On Wednesday, the U.S. Department of Commerce barred notorious Israeli spyware company NSO Group, along with three other companies, from receiving exports of U.S. technologies because of the companies’ malicious cyber activities. NSO Group and another Israeli firm, Candiru, were sanctioned because they “developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.” Meanwhile, Russian company Positive Technologies and Singaporean firm Computer Security Initiative Consultancy PTE. LTD. were added to the blacklist because they “traffic in cyber tools used to gain unauthorized access to information systems, threatening the privacy and security of individuals and organizations worldwide,” according to the Commerce Department’s statement.
The statement frames the sanctions as part of the White House’s “efforts to put human rights at the center of U.S. foreign policy, including by working to stem the proliferation of digital tools used for repression.” And there’s no question that taking a strong, public stand against NSO Group, which has been implicated in a wide range of digital surveillance campaigns operated by governments around the world, is the right call from a moral and human rights standpoint. NSO Group’s Pegasus spyware has been linked to the killing of Jamal Khashoggi, and extensive and excellent analysis of the company’s software, especially by researchers at the Citizen Lab at the University of Toronto, has pointed to many other instances in which dissidents, activists, and journalists have been targeted using these same tools.
So it’s been clear for some time that governments should be taking a more active role in trying to crack down on NSO Group exporting these tools to the authoritarian governments of Saudi Arabia, India, Hungary, and Rwanda, among others. But most of the pressure to act has been on the Israeli government, which could, if it chose, directly block the company from selling its spyware programs to these customers. Instead, Israel has continued to allow the company what appears to be relatively free rein in its dealings with foreign governments. And it’s a little difficult to say, in the absence of more stringent oversight by Israel, whether the sanctions announced this week by the United States will matter much when it comes to stopping, or at least slowing, the spread of NSO Group’s spyware worldwide.
The move has attracted some attention both because it’s still fairly unusual for the United States to sanction companies due to concerns about digital surveillance and spyware, and because it’s such a public statement of the U.S. government’s low regard for NSO Group. For instance, former United Nations special rapporteur David Kaye said in an interview with the Washington Post, “Who will want to work with a company that’s been so publicly sanctioned by the U.S. government?” But that interpretation seems unduly optimistic—after all, do we really think that the government of Saudi Arabia is going to be cowed out of working with NSO Group because the United States has voiced its strong disapproval?
Beyond just trying to shame customers and investors into abandoning NSO Group, the sanctions also prohibit the company from receiving U.S.-originating technology. But there, again, it’s not clear how significant the impact of those prohibitions will be. Indeed, many U.S. tech firms including Amazon, Facebook, Google, and Microsoft, had already cut ties with or denounced the company, long prior to the government’s announcement. And fundamentally, NSO Group is a software company—it probably doesn’t need to buy a lot of U.S. technology to continue to do what it does.
That doesn’t mean there’s no value in the United States taking a strong public stance against NSO Group and the other companies included in this week’s announcement. But making strong public statements against adversaries in cyberspace has been a hallmark of the U.S. government for many years now, and it’s not clear how effective it actually is as a means of curbing anyone’s malicious online activity. Perhaps these latest sanctions will prompt Israel (and Russia and Singapore) to pay closer attention to what these companies are doing and impose more meaningful domestic export regulations. But NSO Group has been heavily criticized for years and that criticism has done little to change the Israeli government’s policies. The United States should probably be prepared for the possibility that these latest measures will be similarly ineffective—and that it may need to be willing to pressure Israel much more directly if it wants to see real changes in that country’s spyware industry.
The U.S. government’s response to NSO Group and the other companies sanctioned this week is not unique in that it may well turn out to be largely symbolic. In fact, one of the hardest things to figure out about the various ways the United States government has responded to cyberattacks and online misbehavior over the course of the past decade is whether any of those responses have had any real effect. Have the indictments of foreign hackers made any difference or merely served to further an ultimately ineffective “name and shame” strategy? Did the sanctions against Russia, issued earlier this year in the aftermath of the SolarWinds compromise, deter further espionage operations at all? Will the recently announced sanctions against cryptocurrency exchange Suex make any difference in the ongoing efforts to try to tamp down on ransomware attacks?
The fact that there’s tremendous uncertainty surrounding the effectiveness of these measures doesn’t mean they’re not worth trying, though. It just means that we still don’t know very much about what actually works when it comes to dissuading or disrupting cybercriminals and foreign government cyber operations. The recent set of sanctions, including those issued against NSO Group, represent a small step beyond merely naming and shaming online adversaries in public indictments. But just as those indictments proved to be largely ineffective at deterring unwanted online behavior, it may yet turn out that so, too, are many of these targeted restrictions in which case the U.S. government should be thinking through what the next step would look like in escalating its responses to malicious cyber activity.