Guard the Digital Door

Individuals and organizations around the globe were shaken when a French nonprofit organization, Forbidden Stories, and Amnesty International revealed in mid-July that they had a list of 50,000 phone numbers that were supposedly being targeted by a powerful Israeli spyware program called Pegasus.

The military-grade software, developed by NSO Group and licensed to governments by the Israeli Ministry of Defense, was being used to spy on journalists, corporate executives, human rights activists, members of royal families, politicians, diplomats, and government officials. At least 10 prime ministers, three presidents and a king were on the list.

Seventeen media partners came together to form the Pegasus Project to research and report on the reach and use of the software. University of Toronto’s Citizen Lab found suspected Pegasus infections in 45 countries, including Bahrain, Brazil, Canada, France, Greece, India, Israel, Kuwait, Latvia, Mexico, Morocco, the Netherlands, Poland, Singapore, Switzerland, Turkey, the United Arab Emirates, the United Kingdom and the United States. That does not mean, however, that these countries have licensed the Pegasus software; it means their citizens could be targets. NSO has reportedly licensed its software to Azerbaijan, Bahrain, Hungary, India, Mexico, Morocco, Rwanda, Saudi Arabia, and the UAE.

Earlier, in January, the United Nations linked the May 2018 hacking of Jeff Bezos’s mobile phone to Saudi Crown Prince Mohammed bin Salman, known as MBS. The UN statement assumed Bezos was targeted because it was during the period when Saudi Arabia was supposedly investigating the killing of Jamal Khashoggi, a reporter for The Washington Post, which Bezos owns. I disagreed in a Forbes article, arguing it was more likely that MBS—who had recently met with Bezos and exchanged cell numbers—was seeking intelligence on whether Amazon was going to establish a major Amazon Web Services (AWS) center in Saudi Arabia. In other words, Pegasus could have been a handy economic espionage tool for the crown prince.

The use of spyware for economic espionage is a risk that many companies are not focusing on. The Pegasus software is especially one to guard against, because it works on iPhones, Androids, Blackberrys, and other phones and it is very difficult to detect. The spyware enables access to all content, communications, photos, emails, camera and microphone. The latest version of the software is “zero-click”—the user does not have to do anything for it to penetrate the phone and begin “phoning home.” If you suspect your phone may have been infected, the only way to get rid of the spyware is to throw your phone away and begin afresh.

Although NSO Group claims that its software cannot target phones in the United States, others doubt that, and U.S. numbers were on the list of 50,000 numbers. WhatsApp, a secure-communications app owned by Facebook, sued NSO Group in federal court in San Francisco for breaching its software to send the spyware to users of WhatsApp. The lawsuit seeks unspecified damages and seeks to have NSO Group barred from accessing WhatsApp or Facebook services.

New Risk Requires New Controls  

Hackers after personal identifiable information and ransom payments are not the only cyber threats that organizations should be worried about. The NSO spyware scandal highlights a risk that needs to be elevated in companies. When executives, presidents, politicians, journalists, activists, and government officials are targeted with spyware on the very devices they use to discuss some of the most sensitive personal and corporate issues, new controls are required. This is especially important during a time where remote working will either continue or be a part-time option until the COVID-19 pandemic is under control.

Mobile devices are leveraged more heavily in remote working environments. New controls to help protect against mobile economic espionage are needed. Here are some:

• Review and revise policies and procedures on the use of mobile devices and the content that can be stored on them.
• Define where and how discussions and communications regarding potential acquisitions, confidential strategic plans, research and development, and other highly sensitive issues take place.
• Restrict business use of text messaging and secure-communication applications (these generally are not considered to be business records, and retention can vary).
• Employ mobile device management (MDM) software tools to manage the use of mobile devices and restrict their use to approved and registered devices.
• Turn off geolocation services on devices and use those services only when needed so you avoid leakage about locations of personnel and prevent metadata on photos and videos from revealing locations.
• Restrict applications using device microphones and cameras.
• Train personnel, including executives, security and IT staff, on the risks and safety precautions for mobile devices. They should understand why controls are important.

Organizations also should consider where they are doing business globally and with whom. During the pandemic, there have been fewer personal meetings and more phone/video conversations. Consider whether these conversations can be recorded by others and if others could be listening who are not identified. Losing intellectual property, proprietary data, and strategic advantages to economic espionage may have far greater financial consequences than revenues received. Everyone understands that governments engage in intelligence gathering, but when that moves to the level of targeting executives’ and workers’ mobile devices, we have entered a new era of cyber crime. Get prepared.

Agents and brokers should raise this issue with clients and help them examine their vulnerability to spyware and mobile device compromise. Organizations that are not large multinational companies may immediately assume this does not apply to them. That could be short-sighted thinking, so agents and brokers should be ready to explain how this risk may apply to their operations. This is an area where risk transfer plays an important role for any organization that operates globally, is competing against foreign companies, relies upon a global supply chain, is involved in valuable research and development, is a government contractor involved in sensitive operations, etc. Agents and brokers should also review existing policies and spotlight policies that might not cover the loss of confidential and proprietary data via spyware, especially if gathered by a foreign nation-state.