Offensive cyber operations
Recent Additions to Entity List Part of Broader U.S. Effort Targeting Spyware
On Nov. 4, the Commerce Department added four companies to the Entity List after concluding that their cyber activities were harmful to the national security of the United States. The action reflects the U.S. government’s accelerated efforts to target companies and individuals that provide offensive cyber services or exploits to certain foreign governments and foreign companies for uses that violate human rights. The listings also demonstrate the U.S. government’s willingness to adapt existing national security tools to address new priorities and highlight a key trend in the Biden administration—treating intelligence collection operations as a potential national security threat.
In explaining its listing decision, the Commerce Department cited “investigative information” allegedly showing that Israeli companies NSO Group and Candiru developed and supplied spyware to foreign governments that used the tools to target government officials, journalists, activists and academics. Third-party reports describe some of the malicious activity, including one university laboratory group that concluded that foreign governments’ use of Candiru’s spyware infrastructure harmed at least 100 people, including human rights defenders, dissidents, journalists and activists. Another group, a global consortium of news organizations, determined that foreign governments misused NSO’s Pegasus spyware to hack dozens of private smartphones belonging to journalists, activists and persons close to Jamal Khashoggi, the murdered Saudi journalist.
With respect to the other two listed entities, Positive Technologies (a Russian company) and Computer Security Initiative Consultancy (a Singaporean company), the Commerce Department asserted that they had trafficked in cyber exploits used to gain access to information systems, threatening the privacy and security of individuals and organizations across the globe. Positive Technologies was also recently sanctioned pursuant to an executive order to counter malicious cyber activities by the Russian government.
Designating a company on the Entity List, which is administered by the Commerce Department’s Bureau of Industry and Security, can cripple a company because it empowers the U.S. government to restrict parties from accessing U.S.-origin products or technology. In effect, a company on the Entity List is banned from directly or indirectly obtaining items subject to the Export Administration Regulations (such as telecommunications equipment) without U.S. government approval. The Entity List provides specific license requirements for each listed entity, typically requiring that the entity obtain a license to access every item subject to the Export Administration Regulations. In addition, parties to transactions involving companies on the Entity List cannot rely on general license exceptions.
Historically, the U.S. government viewed the Entity List principally as an instrument to penalize parties that had violated or were suspected of violating export control, proliferation or sanctions authorities. However, the Entity List grants the U.S. government the authority to list an entity for which there is “reasonable cause to believe ... that the entity has been involved ... in activities that are contrary to the national security or foreign policy interests of the United States.” During the Obama administration, the U.S. government leaned on the broad language in 15 CFR § 744 to target an expanded range of companies for conduct it perceived as threatening U.S. national security and foreign policy interests. In 2016, the Bureau of Industry and Security added ZTE Corporation and affiliates to the Entity List, signaling a shift in the government’s willingness to designate large, multinational corporations to mitigate broader national security threats and further policy goals. Although ZTE has since been removed from the Entity List, this trend escalated in 2019 when the Bureau of Industry and Security added Huawei Technologies and hundreds of its affiliates to the Entity List, where they remain today.
More recently, the U.S. government began listing companies with connections to alleged human rights violations, essentially adding human rights abuses to its list of national security and foreign policy concerns to address with export controls. For instance, in 2019, the Trump administration added multiple entities based in China to the Entity List because of alleged involvement in human rights abuses, including those against the Uighurs and other Muslim minority groups in the Xinjiang Uighur Autonomous Region of China. The Biden administration subsequently added 34 entities to the list, 14 of which are based in China and allegedly enabled the human rights abuses against the Uighurs and other minority groups. The increased use of export control mechanisms to pressure foreign corporations that allegedly enable human rights abuses is part and parcel of broader U.S. government efforts to stop human rights abuses by foreign governments, such as through the use of sanctions.
The direct impact of the listing on the four companies depends on the extent to which their businesses rely on items subject to the Export Administration Regulations—upstream and down. For example, the listing could harm NSO Group by inhibiting its ability to use certain computing and software services or by rendering the company less attractive to investors. But the overall consequences for the companies will not be nearly as severe as the designation of major, global conglomerates like Huawei. That’s because, unlike Huawei, which relies to some extent on chip technology that is a product of U.S.-origin software and technology, these companies may be able to find alternate sources of components and technology not subject to the Export Administration Regulations.
While the direct impact of the listings on these companies’ businesses and the broader impact on the economy may thus not be as significant as for some prior listings, the fact that these entities were listed is noteworthy for what it says about the U.S. government’s evolving use of the Entity List. First, the addition of the four companies signals a willingness to list foreign entities and countries beyond the typical targets of the U.S. government. It is unusual for the Bureau of Industry and Security to target companies headquartered in U.S.-allied countries, like Israel and Singapore; there are relatively few Israeli and Singaporean entities on the list. Additionally, both NSO Group and Candiru purportedly have ties to Israel’s intelligence arm, Unit 8200. Such a close affinity with Israeli intelligence means the addition of NSO Group and Candiru to the Entity List could put some strain on U.S.-Israel relations, although the U.S. government reportedly provided the Israeli government with some advance warning of the listing.
Second, this action sends a clear message that the U.S. government views computer network exploitation operations as a national security issue in which it will insert itself when certain foreign governments or human rights issues are reportedly involved. In the past two months alone, the United States has made aggressive advances against individuals and entities providing offensive cyber services on behalf of foreign governments, relying on a variety of legal and foreign policy tools.
For instance, in mid-September, the U.S. Department of Justice brought an unprecedented criminal prosecution against three former U.S. military and intelligence members for conspiring to conduct hacking services on behalf of the United Arab Emirates (UAE). Dubbed the “Project Raven Prosecution,” the criminal charges were ultimately resolved with a deferred prosecution agreement with the three defendants, who had provided cyber services to the UAE and ultimately gave UAE intelligence services the ability to access smartphones and mobile devices remotely using “zero-click” exploits.
Also, in October, the Commerce Department targeted offensive cyber operations through an interim final rule establishing export controls on a range of cybersecurity items, including software, hardware and technology designed to deliver or generate “intrusion software.” The rule will make it more difficult for foreign companies and individuals to provide services to foreign governments conducting malicious cyber activity.
Although the four recent listings will have consequences for the designated companies, this move also has significant implications for the cybersecurity industry. The U.S. government deployed the Entity List in a manner that many observers did not expect, demonstrating a willingness to go to great lengths to stem cyber activities and operations that it deems contrary to its interests. The government’s impulse to use national security tools in novel ways is particularly strong when those operations are allegedly connected to human rights abuses, such as targeting dissidents, journalists and activists. While all too often export controls and sanctions do not appear to result in the desired change in behavior, this may be an exception.