. It’s a perfect example of a distinct dynamic of information security which Bruce Schneier illustrates in his latest book, “Click Here to Kill Everybody.”
To adapt his example, if a country has an elite spy that can extract intelligence from anywhere, that person can still only spy on one country at a time and can’t quickly transmit their skills to others. But software exploits can be packaged into a spying tool and distributed to anyone, and then deployed against every user’s targets concurrently.
At first, only militarily sophisticated nations could develop digital surveillance capabilities. Now, a motivated hacker can distill their tradecraft into point-and-shoot tools, providing any nation wielding it with top-tier surveillance for a fraction of the cost. These economic realities have been steadily playing out — it’s only now that we’re noticing.
No Geneva Convention in Cyberspace
The fact that these hard realities are rational doesn’t make them any softer for anyone. Scrutiny of the consequences of omnipresent Pegasus-like software shows a world that is less shocking than casual news consumers might think.
Some Pegasus analysis writeups I’ve read evidently assumed that readers were eager to bolster their security, since they concluded by dispensing “best practices” like setting unique high-entropy passwords, using encrypted messaging apps, and avoiding suspicious links. Unfortunately, these overlook Pegasus’ previously stated capability of compromising fully-patched OSes without user interaction.
More importantly, as I’ve noted in the past, most users will never be targeted with the likes of Pegasus, so worrying is a waste of time.
Based on NSO’s pricing model, Pegasus isn’t well-suited to mass surveillance. At tens of thousands of dollars per target, it would be exorbitantly expensive to surveil a population of millions, but affordable for tracking a high-priority target list of a few hundred. If you conform and submit — most people do — you’ll be fine.
The other reason I think we’re seeing explosive reporting is that compromising a device is flashier than passively watching the internet backbone or telecom switches.
Intelligence agencies around the world have shifted from collecting data in transit to collecting data at rest, since encryption uptake has made the former less fruitful. Sniffing packets in the air or over the wire has traditionally been the first choice for intelligence agencies only because it was the easiest. Intelligence agencies historically targeted devices, too, but usually only for their top targets.
But now that so much traffic is encrypted, it makes more sense to focus on its endpoints. All the data from those end-to-end encrypted chats is sitting on the sender and recipient devices, decrypted while the device is running and ripe for the taking. There’s a reason it’s called “end-to-end” and not “end-and-end” encryption.
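To make the in-transit versus at-rest distinction concrete, here is a small model of an end-to-end encrypted exchange, added here as an illustration and not code from the post or from any real messaging app. It assumes the two devices already share a key (real apps run a key agreement first), and the cipher is a deliberately simple HMAC-SHA256 keystream with an HMAC tag, a toy construction chosen so the example runs on the standard library alone. The point it shows is which vantage point can read what: the network path carries only ciphertext, while each endpoint keeps the decrypted message history that a device-level compromise would read.

```python
"""
Toy model of end-to-end encrypted messaging from three vantage points:
the network path, the sender device and the recipient device.
Constructed example: the cipher is an HMAC-SHA256 keystream with an HMAC
tag, NOT a production protocol. A shared key is assumed to exist already.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = hashlib.sha256().digest_size  # 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream as HMAC(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, with a fresh random nonce per message."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, wire: bytes) -> bytes:
    """Check the tag first, then recover the plaintext; raise on tampering."""
    nonce, ct, tag = wire[:NONCE_LEN], wire[NONCE_LEN:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message was modified in transit")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Device:
    """An endpoint. Like a real chat app, it stores decrypted history locally."""

    def __init__(self, name: str, shared_key: bytes):
        self.name = name
        self.key = shared_key
        self.history = []  # plaintext at rest on the device

    def send(self, plaintext: bytes) -> bytes:
        self.history.append(plaintext)
        return encrypt(self.key, plaintext)

    def receive(self, wire: bytes) -> bytes:
        plaintext = decrypt(self.key, wire)
        self.history.append(plaintext)
        return plaintext


def run_exchange(message: bytes = b"meet at the usual place") -> dict:
    """Simulate one message and report what each vantage point holds."""
    key = secrets.token_bytes(32)  # stands in for a completed key agreement
    alice, bob = Device("alice", key), Device("bob", key)
    wire = alice.send(message)
    bob.receive(wire)
    return {
        # A passive observer of the wire sees only nonce, ciphertext and tag.
        "network_sees_plaintext": message in wire,
        # An endpoint compromise reads these stores without touching the cipher.
        "sender_store": list(alice.history),
        "recipient_store": list(bob.history),
    }


if __name__ == "__main__":
    report = run_exchange()
    print("plaintext visible on the wire:", report["network_sees_plaintext"])
    print("plaintext on sender device:   ", report["sender_store"])
    print("plaintext on recipient device:", report["recipient_store"])
```

The tag check is what stops an on-path party from silently altering a message, which is the guarantee encrypted messaging actually makes; nothing in the construction can protect `Device.history`, because the device has to hold the key and the plaintext to be useful at all.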
Give Cyber Peace a Chance?
My goal here isn’t to stop worrying and love the digital bomb, but to worry productively. NSO should probably choose its customers more carefully, but we can’t count on that. Get too squeamish about whose emails get read and customers will take their business elsewhere.
What are we plebeians to do? Less than we’d like, but not nothing. If this teaches us anything, it’s that we should understand the limits of our devices. Encrypted messaging apps protect data traversing the internet, but that’s not what sophisticated spying tools target. There are exceptions like stingrays, but you may have noticed that stingray headlines aren’t too common these days.
Your phone doesn’t deserve your trust for the really sensitive stuff. Case in point, no information security pros I know conduct banking on their phone, and neither do I.
If you think the spying NSO enables its customers to do isn’t cool, it’s not enough to red-card players — the rules of the game need to change. Again, shut down NSO and buyers will find new sellers. While the Internet crosses borders, laws can’t. Surveillance vendors will just set up shop wherever business is legal.
To take another (literal) page from “Click Here to Kill Everybody,” attitudes toward vulnerability research and disclosure need to change. If governments disclosed vulnerabilities instead of hoarding them, they could be patched, locking everyone out of using (or abusing) them; and if laws protected good-faith researchers, we’d have the bloodhounds sniffing out security holes.
Until then, as long as there’s money to be made and the powers that regulate it can derive some reward, one entity will sell surveillance tools, another will buy, and a third will let it happen.