Reflects the broad spectrum #spyware harms happen.
But *also* and critically, situations where vendors should expect that their product, once sold, will inevitably be abused.
#Pegasus factor: Ouch. NSO again would get dinged.
7/ I initially expected #SpywareEO to look like a allow/deny aka "blacklist" of spyware sellers..
But the EO's conduct based definitions = constant shell game of vendors corporate identities is blunted.
Even applies to companies that haven't been formed yet.
Probably better.
8/ Lots of spyware companies absolutely know what they are doing.
What's especially interesting is the term "remove" to describe risks.
Not the milquetoast & unverifiable "mitigate."
#SpywareEO is saying: cancel the contracts & more.
And you may still be toast. Do it now.
9/ Reports in the past that USG entities may have occasionally facilitated spyware purchases / acquisition by other governments.
If the #SpywareEO abuse/natsec/counterintelligence triggers are met... that door now closes.
10/ How does the USG know if #spyware vendors hit the #SpywareEO's triggers?
The EO contains a robust set of reporting requirements around misuses from the Intel community & procurement reporting.
Seems intended to prevent vendors from slipping through the cracks.
11/ Use of the "operational use" term is interesting.
And creates carve outs for things like testing & analysis.
Analogy: USG can buy an anti-tank missile from a shady entity to test it against armor, but can't reward the vendor by equipping the whole military with them.
12/ Takeaway: The #SpywareEO is the first comprehensive action by any government on #spyware.
It was clearly drafted to pump the breaks on proliferation & is written with a good understanding the slippery nature of the industry.
It closes many loopholes.
13/ Whenever the USG regulates there's always temptation to speculate about protectionism for American companies.
But reading the #SpywareEO...these provisions hit US-based spyware companies just as hard if they meet the triggers / contribute to proliferation.
Good.
14/ Every government wants to not tie their hands too tightly, so there is a waiver provision.
But what's interesting is how restricted this is. This is a very high bar.
The #SpywareEO is not designed to be easily circumvented by someone in a corner of the USG bureaucracy.
15/ I've spent over a decade researching commercial spyware.
The #spywareEO is one of the most consequential actions to blunt proliferation that I've seen a government take.
So, where do we go from here?
16/ While the #SpywareEO addresses federal procurement, it doesn't hit state & local agencies.
And we know these are targets for sales by NSO Group & others.
This is going to be a really important area in coming years.
NOW: US court permanently bans Pegasus spyware maker from hacking WhatsApp.
NSO Group can't help their customers hack @WhatsApp, etc ether. Must delete exploits...
Bad news for NSO. Huge competitive disadvantage for the notorious company.
Big additional win for WhatsApp 1 /
2/ Although the massive punitive damages jury award against NSO Group ($167m) got reduced by the court, as is expected in cases where it is so large (to 9x compensatory damages)...
This is likely cold comfort to NSO since I think the injunction is going to have a huge impact on the value of NSO's spyware product.
Comes as NSO Group has been making noises about getting acquired by a US investor & some unnamed backers...
3/ NSO also emerges from the @WhatsApp v NSO case with just an absolute TON of their business splashed all over the court records..
NEW: fresh trouble for mercenary spyware companies like NSO Group.
@Apple launching substantial bounties on the zero-click exploits that feed the supply chain behind products like Pegasus & Paragon's Graphite.
With bonuses, exploit developers can hit $5 million payouts. 1/
2/ Apple is introducing Target Flags which speeds the process of getting exploits found & submitters rewarded.
This faster tempo is also a strike against the mercenary spyware ecosystem.
And the expanded categories also hit more widely against commercial surveillance vendors.
3/ If I contemplating investing in spyware companies I'd want to carefully evaluate whether their exploit pipeline can match what @apple just threw down.
NEW: @WhatsApp caught & fixed a sophisticated zero click attack...
Now they've published an advisory about it.
Say attackers combined the exploit with an @Apple vulnerability to hack a specific group of targets (i.e. this wasn't pointed at everybody)
Quick thoughts 1/
Wait, you say, haven't I heard of @WhatsApp zero-click exploits before?
You have.
A big user base makes a platform big target for exploit development.
Think about it from the attacker's perspective: an exploit against a popular messenger gives you potential access to a lot of devices.
You probably want maximum mileage from that painstakingly developed, weaponized, and tested exploit code you created/ purchased (or got bundled into your Pegasus subscription).
3/ The regular tempo of large platforms catching sophisticated exploits is a good sign.
They're paying attention & devoting resources to this growing category of highly targeted, sophisticated attacks.
But it's also a reminder of the magnitude of the threat out there...