The US Commerce Department's Bureau of Industry and Security (BIS) released a final rule on November 3, 2021, that added four foreign companies to the Entity List for engaging in activities contrary to the United States' national security or foreign policy interests. One of the four named was NSO Group—the Israeli military-grade spyware manufacturer responsible for creating software traced to the phones of politicians, journalists, and human rights activists around the world.
Another Israeli company, Candiru, is also on the trade blacklist, as the US targets the growing surveillance threat posed by hacking-for-hire companies.
"Today's action is a part of the Biden-Harris administration's efforts to put human rights at the center of US foreign policy, including by working to stem the proliferation of digital tools used for repression," the Commerce Department said in a statement.
In effect, this means that NSO will be barred from buying parts and components from US companies without a special license. It also puts a cloud over the sale of the company's software globally, including in the US.
NSO Group said it was "dismayed" by the decision, adding that its technology helped maintain US national security by "preventing terrorism and crime." NSO has said it only sells its spyware to governments whose human rights records have been vetted for the purpose of countering terrorism and crime. Meanwhile, on October 31, 2021, The Times of Israel reported that NSO Group CEO Shalev Hulio is to step aside from his position, to serve instead as "global president" and deputy chairman of the board; current co-president Isaac Benbenisti will take over as CEO.
While the US went ahead and added NSO Group to the Entity List, France has decided to take a different approach, despite French President Emmanuel Macron's phone appearing in a list of potential targets for surveillance by Morocco... using the Pegasus software. According to an Israeli diplomatic official, who declined to be identified, Israeli Prime Minister Naftali Bennett and President Macron agreed that "the subject will continue to be handled discreetly and professionally, and with the spirit of transparency between the two sides," Reuters reported.
Candiru, founded by engineers who left NSO, was sanctioned based on evidence that it supplied spyware to foreign governments. In July, Microsoft reported that Candiru's spyware exploited a pair of Windows vulnerabilities to target the phones, computers, and internet-connected devices of some hundred activists, journalists, and dissidents across ten countries.
According to the Commerce Department's announcement, Russian firm Positive Technologies—targeted with sanctions last April for its work with Russian intelligence—and Computer Security Initiative Consultancy of Singapore were also added to the list for trafficking in hacking tools.
You can read all about the Pegasus software in our previous post on the topic.