WeeklyWorker

29.07.2021
Able to find holes in Apple’s iOS operating system

The perfect spy

NSO is hugely profitable and closely bound up with the Israeli state and its diplomatic interests. But there is far more to spyware than obtaining information on criminals, terrorists and political opponents. Paul Demarty explains

Recent revelations about the Pegasus spyware will have shocked few people familiar with the cyberweapons industry. But the story provides a timely and disturbing reminder of how vulnerable everyone is nowadays.

‘Everyone’ is probably the right word, given the list of targeted phone numbers obtained by the Pegasus Project - a consortium of investigative journalists and NGO activists from Amnesty International, The Guardian, Ha’aretz, the Washington Post and more. There are also no fewer than 14 current and former heads of state or government - including Emmanuel Macron of France, Cyril Ramaphosa of South Africa, and Lebanon’s ill-starred Saad Hariri.

Elsewhere, and more commonly, governments are the paying clients rather than the targets. Jamal Khashoggi and his family were targeted in the run-up to his gruesome assassination by Saudi agents. The government of India used the software extensively against opposition figures, including one of the extant Gandhi dynasts, and the pacifist Jesuit priest, Stan Swamy, who recently died awaiting trial on dubious charges of Maoist insurrectionism. Several opponents and former associates of Viktor Orbán’s government in Hungary were targeted. The rulers of the United Arab Emirates were particularly enthusiastic consumers of this product, with over 10,000 phone numbers mentioned in connection with Dubai alone.

This has been going on for years - in fact, there was a spate of articles on the subject in 2016, which, of course, were quietly brushed away. For all the thoroughness of the Pegasus Project’s investigations, it is surely inevitable that history will repeat itself.

The producers of this malware are the Israeli firm, NSO, which claims it will sell only to “authorised governments … [to] combat terror and crime”, and claims to scrutinise the human rights records of its customers very carefully. Readers may look at the list of such people above - emirs, Hindutva pogromists, those who cheerily butcher opponents in the embassy basement - and draw their own conclusions about that claim.

Israel is, of course, a leading economy for such ‘products’. Its technology industry is very closely associated with its national security state, and it is a world leader in the high-tech end of the weapons industry. This is hardly the first time its exploits have hit the headlines: it was Israel - most likely in collaboration with the US - that created the Stuxnet worm, used in a truly audacious attack on an Iranian nuclear enrichment plant. Though that was a state rather than a private initiative, the links - here as in other areas of the military-industrial complex - are very close. NSO was founded by alumni of Unit 8200, the ‘signals intelligence’ arm of Mossad. Just as munitions sales from British firms to the Saudis have more than merely economic value, so the provision of such a valuable service to Mohammad bin Salman, Narendra Modi and so on has real diplomatic importance for the Israeli state.

Alarming

What exactly was that service? Pegasus is a piece of spyware, targeted at Apple iPhones and other such devices. It listens for various kinds of activity on the phone and reports details to carefully-obscured internet sites. It is known to have access to SMS messages, passwords, location and call information.

What is so alarming about this? Apple’s iOS operating system has a basically well-deserved reputation for good security engineering practice. Each app is ‘sandboxed’ - that is, it runs in a carefully controlled environment and has very limited access to everything else that is going on on the phone. An app in a sandbox is a little like Jim Carrey’s character in The Truman Show, who lives in a facsimile of a big, wide world that in fact only consists of a small, strictly controlled one. It is always, of course, possible to screw this up. Minor inconsistencies tip Truman off to the reality that his environment is a Potemkin village, and he finds a door in the ‘sky’ and leaves.

Pegasus was able to get discreet access to so many pieces of sensitive information, thanks to several errors in a category called ‘memory corruption bugs’. This is basically when there are certain conditions, often very arcane, under which apps can break out of the ‘sandbox’ - like Truman leaving through the ‘door in the sky’. At least three such bugs are known to have given Pegasus access in the past. One in particular allowed Pegasus to ‘jailbreak’ the device: jailbreaking is a feature on iOS that allows users to disable a lot of the access controls. It is typically used by software developers and hobbyists who are playing around with their phones, but Pegasus was able to achieve it without users noticing. It is to be assumed that other, newer exploits are now in use. One such allowed NSO to compromise a phone merely by initiating a voice call on the popular messaging app WhatsApp - it was not even necessary for the target to accept the call. (Facebook, which owns WhatsApp, is considering its legal options.)

Many of these bugs are so-called ‘zero-day’ vulnerabilities, meaning that attackers (in this case NSO) discovered them before Apple (or Facebook, or whoever else), who therefore have zero days to respond before the vulnerability is exploited. It goes without saying that this oh-so-responsible company, which would never aid anyone with a bad human rights record and only wants to fight “terror and crime”, did not report these vulnerabilities to Apple - since, of course, that would drastically reduce the value of software that exploits them. Put another way: we know, at least, that NSO used these loopholes to hack thousands of phones of politicians, dissidents and whoever else. We have no idea how many run-of-the-mill cybercriminals were able to just rip people off using the same methods, simply because our brave fighters against ‘terror’ failed to alert Apple and get them fixed.

The response to the whole affair in the west has been a deafening silence, for the most part. A few Democratic congressmen condemned NSO and suggested placing it on the same export blacklist as Huawei and others; that, however, is a matter for the White House, which has so far kept silent. Macron could hardly do the same, but in the end he demanded no more than an Israeli inquiry into the matter. Opposition parties in India have objected, of course. But on the whole the bourgeois world is restricted to trying to look angry and hoping it will all blow over. Imagine that it was a Russian or Chinese firm exposed in this way: we would presently be in a hurricane of demands for onerous sanctions, shrieking condemnations and all the rest. But for Israel, as for other hyper-militarised states, it pays to have powerful friends.

Some of the problems posed for the left are more subtle, but not all. For a start we should have no hesitation in condemning the manufacture of this new breed of weapon altogether. Though cyberweapons are not in themselves as dangerous as, say, nuclear bombs (code does not explode), the pervasiveness of computers in today’s world (and, for illustration, we remind comrades that there is a computer in every electrical appliance in your home, in your contactless credit card, and in most modern batteries) massively increases the potential impact of software exploits. The contents of the notorious ‘nuclear football’ - the briefcase, in the possession of a US presidential aide, brought everywhere the commander in chief goes - are, so far as we know, strictly analogue. But the mechanisms by which the president’s instructions would reach the missile silos, strategic bombers and submarines are certainly not. We assume that the relevant networks are well locked down - but so were those at the Natanz facility attacked by Stuxnet.

‘Innocent’ programming errors not long ago caused passenger airliners to drive themselves into the ground, killing hundreds. The potential consequences - intentional or unintentional - of the industry of which NSO is a part, are truly terrifying. The killer robots of the Terminator franchise remain the stuff of science fiction by virtue of technological limits and imaginative overreach. The automated nuclear apocalypse that opens Terminator 2, on the other hand, remains so only by the grace of god.

Iceberg

Exactly what it would mean to destroy this industry, however, is another matter. After all, the sort of ingenuity employed by NSO for fun and profit is the same used by principled security researchers to fix vulnerabilities. You must first know they exist, after all. A whole ecosystem exists of companies hired to try to ‘break in’, sometimes literally (old-fashioned burglary and con-artistry are skillsets as valuable as low-level coding in information security), and make recommendations for improvements to their clients. So, while we concur with Edward Snowden that spyware ought simply to be banned, spyware is only the tip of the iceberg, and a lot of the rest of the iceberg cannot simply be banned without criminalising the only defences humanity has against some of the most dangerous kinds of military and industrial sabotage in existence.

The true corrupting influence here is the military character of the industry; we are talking, in the end, about arms manufacture and, so far as arms manufacture serves the purpose of just defence against the assaults of reaction, it must in the end be tolerated, albeit under strict democratic control. The whole category of cyberweapons may not yet be in danger of abolition, and more’s the pity - but abolition is the only reasonable final objective for communists.

paul.demarty@weeklyworker.co.uk