Bill Would Help Congress Track Offensive 'Cyber Tool' Sales
State Department Would Be Required to Provide Information on Approved Sales
A House panel has approved a measure that's designed to make sure Congress is informed when U.S. companies sell offensive cyber technologies and services to other nations' governments. The measure was introduced after a U.S. firm sold technologies to the United Arab Emirates that were used to target activists and journalists.
The provision is included in a larger State Department funding bill. The House appropriations committee approved the bill in a 29 to 23 vote on Thursday, sending it to the House floor, according to a congressional staffer.
Under current U.S. law, the State Department's Directorate of Defense Trade Control is responsible for enforcing regulations that govern the selling of any weapons to foreign governments. U.S. firms need permission from this office to sell offensive cyber technologies and services to foreign governments.
Rep. Dutch Ruppersberger, D-Md., added a provision to the State Department appropriations bill that would require the Directorate of Defense Trade Control office to inform Congress when it approves the sale of these offensive cyber tools to foreign governments. The bill also would require Congress to be notified if a U.S. firm is penalized for violating policies on such sales.
"While emerging technologies have always created regulatory headaches for government, I have been particularly troubled by recent media reports concerning DDTC processes for cyber licensing," Ruppersberger says. "My report language ensures we meet the challenge head-on with a transparent, well-resourced process for licensing cyber tools and capabilities for export."
The proposed changes to State Department protocol follow a Reuters report about the selling of offensive cyber technology to the United Arab Emirates, which then used these capabilities against militants as well as activists and journalists as part of an operation called Project Raven.
CyberPoint International, a Maryland-based defense contractor that sold the technology and also provided personnel to the UAE, has denied knowing how the country's intelligence agency would use the technology, according to Reuters.
The legislative proposal has garnered support among those seeking greater transparency when it comes to these transactions. Robert Chesney, a national security law professor at the University of Texas, notes on Twitter that he hopes Congress will demand even more detailed information.
I do hope this provision makes it into the bill, though I also hope they'll expand this provision regarding how much information must be reported. Don't collect just four months' worth of info; get many years' worth, and more detail about what has happened in each case. https://t.co/8jYlUOWXnZ
— Bobby Chesney (@BobbyChesney) May 15, 2019
Parallels to WhatsApp Disclosure
The House panel's vote on the measure came the same week that Facebook sent a warning to users of its WhatsApp messaging app to update the software immediately to fix a flaw that could be exploited to remotely install surveillance software (see: Attackers Exploit WhatsApp Flaw to Auto-Install Spyware).
A buffer overflow flaw in WhatsApp could be used to install Pegasus spyware, which is built by Israel-based NSO Group. The company is known to sell this software to governments looking to infect targets of investigations and gain access to various aspects of their devices, according to published reports.
NSO's software has been tied to uses against activists in Mexico and the UAE, according to Citizen Lab, a research group within the University of Toronto that investigates the use of software exploits by governments with questionable human rights records to monitor activists and dissidents (see: Apple Fixes Zero-Day Flaws Used to Target Activist).
This has driven groups, such as Amnesty International, to attempt to take legal action against the Israeli Ministry of Defense to demand it revoke the export license of NSO Group.
An NSO spokesperson, however, tells Information Security Media Group that the company's software is designed to combat terrorism and crime, and the governments that buy the technology determine how it's used.