“It was always going to be a very difficult committee to work as a team,” Jeroen Lenaers, chair of the committee investigating Pegasus and similar surveillance spyware, told The Cybersecurity 202. “But I personally feel that, especially lately, the politics have really taken too much center stage.”
The drafting of the report — which is due to be presented in less than a month — comes amid revelations about the use of Pegasus spyware, which have prompted scandal on nearly every continent. It could boost awareness of spyware misuse and build momentum for action on spyware in Europe, where lawmakers say not enough is being done to curb the proliferation of such software.
In Europe and elsewhere, the subject is controversial. Opposition lawmakers, journalists and activists in Greece, Hungary, Poland and Spain have reportedly been targeted with spyware.
The work of the committee, whose members are from countries all across Europe, has turned tense at times. When lawmakers supporting the independence of Spain’s Catalonia region testified at a Thursday hearing on their experiences being targeted with spyware, the hearing turned testy and some Spanish members of the committee criticized the Catalan independence movement. The arguments frustrated some other lawmakers, who see the spyware issue as something that goes beyond a debate over Catalonia and Spain.
- Complicating things, the committee’s membership includes both alleged targets of surveillance and members of Hungarian and Polish ruling parties, which have been embroiled in spyware scandals in their countries.
Lenaers said the committee’s work would be effective if members of the committee “work as European members of Parliament and leave the national discussions to the national parliaments.”
NSO Group, the maker of Pegasus, has a sizable European client base. Fourteen European countries have purchased Pegasus, and the licenses of two member states’ licenses have been revoked, NSO told the committee, per Haaretz.
NSO has long said it investigates credible allegations of misuse and cuts off some customers. The company also says Pegasus is used to catch terrorists and other criminals. But it’s reportedly been used to try to target U.S. and European officials:
The committee, which is dubbed the European Parliament “Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware,” faces other limitations as well. Some governments haven’t even been willing to reply to letters asking them about their legal frameworks for using spyware, committee rapporteur Sophie in ‘t Veld told The Cybersecurity 202.
Moreover, the committee has limited power, a stark contrast to the United States’ subpoena-equipped investigators who have forcefully looked into U.S. political scandals like Watergate.
In ‘t Veld’s report will be presented Nov. 8, she said. After that, the committee will debate it, Lenaers said. Members of the committee plan to visit Greece and Cyprus next month and Hungary in February, before the committee’s mandate ends in March, he said, adding that if the committee’s mandate is extended, lawmakers could visit another country like Spain, the United Kingdom or the United States.
The report is due almost exactly a year after the U.S. government blacklisted NSO upon finding that Pegasus was used to “maliciously target” journalists, activists and government officials. The sanctions came months after The Washington Post and 16 other news organizations published dozens of articles on how NSO clients had misused the technology.
This year alone, there have been new reports of spyware victims in at least a half dozen countries, from El Salvador to the United Kingdom. Just this month, digital rights groups said that Mexican journalists and activists were targeted with the spyware after the country’s president pledged not to use such tools.
For In ‘t Veld, one current challenge is incorporating all of the information she’s gotten into her report. “I have so much information, I’m not even sure how I’m going to integrate all that into one report,” she said. “And the picture is becoming pretty complete, and it’s not a pretty picture.”
Iranian state television briefly taken over amid protests
Hackers on Saturday took over Iranian state television for around 15 seconds and displayed an image of Ayatollah Ali Khamenei in flames, the Associated Press’s Samya Kullab reports. The captions on the footage said “join us and stand up!” and “the blood of our youth is dripping from your claws.”
The hack came as protesters in Iran began demonstrations for a fourth week. The protests came in response to the death of Mahsa Amini, a 22-year-old woman who died after being detained by the country’s “morality police” for allegedly violating the conservative dress code imposed by Islamic clerics leading the government. Rights groups say that dozens of people have been killed, with hundreds more injured and arrested, as security forces faced off against protesters.
Iranian authorities appear to have cut internet access in the evening — when protests typically take place — making it difficult for protesters to communicate, my colleagues reported. On Thursday, the U.S. government sanctioned Iranian Communications Minister Eisa Zarepour, with the Treasury Department saying that Zarepour “is responsible for the Iranian government’s shameful attempt to block the internet access of millions of Iranians in the hopes of slowing down the protests.”
Another cryptocurrency firm was hit in a multimillion-dollar hack
Hackers stole around $570 million worth of cryptocurrency from a blockchain bridge used by the Binance-linked BNB Chain, but they were only able to get away with around $100 million in cryptocurrency, Reuters’s Elizabeth Howcroft reports. Blockchain bridges are tools that let users transfer assets between blockchains.
The cryptocurrency industry and such tools have been the targets of hackers, with the U.S. government accusing North Korean hackers of being responsible for a $620 million heist this year. It’s not clear if North Korean hackers were responsible for the BNB Chain hack, but U.N. investigators have said that cryptocurrency hacks are an “important revenue source” for the country’s nuclear and ballistic missile programs.
Biden administration announces increased privacy checks for European data flows
The new executive order boosts privacy protections for data transferred between the United States and Europe in an attempt to address long-standing concerns about U.S. surveillance, Cristiano Lima reported. It puts into practice a March deal between President Biden and European leaders, and adds checks on U.S. intelligence agencies’ collection of Europeans’ personal information. It also lets them seek redress if their data is unlawfully intercepted.
“U.S. and E.U. officials have sought for years to come to terms on a legal mechanism to replace Privacy Shield, a data pact that allowed businesses to safely transfer data across the Atlantic that was struck down by European courts in 2020 over U.S. surveillance concerns,” Cristiano wrote. “But a deal proved elusive, even as businesses clamored for clarity around the legality of data flows.”
The new pact still has to be ratified in Europe, which could take months. It’s not clear if it will withstand challenges in European courts. “At first sight it seems that the core issues were not solved and it will be back to the [Court of Justice of the European Union] sooner or later,” Austrian privacy activist Max Schrems said. Schrems’s legal challenges ushered in the end of the Privacy Shield.
- The FS-ISAC holds its FinCyber Today summit in Scottsdale, Ariz., today through Wednesday.
- National security adviser Jake Sullivan speaks at an event hosted by the Center for a New American Security and Georgetown University’s Walsh School of Foreign Service on Wednesday at 2 p.m.
- Deputy national security adviser Anne Neuberger, Rep. John Katko (R-N.Y.) and Google Cloud global director of risk and compliance Jeanette Manfra discuss cybersecurity at a Washington Post Live event on Thursday at 9 a.m.
Thanks for reading. See you tomorrow.