US lawmakers call for regulation over “hacking for hire” industry

Representatives Tom Malinowski (NJ-07), Katie Porter (CA-45), Joaquin Castro (TX-20), and Anna G. Eshoo (CA-18) said that the recent revelations regarding the misuse of the NSO Group’s software reinforce their conviction that the hacking for hire industry must be brought under control.

Adding that companies should not be selling sophisticated cyber-intrusion tools on the open market and that the US should work with its allies to regulate this trade: “Companies that sell such incredibly sensitive tools to dictatorships are the A.Q. Khans of the cyber world. They should be sanctioned, and if necessary, shut down.”

”The NSO Group’s denials are not credible, and show an arrogant disregard for concerns that elected officials, human rights activists, journalists, and cyber-security experts have repeatedly raised. The authoritarian governments purchasing spyware from private companies make no distinction between terrorism and peaceful dissent; if they say they are using these tools only against terrorists, any rational person should assume they are also using them against journalists and activists, including inside the United States,” the statement read.

“Selling cyber-intrusion technology to governments like Saudi Arabia, Kazakhstan, and Rwanda based on assurances of responsible use is like selling guns to the mafia and believing they will only be used for target practice.

”The United States government and our allies often partner with private companies to develop and provide to our national security agencies sensitive technologies. But we would never tolerate a company that contracts with the Pentagon to develop drone, or missile, or laser technology, and then sells that technology on the open market to governments that might use it against us. If hacking for hire companies continue to exist, clear rules must be established to ensure they only do business with governments in rule of law states.”

The representatives have called on the U.S government to urgently:

1. Call out by name publicly and in reports provided to Congress private companies that sell cyber-intrusion tools to governments with a history of misusing them.
2. Consider the immediate addition of the NSO Group and any other company engaged in similar activities to the Entity List administered by the Commerce Department and consider the company’s abusive clients for sanction under the Global Magnitsky Act.
3. Establish by legislation or executive order a sanctions regime to hold accountable individuals and companies that sell these tools to authoritarian states.
4. Ensure that the NSO Group and companies engaged in similar activities do not access American investors funds—including through a potential IPO—through SEC regulations that would protect non-securitized capital from funding their activities.
5. Accelerate efforts to finalize accession to the Wassenaar Arrangement’s limited controls on cyber-intrusion tools, lead a multilateral initiative to impose strengthened controls with transparent human rights assessments on items with surveillance capabilities, and consider SEC regulations requiring companies to publicly disclose exports of technologies with surveillance capabilities and to carry out published human rights due diligence for any such exports.
6. Investigate and assess the possible targeting of American ‘journalists, aid works, diplomats and others’ with NSO Group’s Pegasus spyware, determine whether America’s national security was harmed, and take steps to protect all Americans, including federal employees, from the threat posed by the growing mercenary spyware industry.