Israel’s Defense Ministry on Monday announced that it was tightening supervision over cyber exports — a move that follows a series of scandals involving Israeli spyware company NSO Group.
The ministry said the countries purchasing Israeli cyber technology would have to sign a declaration pledging to use the products “for the investigation and prevention of terrorist acts and serious crimes only.”
The announcement made no mention of NSO. But it came just days after it was revealed that 11 U.S. State Department employees were hacked with NSO spyware. The employees were all located in Uganda and included some foreign service officers, said a person familiar with the matter, who was not authorized to speak publicly about an ongoing investigation.
It was the first known instance of NSO Group’s trademark Pegasus spyware being used against U.S. government personnel.
Last month, the U.S. Commerce Department blacklisted NSO, barring the company from using U.S. technology. The blacklisting has raised questions about NSO’s financial outlook and ability to survive, and the company has acknowledged that it is trying to reverse the decision.
Apple also sued NSO last week over its hacking of iPhones and other Apple products, calling the Israeli company “amoral 21st century mercenaries.” Facebook has filed a lawsuit over similar allegations that NSO intruded into its popular WhatsApp messaging system.
Pegasus allows its operator to gain access to a target’s mobile phone, including contacts, text messages and real-time communications.
NSO says it sells its technologies to governments only to battle crime and terrorism and that it has strict safeguards to prevent abuse. Company officials have acknowledged cutting off several customers due to misuse.
However, human rights groups and outside researchers have said the company’s safeguards are insufficient. They say customers have abused Pegasus to keep tabs on journalists, human rights activists and political dissidents from Mexico to Saudi Arabia to the Israeli-occupied West Bank. Critics have also accused Israel of lax oversight over the digital surveillance industry.
NSO declined to comment on the Defense Ministry guidelines. Last week, however, it said it had immediately shut down customers “potentially relevant” to the Uganda case. It also vowed to take legal action against customers if a violation of their contract was found.
Israel has previously said that cyber exports are limited to fighting crime and terrorism. Under the new guidelines, the ministry said the definitions “have been sharpened, in order to avoid blurring boundaries in this context.”
“The updated statement states that terrorist acts are, among other things, acts that are intended to threaten a population and may result in death, injury, hostage-taking and more,” it said. It also said it was clarifying “the circumstances in which the operation of the cyber system is prohibited and explicitly clarifies the existence of the possibility of imposing sanctions in the event of a violation of the provisions.”