U.S. government intelligence employees should be banned for life from working for “foreign offensive operators” as one means of fighting commercial spyware, a member of a Canadian internet research group has told Congress.
John Scott-Railton, senior researcher at the University of Toronto’s Citizen Lab, made the proposal Wednesday while testifying before the House Permanent Select Committee on Intelligence on combating foreign commercial spyware such as NSO Group’s Pegasus and Saito Tech Ltd.’s Candiru.
While Congress has proposed that employees working for the National Security Agency (NSA) and other government intelligence groups be banned from joining what he called foreign offensive operators for 30 months after leaving their jobs, plus five years of mandatory reporting on what they are doing, Scott-Railton argued the ban should be for life.
“We would not let a nuclear weapons scientist go work for a potential adversary in three years,” he argued. “We should not do so with hacking technology.”
His testimony was echoed on Thursday by Citizen Lab director Ron Diebert, who said Ottawa should impose a lifetime ban for those who have worked in the Canadian intelligence and law enforcement agencies from working with “mercenary spyware firms.”
Developers of commercial spyware often say they only sell to law enforcement agencies for fighting crime, Scott-Railton testified. But, he added, governments often use it to spy on opposition leaders, reporters, and other groups that aren’t liked, as well as for espionage against other governments.
Over the years, Citizen Lab, part of U of T’s Munk School of Global Affairs and Public Policy, has issued numerous reports on the threat of commercial spyware. In 2021 it helped Microsoft identify and patch two Windows vulnerabilities it says were used by Candiru. Earlier this month Citizen Lab said Pegasus spyware was found on devices of 30 pro-democracy activists in Thailand.
Leading IT countries like the U.S., the U.K., Russia, and China have the ability to create their own spyware, Scott-Railton said. But he warned against the spread what he called “mercenary spyware” — meaning spyware that can be bought or rented by governments with less sophisticated capabilities.
Last year the U.S. blacklisted several companies for selling commercial spyware.
But in his Congressional testimony he urged Washington to do more to fight commercial spyware. As reported by The Record, Scott-Railton told Congress that NSO Group received investment from the Oregon Public Employee Retirement System (Oregon-PERS) and the Alaska Permanent Fund Corporation via the private equity firm Novalpina Capital, and suggested more substantial financial crackdowns.
He said not only should there be lifetime bans for certain people from working for foreign commercial spyware companies or government agencies, the government should also:
- prevent U.S. federal agencies from doing business with identified problem companies. “Getting federal contracts is the ultimate prize for any defense contractor and their investors,” said Scott-Railton. “Removing this opportunity would have an immediate impact;”
- expand the tools available to hold identified problem companies, and their officers, accountable, including sanctions, and work to co-ordinate these actions with allies, such as the Five Eyes intelligence group of the U.S., Canada, the U.K., Australia, and New Zealand;
- apply diplomatic pressure to the countries that have become safe havens for the spyware industry, and that are enabling identified problem companies to thrive without regulation or oversight;
- pass legislation ensuring comprehensive U.S. export control and transparency requirements for domestically-developed spyware, including extensive due diligence for national security risks and human rights concerns.
- continue support for internet security and privacy promoting technologies through the Open Technology Fund.
In an email Thursday Citizen Lab director Ron Diebert said Ottawa should follow the example that has been set by the United States and some European allies in fighting commercial spyware.