The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

European spyware investigative panel faces an uphill climb

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Welcome to The Cybersecurity 202!  Okay, Okay, Ja Morant travels. He’s still very fun to watch!

First: Maryland bans TikTok on government devices, and Apple faces a lawsuit over AirTags. First:

Europe’s spyware committee is barreling to its end

A European parliamentary panel probing abuses of sophisticated spyware technology on the continent is nearing the end of its mission. It aims to produce a final report and vote on it in March.

What comes after that is largely out of the hands of the PEGA Committee, named after the Pegasus spyware produced by Israel’s NSO Group.

Many of the recommendations, if the European Parliament approves the report, will then be up to member states to decide whether to implement them, Sandor Ronai, vice chair of the committee, told me in an interview Tuesday. That’s because individual nations are largely responsible for their own national security under the European Union, and they’re likely to deem this a national security issue.

That doesn’t mean the work of the committee is pointless. The European Commission does have some levers of power to exert over member nations that have abused spyware, namely financial levers, Ronai said.

Take Ronai’s home country of Hungary, one of four countries — along with Greece, Poland and Spain — that the PEGA Committee’s draft report singled out for “illegitimate use of spyware.” Committee members will visit Hungary in February on a “fact-finding mission.”

  • Last month, the European Commission recommended withholding 7.5 billion euros ($7.9 billion) from Hungary over rule of law concerns. 
  • Essentially, the European Union is telling Hungary, “We will get the money to you if you can give me some guarantees that you will improve,” such as restoring media freedom, Ronai said. The commission also could condition the funding on other behaviors, he said: “Maybe all spyware they’re using can be one of them.”

Then there’s the public perception side of things, Agnes Popovics, Ronai’s parliamentary assistant, told me.

“What’s also very important besides the political side is that the people — that everybody — knows that this problem exists,” she said. “Many of the people are not even aware how their freedom is being used out from the government. It’s also important for the victims.”

The map

Last month, the PEGA Committee called attention to widespread ties for spyware in Europe, including suspected use in Cyprus, in its draft investigative report.

“The spyware scandal is not a series of isolated national cases of abuse, but a full-blown European affair,” reads the report, submitted by its rapporteur Sophie in ‘t Veld, a Dutch member of the European Parliament. “E.U. Member State governments have been using spyware on their citizens for political purposes and to cover up corruption and criminal activity. Some went even further and embedded spyware in a system deliberately designed for authoritarian rule.”

One of the draft report’s recommendations, in fact, is a common European definition of “national security,” to determine when nations can invoke it as opposed to the current case-by-case setup.

Ronai said member nations have thrown up roadblocks to the panel’s investigation on matters as simple as a written questionnaire, which some didn’t answer.

Besides the planned fact-finding trip to Hungary, the committee has held similar visits to Cyprus, Greece, Israel and Poland. 

The industry

The committee’s work nears its completion at a time of change in the spyware business. NSO Group is banking on the notion that the pending return of Benjamin Netanyahu as Israeli prime minister after last month’s elections will bolster a company facing international pressure and financial problems, Mehul Srivastava and Kaye Wiggins reported for the Financial Times.

During Netanyahu’s previous tenure, he promoted NSO Group to foster security relationships with other countries, and company co-founder Shalev Hulio expects that Netanyahu will provide them political cover, the paper reported.

“Don’t worry,” Hulio reportedly told guests at a Tel Aviv dinner party this summer about the state of the company. “Netanyahu is coming back.” NSO told the Financial Times that “politically motivated sources based on hearsay” had given the paper false information regarding “alleged customers, conversations that never occurred, and the company’s financial condition.”

But NSO Group isn’t the only spyware industry player to draw attention in recent months.

  • The Greek government announced last month that it would ban the sale of spyware, following the discovery over the summer that Nikos Androulakis, a Greek politician and member of the European Parliament, had been targeted by Predator spyware. Around this time last year, the University of Toronto’s Citizen Lab said the manufacturer of Predator was North Macedonian developer Cytrox.
  • Spanish company Variston IT is linked to the Heliconia spyware, Google’s Threat Analysis Group said last week.

There was another development on the spyware front Tuesday: House and Senate negotiators reached agreement on an annual defense policy bill that includes language granting the director of national intelligence to forbid intelligence agencies from contracting with foreign commercial spyware companies.

The keys

Another state government bans government use of TikTok and other products

Maryland Gov. Larry Hogan (R) announced that the state government has banned executive branch use of TikTok, Huawei, ZTE, Tencent, Alibaba and Kaspersky technology. Under the “emergency directive,” state agencies have to “remove any of these products from state networks, implement measures to prevent installation of these products, and implement network-based restrictions to prevent the use of, or access to, prohibited services,” Hogan’s office said.

Maryland represents the latest state to impose restrictions related to TikTok and other software firms. Last week, South Dakota Gov. Kristi L. Noem (R) banned government employees and contractors from using TikTok on government devices. South Carolina Gov. Henry McMaster (R) also asked the state Department of Administration to block TikTok from its government devices, the Associated Press reported.

TikTok spokesperson Jamal Brown told the AP that the states’ concerns “are largely fueled by misinformation about our company.” Brown added that “we are always happy to meet with state policymakers to discuss our privacy and security practices.” Brown said the company is “disappointed that the many state agencies, offices, and universities that have been using TikTok to build communities and connect with constituents will no longer have access to our platform.”

Apple faces lawsuit by women who say AirTags facilitated stalking

The two women, who said Apple failed to make its AirTags “stalker proof,” accused Apple of negligence, design defects and privacy violations, the New York Times reports. Since the portable tracking devices were launched last year, critics have argued that bad actors can easily use them for malicious purposes like stalking.

In February, Apple announced an update to the technology to help people find nearby AirTags when they’re alerted of them. When The Post asked for comment on the lawsuit, an Apple spokesperson pointed to its February update that said, “We condemn in the strongest possible terms any malicious use of our products.”

Amnesty International Canada says it was targeted by China-backed hackers

Amnesty International Canada said investigators from cybersecurity firm Secureworks found that the organization was probably hacked by “a threat group sponsored or tasked by the Chinese state,” the Record’s Jonathan Greig reports. The organization discovered the breach two months ago, when employees found suspicious activity on their systems.

“As an organization advocating for human rights globally, we are very aware that we may be the target of state-sponsored attempts to disrupt or surveil our work,” Amnesty International Canada Secretary General Ketty Nivyabandi said in a statement. “These will not intimidate us and the security and privacy of our activists, staff, donors, and stakeholders remain our utmost priority.” 

The announcement of the hack came a day after Human Rights Watch said an Iranian government-backed hacking group known as APT42 targeted two of its staff members and at least 18 journalists, activists, politicians and other people.

Government scan

DHS funds surveillance technology in U.S. cities, report says (Bloomberg News)

Global cyberspace

Massive DDoS attack takes Russia’s second-largest bank VTB offline (Bleeping Computer)

Don’t use Chinese X-ray machines on E.U. borders, MEPs say (Politico Europe)

Antwerp's city services down after hackers attack digital partner (Bleeping Computer)

Multiple government departments in New Zealand affected by ransomware attack on IT provider (The Record)

Inside the face-off between Russia and a small internet access firm (New York Times)

Cyber insecurity

Rackspace says ransomware attack caused outage (The Record)

Encryption wars

Suspects arrested for hacking US networks to steal employee data (Bleeping Computer)

Privacy patch

Meta cannot run ads based on personal data, E.U. privacy watchdog rules (Reuters)


  • U.S. and European officials speak at the Atlantic Council’s Digital Forensic Research Lab 360/Stratcom forum today.
  • Recorded Future hosts an intelligence briefing on Chinese threats today at 1 p.m. 

Secure log off

Thanks for reading. See you tomorrow.