Spyware Vs Security and the great debate
“There will come a time when it isn’t ‘They’re spying on me through my phone’ anymore. Eventually, it will be ‘My phone is spying on me’.”
The above quote is by Philip K. Dick, who died in 1982. Sounds prescient or scary, or both?
The recent SolarWinds cyber attack has once again reignited the debate about the role of spyware vis-a-vis the role of governments and the potential threat it poses.
As a matter of fact, Brad Smith, President of Microsoft, which is battling the SolarWinds attack, has in a rather candid blog on the subject denounced in no uncertain terms the role of the emerging Private Sector Offensive Actors (PSOAs), who are the creators of the spyware in the first place.
While the origin of the SolarWinds spyware is still being debated (the President of the United States calls it Chinese while his Secretary of State ascribes a Russian origin to it), the potential damage that SolarWinds has caused is yet to be estimated.
But where does one draw the line? In an ongoing case in the US, WhatsApp has sued NSO Group Technologies, the Israeli cyber security firm that shot into prominence when it was accused of hacking into WhatsApp chats. Even in India, it was reported that Pegasus was used to hack around 121 Indian citizens. Globally, Pegasus as much as admitted that over 1400 WhatsApp accounts were infiltrated, but also said that it only played the role of a ‘tech support agent’ to the sovereigns.
On the other hand, governments the world over are getting increasingly frustrated over their inability to read end-to-end encrypted data, such as WhatsApp chats, and argue that spyware like Pegasus helps them prevent serious threats such as terrorist attacks, which in turn helps save lives. Curiously, in the WhatsApp lawsuit against NSO, other tech giants such as Microsoft, Twitter, Amazon, Facebook and Cisco have joined the legal battle, but no arm of the US government has joined the suit.
NSO has defended itself by pleading sovereign immunity: since the product was sold to the government, the company argues that it enjoys the same immunity that the sovereign government of any country enjoys.
Smith clearly debunks this claim and, going one step further, has said that ‘the PSOAs is not an acronym that will make the world a better place’. However, Smith and others do not want to engage in the argument as to whether or not spyware such as Pegasus plays any role in the fight against digital crimes.
The other moot point that is not getting discussed is that all spyware, in the future, will be created by these PSOAs in a corporate structure. While the NSO Group may claim today that it only sells to governments, there is no system that can actually verify the claim, not just for NSO but for every creator of spyware or malware. Consequently, how do we hold the spyware creators accountable when they have the overt and covert support of governments across the world?
According to Microsoft data as published on their website, IT companies are targeted around 44% of the time, as compared to governments, which account for only 18% of the cyberattacks. This once again raises the stakes for the purveyors of technology, as they continue to remain the most vulnerable to the PSOAs. This also means that the tech they sell, be it cloud solutions, enterprise applications, collaboration solutions et al, is the primary target of the spyware.
Taking this argument further, the customers of these tech companies should be a worried lot, as their technology provider could be hacked at any time, which will impact their (the enterprise customers’) businesses. And this could come from government agencies, private hackers, lone-wolf cyber punks or, in some cases, even their own competitors.
Interestingly, Smith’s narrative seeks to enlist the very agencies who bought the Pegasus spyware, the governments, in the fight against spyware, reminding me of the old feature phone game called Snake where, once the snake grows long, it bites its own head and dies.
Unfortunately, smartphones don’t have the game. And the spyware-government game is a lot smarter.
L Subramanyan is Founder and CEO of Trivone