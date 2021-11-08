“NSO Group and Candiru (Israel) were added to the Entity List based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers,” read a press release by the US Department of Commerce. The announcement was made as part of the Bureau of Industry and Security’s (BIS) final rule which added four foreign companies to the Entity List for ”engaging in activities that are contrary to the national security or foreign policy interests of the United States”.

The ruling ensures that BIS will impose a license requirement that applies to all items under EAR (Export Administration Regulations). The commerce department added that there are no license exceptions for entities under the List. Moreover, these entities will be subject to a presumption of denial by the BIS for license review.

The move can be considered as a fallout of the investigation conducted by the Pegasus Project. This is a rare indictment by a major country acknowledging the problematic dealings of the NSO Group, the cyber-espionage firm behind the Pegasus spyware which was found to have been deployed against politicians, civil society activists, and others around the world.

Why did the US Government spring into action?

The department explained the sophisticated tools sold by these companies helped foreign governments to “conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent,” according to the document.

“Such practices threaten the rules-based international order,” read the statement.

U.S. Secretary of Commerce Gina M. Raimondo said that the US plans to use export controls aggressively to hold companies, which threaten the cybersecurity of members of civil society, dissidents, government officials, and organisations, accountable.

Which were the other companies targeted by the ruling?

The two remaining entities hail from Russia and Singapore.

Positive Technologies from Russia and Computer Security Initiative Consultancy from Singapore feature on the list because “they traffic in cyber tools used to gain unauthorised access to information systems, threatening the privacy and security of individuals and organisations worldwide”, as reasoned by the BIS.

A committee chaired by the Department of Commerce and includes the Departments of Defense, State, Energy, and Treasury, found the conduct of these four entities concerning enough to warrant action.

Export controls announced by the US earlier

The addition of companies to the Entity List comes in the wake of the announcement a couple of weeks ago. The United States (US) had announced export controls as an interim measure for products that can be used for “malicious cyber activities”, according to a press release by the US government’s commerce department.

It meant that American exporters required a license to sell cybersecurity products to countries of national security or weapons of mass destruction concern, it added. The license was also made mandatory for countries under a U.S. arms embargo. The new rules will be effective in 90 days (January 2022) as the department’s BIS invited public comments.

Here are some of the details of the proposed measures:

BIS has explained that end users targeted by this interim rule include a ‘government end user’.

The License Exception ACE imposes an end-use restriction in situations where the exporter has reason to believe that the ‘cybersecurity item’ will be used to affect the confidentiality and integrity of information without authorisation from the owner at the time of export.

US exporters must consult the US State Department’s guiding principles for transactions involving foreign governments for surveillance products to minimise the risk of misuse by governments to violate or abuse human rights.

