Israel’s Defense Ministry on Monday issued a statement saying its Defense Export Controls Agency (DECA) has tightened the control of cyber exports and issued an updated version of end-user declarations regarding the purchase of made-in-Israel spyware.
According to the statement, “A state interested in acquiring a cyber or intelligence system is required to sign the declaration as a condition for issuing an export license. The updated user declaration was formulated by the Ministries of Defense and Foreign Affairs, as part of the State of Israel’s update of its export control policy with regard to cyber systems.”
The new protocol has been put in place in a great hurry after the NY Times reported last Friday (Israeli Company’s Spyware Is Used to Target U.S. Embassy Employees in Africa) that “the iPhones of 11 US Embassy employees working in Uganda were hacked using spyware developed by Israel’s NSO Group.”
A month ago, the surveillance firm NSO was blacklisted by the United States because its app, Pegasus, had allegedly been used by foreign governments to repress dissent. We reported in early November (Report: Israeli Pegasus Spyware Detected on Cellphones of Banned PFLP NGO Activists) that the Pegasus spyware, developed by the Israeli security company NSO Group, was detected on the cellphones of six Arab activists, three of whom belonged to NGOs that had been designated by Defense Minister Benny Gantz as terrorist-affiliated.
So Pegasus is equal-opportunity spyware and, needless to say, Israel’s greatest friend in the world (America) was not amused. Especially since, according to Reuters, the embassy staff in Uganda were notified about the hack in an email they received from Apple, the maker of their iPhones: “Apple believes you are being targeted by state-sponsored attackers who are trying to remotely compromise the iPhone associated with your Apple ID. These attackers are likely targeting you individually because of who you are or what you do. If your device is compromised by a state-sponsored attacker, they may be able to remotely access your sensitive data, communications, or even the camera and microphone. While it’s possible this is a false alarm, please take this warning seriously.”
It took Israel’s Defense Ministry three days, including Shabbat, to come up—rather breathlessly—with the fix: “The updated declaration implements the policy of the Ministry of Defense to control the end use of cyber systems. The declaration obligates the acquiring state to restrict the use of cyber systems for the investigation and prevention of crime and terrorism. The definition of serious crime and terrorism has been clarified in the declaration,” the DOM statement clarified.
The DOM also added this strange paragraph, which is possibly a leftover from an earlier version: “The updated declaration stipulates that terrorist acts, among other things, are committed with the aim of seriously intimidating a population and may cause death, injury, taking hostages or additional intentional acts.”
So? One would rather think that if Pegasus is a useful, albeit clandestine, weapon against terrorists, it deserves praise, not rebuke. With that in mind, the updated declaration also states the circumstances under which the use of made-in-Israel cyber systems is prohibited, and details explicitly the possible sanctions in the event of noncompliance – including restricting the use of the cyber system in question or its being shut down altogether.