The US Commerce Department on Wednesday blacklisted Israeli firms NSO Group and Candiru, accusing the companies of providing spyware to foreign governments that “used these tools to maliciously target” journalists, embassy workers and activists.
Commerce officials added the Israeli firms to the department's so-called “entity list,” effectively banning the companies from buying software components from US vendors without a license.
Also added to the list were Russian firm Positive Technologies and Singaporean firm Computer Security Initiative Consultancy. Commerce accused these two firms of trafficking “in cyber tools used to gain unauthorized access to information systems.”
Taken together, the moves are one of the biggest steps yet by the Biden administration to curb the sale of hacking tools that analysts say have been used in human rights abuses around the world.
“Today’s action is a part of the Biden-Harris Administration’s efforts to put human rights at the center of US foreign policy, including by working to stem the proliferation of digital tools used for repression,” the Commerce Department said in a statement.
NSO Group slammed the Commerce announcement. In a statement, the firm said it is “dismayed by the decision given that our technologies support US national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed.”
“We look forward to presenting the full information regarding how we have the world’s most rigorous compliance and human rights programs that are based [on] the American values we deeply share,” according to the statement, “which already resulted in multiple terminations of contacts [sic] with government agencies that misused our products.”
Positive Technologies and Computer Security Initiative Consultancy did not immediately respond to requests for comment. Candiru could not be reached for comment.
The Treasury Department in April sanctioned Positive Technologies, accusing the firm of providing support for Russia’s FSB intelligence agency. The firm has denied any wrongdoing.
Cybersecurity analysts and human rights activists have long accused NSO Group, in particular, of selling invasive and easy-to-use mobile hacking software to repressive governments. NSO Group’s Pegasus spyware is said to have been used to spy on a journalist and activist in Morocco and the widow of a slain Mexican journalist, among other targets, according to security researchers. (NSO Group has said it only sells its software to authorized users for law enforcement and counterterrorism missions.)
US government officials have been concerned by the expansion of the market for hacking tools and the ability of foreign governments to quickly develop their own cyber capabilities using American expertise. In September, for example, the Justice Department announced charges against three former US intelligence and military operatives for allegedly helping build a hacking program for the United Arab Emirates government.
“The US Department of Commerce’s designation is a very positive first step to bringing some public accountability and order to this otherwise poorly regulated marketplace,” said Ron Deibert, head of the University of Toronto’s Citizen Lab, a research team that has documented alleged abuse of Pegasus.
Natalia Krapiva, tech legal counsel at nonprofit Access Now, said other governments could follow the US in blacklisting spyware vendors.
The United States is “saying these companies are in fact acting in violation not only of universal human rights, but also US national security,” Krapiva said. “US blacklisting them likely means that other democratic powers will have to respond in a similar way and we strongly encourage them to.”