Cyber Mercenaries Don't Deserve Immunity

A growing industry of companies called private-sector offensive actors - or PSOAs - is creating and selling cyberweapons that enable their customers to break into people's computers, phones and internet-connected devices. Now, one of these 21st-century mercenaries, called the NSO Group, is attempting to cloak itself in the legal immunity afforded its government customers, which would shield it from accountability when its weapons inflict harm on innocent people and businesses. The firm also contributes to the urgent cybersecurity challenges discussed by our president Brad Smith last week. We believe the NSO Group's business model is dangerous and that such immunity would enable it and other PSOAs to continue their dangerous business without legal rules, responsibilities or repercussions. That's why today we filed an amicus brief- along with Cisco, GitHub, Google, LinkedIn, VMWare and the Internet Association - in a legal case brought by WhatsApp against the NSO Group.

The NSO Group sold governments a program called Pegasus, which could be installed on a device simply by calling the device via WhatsApp; the device's owner did not even have to answer. According to WhatsApp, the NSO Group used Pegasus to access more than 1,400 mobile devices, including those belonging to journalists and human rights defenders. We believe companies like NSO Group selling tools like Pegasus are concerning for three reasons.

First, their presence increases the risk that the weapons they create fall into the wrong hands. Previously, sophisticated nation-state hacking capabilities resided in a small number of governments with well-funded agencies focused on developing these weapons. Even then, government-created espionage tools got into the hands of other governments who used them in attacks like WannaCry and NotPetya that spread like wildfire beyond the targeted victims and ultimately devastated lives and disrupted businesses around the world. Lowering the barrier for access to these weapons would guarantee that such catastrophes would be repeated.

Even if the tools are sold to governments who use them for narrowly targeted attacks, there are a variety of ways they can still fall into the wrong hands. For example, private actors like the NSO Group and their less sophisticated customers may lack the defenses some governments use to protect the weapons, making them more susceptible to cyber-theft. For example, an Italian company called Hacking Team - one of NSO's competitors - was itself hacked in 2015. Additionally, targets of these weapons can observe, reverse-engineer and then use these tools for their own purposes.