What is Pegasus, and why should we be concerned?
Project Pegasus has caused a great deal of global hype recently. After Wikileaks (2007-2017), the Snowden papers (2013), the Bangladesh Bank cyber heist (2016), and Cambridge Analytica (2018), Pegasus made big headlines in the cybersecurity space.
The spyware Pegasus is, to date, by far the most invasive hacking tool developed by NSO Group, an Israel-based software company. Since its inception in 2016, the company has upgraded Pegasus over the years into what is now a military-grade cyber weapon system. Initially, in fact, it was designed and developed to serve Israeli military intelligence and surveillance. NSO then gradually commercialized the product and sold it to its “vetted” global clientele upon official approval from the government of Israel.
Within a couple of years, NSO sold its Pegasus software to as many as 40 countries. However, these deals were made only through government-level agreements mandating that the spyware be used solely for domestic cyber-surveillance and crime control.
Ironically, the way Pegasus has been used or abused showed it to be far from its ideal purposes. 50,000 mobile phone numbers from all around the world have reportedly come under Pegasus surveillance. What it means in reality is that those 50,000 personal phones -- belonging to statesmen, politicians, journalists, corporate executives, human rights activists, government officials -- are potentially subject to being hacked or snooped.
The hacking happens through a backdoor and in complete silence, leaving no traces behind for the victimized user. No doubt, in terms of sophistication, Pegasus can be rated as one of the best cybersecurity technologies, but also one of the worst for how it can be abused.
The dark side of digital convenience
Needless to say, on a daily basis we are soaked in the utter convenience that modern-day technology, especially internet-based technology such as smartphones and other hand-held devices, offers. As ordinary users, we tend to forget that a piece of consumer technology carries its own inherent pitfalls.
But we simply go with the tech flow. While smartphones seem to be a blessing in our daily life, over-dependency on them may not necessarily be so. The fact of the matter is that the sheer amount of personal data stored on a smartphone, coupled with all the social media data flowing in and out through it, makes the phone almost what we are as individual social beings. In other words, smartphones have turned out to be a near representation of one’s entire personhood, in mobile form.
This is because what we typically do with our phones throughout the day and what we keep on them, e.g., photos and images, audio and video clips, document files, text data, communication logs, call and contact records, saved notes on sensitive information, the phone’s geo-location and keystrokes, all aggregate to reflect one’s overall personality, likes and dislikes, relationships, social networks, interactivity, professional and business engagements, socio-political and religious alignment, and whatnot.
Therefore, while digital convenience is taken for granted, one needs to remain aware that there are covert cybersecurity risks when it comes to data privacy and protection. Personal data, whether sitting on our phone or in transit, is prone to unwanted leaks, intercepts, snooping, or hacks at any time. And there can be serious ramifications from such security risks, which can easily outweigh the benefits, comfort, and convenience that we continue to enjoy today.
How does Pegasus work?
Pegasus is essentially a piece of technology, or, to be more specific, an aggressive hacking spyware. A plethora of spyware and other hacking tools have been in use for decades now. However, what makes Pegasus stand out vis-a-vis other pre-existing hacking tools is the way it penetrates a smartphone, whether iOS or Android, using a zero-click vulnerability. Zero-click means the user of the targeted phone is not required to click on anything or take any action on the phone.
The spyware can enter the targeted phone in a highly stealthy manner, meaning the user will have no clue as to when and how his or her phone was infected. One won’t even have a way to scan and verify whether Pegasus is already sitting on the phone unless the phone is taken to a security lab for a full forensic inspection. To put that in perspective, the spyware’s entry in stealth mode is much like an asymptomatic Covid-19 infection.
Once the spyware is placed on a phone, it sits there permanently as a “root” or super admin, taking full control of the phone as a system, including the entire user data as well as all the actions performed by the end user. As long as the phone is powered on and active while connected to the internet, the hidden spyware keeps collecting all user data from the phone and keeps sending the data to the remote attacker location, presumably to a collector server.
No security scan or anti-virus tool is available today for the user to detect or prevent the entry of this spyware. If for some reason the user becomes suspicious that his or her phone is being snooped on by spyware, the only way to stop the snooping is to replace the physical phone and take a new phone number as well. In the meantime, it is up to the phone makers to identify the security bug Pegasus exploits and fix it by patching their operating system software (iOS and Android).
For the first time in the history of cybersecurity, a successful phishing attack has been carried out via zero-click, with complete invisibility and in the most non-disruptive manner. Once the spyware is in, it becomes an irreversible exploit, meaning the genie cannot be put back into the bottle! No wiper software is able to remove it from the affected phone, and even a system reset fails.
Through the internet, the attacker can use any attack vector from a remote location, anywhere on Earth, to inject the spyware into the targeted phone. They would typically use social media communication tools such as WhatsApp. Scariest of all, when Pegasus initiates a one-way call to the target phone’s WhatsApp account, the attack succeeds even if the user never answers the call.
The spyware gets installed right away and takes control of the phone while sitting inside completely in stealth mode. Thus, once the victim’s phone is fully compromised, that’s the end of part one of the story! In the next phase, all user data is automatically collected from the phone and sent back to the perpetrators from time to time, as long as the phone is active and connected to the internet. Once enough data is gathered at the backend, it can be used, shared, or even sold to third parties for whatever purpose those third parties choose.
Overall, the way Pegasus was released and unleashed on societies raises a series of bottom-line questions and concerns needing a deep-dive analysis from legal and political perspectives at the least.
The diffusion of technological innovations and their adoption by individuals and societies tend to have a bumpy ride before they settle down somewhere along the way. Information technology is no exception. However, the glory of a piece of technology rests in how its consumers use it. It goes without saying that most technologies are designed and developed for the welfare of society and for enhancing our quality of life.
But there are times when technologies, regardless of how benign and beneficial they are, are put to detrimental uses if they go in the wrong direction or fall into hands tainted with ill motivations. Likewise, when cyber technology falls into rogue hands, one can expect rogue uses of it, with unknown consequences at any scale. Such is the case with the Pegasus spyware, as its recent deployments show.
When it comes to cybersecurity, the distinction between ethical and unethical hacking is still blurry. In addition, in many cybercrime cases, definitions are not clear enough about what is unethical versus what is illegal. Some governments, for example India, have enacted cyber laws which, in the interests of national security, allow for “authorized” access to intercept citizen data in transit over telecom channels.
But there also exists a dilemma as to what type of access is, and should be, justified as authorized or unauthorized, and on what basis it becomes justified. Such gaps and lack of clarity in legal definitions create opportunities for cyber attackers to commit system abuse of varying degrees. There is also a lack of global consensus on the jurisdictional boundaries of the cyber world, unlike maritime and airspace boundaries.
This leads to problems when a cyber-attack is launched in one country targeting an organization in a different country. Even when a hacker or hacker group is exposed, it is a genuine challenge to bring them under scrutiny, let alone set up an effective judicial probe, due to the existing complexities of cross-border cyber laws. Time and again, we have seen cyber-warfare and cyber espionage taking place between the US and Russia, where the two sides always ended up blaming each other.
Nothing substantial could ever be done in terms of tracing or probing. Although many governments have devised local cybersecurity guidelines, directives, frameworks, and laws, these have mostly served to address domestic cybersecurity issues. So far, there are only a few established bilateral or multilateral arrangements among a handful of governments. Examples are the US Patriot Act, the EU Cybersecurity Act, and the GDPR (General Data Protection Regulation).
But from a truly global perspective, cybersecurity legal frameworks, laws, and guidelines, are still inadequate and still a work in progress. Because most cyber-attacks and cyber-crimes are of global nature, it is critical to have clearly defined and solid international arrangements and legal frameworks that will allow governments to address large scale cyber-crimes globally.
There is yet another serious concern evident in the process of Pegasus’s international sale. Each deal with a foreign client was initially arranged between a non-state private entity (that is, the NSO Group) and a state entity (the government of Israel). Although this process appears to have provided formal approval by the Israeli government, the mechanism does not seem to be a robust one and is therefore legally vulnerable.
In the first place, no one would know the details of such internal arrangements. Secondly, while Pegasus itself is a legitimate spyware, no one can ensure it will not be used in illegitimate ways. Finally, who will control it if profit-motivated companies like NSO choose to sell Pegasus globally to other non-state entities, such as terrorist organizations or underground activist groups, through black markets?
Failures in the overall governance and legal due-diligence will very likely result in much deeper cyber crises in the days to come. All this prompts a global concern that demands international bodies like the UN to call out governments to come together and work out a comprehensive cybersecurity legal framework.
Politically, the Pegasus controversy may well have systemic ramifications. NSO Group has so far sold its Pegasus spyware to 40 governments worldwide, while mandating that Pegasus can only be used in curbing subversive activities by terrorists, tracking and capturing drug trades, monitoring national security and border surveillance, etc. And, some 50,000 phone numbers of “high value” targets have been registered under Pegasus surveillance worldwide.
However, neither NSO nor the government of Israel, which approves Pegasus sales, has taken responsibility for monitoring how exactly the software is being used by its global clientele. One would even wonder about the client selection criteria the Israeli government follows in selling Pegasus. In light of this, what we have also seen is a peculiar list of countries that Pegasus has already reached and where it is in use.
In the context of India, there has been a great deal of hue and cry from mainstream media outlets in the past few weeks demanding hardcore probes into every aspect of India’s Pegasus deal. The voice of Shashi Tharoor, the Congress MP and chairman of the parliamentary sub-committee on information technology, further bolstered this demand for a probe.
There were allegedly 300 Indian phone numbers under Pegasus surveillance, covering a wide range of targets: opposition leaders including Rahul Gandhi and Mamata Banerjee, ministers and politicians, social critics and activists, government officials, lawyers, and media personnel. No doubt, this has seriously undermined the fundamentals of democratic practice and process in India.
Not to mention, India’s launching of Pegasus against Imran Khan, the prime minister of Pakistan, will further aggravate the already rotten geo-political repercussions for South Asia. The indications that have so far emerged from the public discourse have clearly pointed to the Modi government as the only accountable entity.
India being a hallmark of democracy, its Pegasus deal and the way the spyware has been used proves to be an underhanded attempt by the Modi government. With the story unfolding, it is becoming more and more evident that the government has used or abused Pegasus mainly to curb the opposition voices in order to secure personal and party interests, labelling India as a “surveillance state” in that process.
However, Prime Minister Modi remained in non-denial despite a series of demands for debates in parliament. At this point, one would really wonder: How could Modi and his BJP squad choose a non-denial mode when NSO itself made it very clear that they had approval of any sale of the spyware to governments only? Eventually the case had to go to the Indian supreme court for the ultimate judicial probe, and what verdict the court comes out with remains to be seen.
The questions the Indian public is demanding answers to are simple, clear, and straightforward: Did Prime Minister Modi purchase the Pegasus spyware? If so, when and on what basis did he decide to purchase it? What was the approval process before buying the spyware with Indian tax-payer money?
Was there a discussion on justification in the parliament? How and on what basis did the government make the list of 300 “high profile” targets and who are these targets? Has the tool been deployed to secretly snoop on personal phones of its own citizens? And if so, what justifies the government snooping on private phones of its own citizens?
Pegasus clearly shakes up the democratic value system in which the state’s responsibility and accountability are at the core. Having said that, even an attempt to hack or snoop on a private citizen’s phone is not allowed by law. The current Indian IT Act, under Sections 43 and 66, allows the government only to intercept or tap certain data in emergency circumstances and in the interests of national security.
However, there is no permission or provision that allows hacking or snooping on a private citizen’s phone. Pegasus is therefore a clear violation of data privacy law in India and is thereby subject to punishment. The question is: If the government itself is proven to be the violator of its own laws, who then is to be brought to justice?
During this ongoing Covid-19 global pandemic, two changes have clearly happened. First, an accelerated digital transformation across sectors. Organizations -- whether it’s e-commerce or logistics or media -- have fast moved to online services.
People away from the regular office have increasingly settled into working from home, which is likely to continue in the foreseeable future as the new normal. As a result of these changes in working style, the use of mobile internet and dependency on mobile applications have spiked exponentially. Secondly, because this high-speed digitization has resulted in a much more concentrated virtual presence, cyber-attacks and cyber-crimes have also increased at an ever-faster pace. This was somewhat expected.
Pegasus is a wake-up call in the midst of a continuous stream of worldwide security attacks. Governments must activate rigorous programs to address the constantly evolving cybersecurity issues and to combat cyber-crime. Developing the correct agenda has to follow a holistic roadmap that takes into account a long-term strategy, mission, and vision.
Catching up with the rapid evolution of information technology needs compatible resource development, industry best practices and frameworks, appropriate policy, legal support coverage, and an all-out awareness in the society.
Cybersecurity is primarily a technological problem, but it requires a political solution at the end. In order to establish a long-term, effective, and comprehensive solution, global cooperation and global frameworks are of utmost importance. The sooner it happens, the better.
Shamim Ahmed is an IT governance professional based in Australia. Sabbir Ahmed is Professor of Political Science at Dhaka University.