Pegasus in Downing Street? Commercial Spyware and Espionage Competition

April 27, 2022 Topic: Spyware Region: Europe Blog Brand: Techland Tags: CybersecurityEspionageIntelligenceNSO GroupIsraelUnited Kingdom

Pegasus in Downing Street? Commercial Spyware and Espionage Competition

States have always spied on each other, but is commercial spyware an equalizer?

States spy on each other. This fact is neither shocking nor surprising in itself. There are plenty of good reasons why states do it, even if not all states are equal in their relative intelligence power. So, you would think by now that we would have a high bar for being surprised or shocked by revelations about states spying on each other.

Certainly, when states become victims of espionage their responses are shaped by a number of factors, including the strategic context (is the transgressor an adversary or an ally?) and the severity of the case (a one-off or a sustained campaign?). Domestic public opinion might be inflamed by revelations of espionage victimhood, or else barely flicker with quickly-fading attention. Throughout, “victim” states will recognize that the basic problem—that they are targets of foreign espionage operations—is the mirror image of their own pursuit of intelligence gain against other states. States are not, therefore, shocked or surprised by the existence of foreign espionage: they do their best to counter it and remediate and respond to it where they have to. As indicated by recent comments from FBI director Christopher Wray about the magnitude of the threat posed by Chinese espionage, recognizing the perennial nature of espionage doesn’t necessarily imply complacency towards it.

The high bar to surprise or shock holds good even in the case of newer forms of espionage, such as digital or “cyber” spying—that is, establishing access to digital data for intelligence gain, whether that data is stored “at rest” somewhere (on a device like a mobile phone or laptop), or else by intercepting data whilst it is traversing a network. Nearly a decade after Edward Snowden’s revelations, few people can be surprised that some states have not only the ambition but also the capabilities to derive significant intelligence gains from information and communications technology.

Another obvious point is that, given much of this global technological infrastructure is built, owned, and operated by the private sector, the practice of states spying on each other inevitably involves relationships—commercial, collaborative, or competitive—between governments and companies. These relationships might be transactional—the procurement by governments of a service or tool—or they might be framed by legal requirement, compelling companies to comply with lawful requests for access. Equally, they might involve the non-consensual acquisition of data from companies by government intelligence agencies, or indeed the recognition that these companies are useful vectors of attack, so-called “supply chain” attacks such as the SolarWinds case.

The private sector’s importance also extends to digital spying by the state on its own citizens: “sovereign” capabilities for domestic surveillance are more likely to be developed by the private sector than the state itself. States with a thriving tech sector undoubtedly have had an advantage in this respect, with a domestic network of trusted companies to develop surveillance tools and systems. But, over decades, the market for commercial spyware has become truly global.

At its best, this global market helps to fill an important gap—providing those states that would otherwise lack the technical capabilities with the ability to counter severe national security threats such as terrorism or serious crime. But at its worst, the capabilities procured from the global marketplace can enable repressive states to target dissidents, either passively or to enable operations against them.

Many companies are active in this marketplace, but one, in particular, has become a focal point for global criticism of commercial spyware: the Israeli company NSO Group – and particularly its Pegasus spyware. Pegasus is reportedly so good at what it does—for example, providing “zero-click” access to a targeted iPhone, meaning no need for targets to fall for malware-laden messages—that many states were lining up to procure its services. This customer interest was great for the company—and presumably also for the Israeli government. The government issued export licenses for the spyware and potentially was able to integrate this commercial success into its wider diplomatic strategy—essentially, what many states would do in a similar position.

The problem facing the company—whether it was recognized as such or not—was how to contain the potentially negative consequences of this burgeoning customer interest. New contracts were one thing, but would its values, future sales, and potentially its continued existence as a company be compromised if its new customers used Pegasus to spy on innocent subjects, to enable victimization and human rights abuses? To this question we can add one other, perhaps more strategically pertinent for the Israeli government, and potentially devastating in repercussions for businesses like NSO Group: what if Pegasus was used, not against a client’s domestic targets, but against foreign governments, including governments with which Israel has close diplomatic ties?

This is indeed what recent reporting suggests has happened, with revelations in December 2021 that Pegasus had been used to target U.S. diplomats working overseas, and in more recent reporting that a range of European officials, including someone from the UK government working in the prime minister’s office (10 Downing Street), had also been targeted. In the UK case, independent researchers suspected the state client using Pegasus to target the UK was the United Arab Emirates (UAE). In diplomatic terms, the UAE is a relatively close regional partner of the UK—one with a controversial and widely-reported broader strategy of harnessing commercial spyware services to enhance its national intelligence power.

The same reports that highlighted the reported breach of communications in 10 Downing Street also indicated that Pegasus customers had also successfully used it in 2020 and 2021 against UK diplomats—with the UAE, India, and Cyprus identified as the potential state actors. All these states are regarded as partners—indeed, just this month the UK prime minister, Boris Johnson, signed agreements with his Indian counterpart, Narendra Modi, including an agreement to improve cybersecurity cooperation.

This juxtaposition suggests that states take a broad view of such revelations, placing them in broader strategic context. This is similar in the U.S. case, where bilateral relations with Pegasus-customer states appear relatively unharmed. In contrast, the United States has pursued more targeted responses against NSO Group and other firms, and might go further to address foreign commercial spyware more generally.

Collectively, this might suggest that we are at some kind of transitional point in the relationship between states and commercial spyware. A global market that has developed quickly and in the shadows is now very much more salient and starting to provoke some pushback from states. And yet, whilst the fates of a single company like NSO Group can rise and fall, it is very difficult to see the wider industry enjoying anything other than continued success.

States are not going to stop wanting to spy on each other, or on other, non-state targets. The market that has grown to cater to this perennial state practice is too valuable, too globally dispersed, and likely also too covert to be readily amenable to collective, verifiable efforts to curb it. And, in the absence of effective constraints, commercial spyware will continue to level the playing field between state actors in the competition for intelligence gains. This will create both opportunities to be exploited and challenges that must be overcome—an ever-present feature of intelligence competition between states throughout history.

Joe Devanny is a Lecturer in the Department of War Studies at King’s College London. He writes here in a personal capacity. He can be contacted on Twitter @josephdevanny.

Image: Reuters.