Cyber Mercenaries Don’t Deserve Immunity
By Tom Burt, Microsoft Vice President, Customer Security & Trust
December 28, 2020

The NSO Group sold governments a program called Pegasus, which could be installed on a device simply by calling the device via WhatsApp; the device’s owner did not even have to answer. According to WhatsApp, the NSO Group used Pegasus to access more than 1,400 mobile devices, including those belonging to journalists and human rights defenders.

We believe companies like NSO Group selling tools like Pegasus are concerning for three reasons.

First, their presence increases the risk that the weapons they create fall into the wrong hands. Previously, sophisticated nation-state hacking capabilities resided in a small number of governments with well-funded agencies focused on developing these weapons. Even then, government-created espionage tools got into the hands of other governments who used them in attacks like WannaCry and NotPetya that spread like wildfire beyond the targeted victims and ultimately devastated lives and disrupted businesses around the world. Lowering the barrier for access to these weapons would guarantee that such catastrophes would be repeated.

Even if the tools are sold to governments who use them for narrowly targeted attacks, there are a variety of ways they can still fall into the wrong hands. For example, private actors like the NSO Group and their less sophisticated customers may lack the defenses some governments use to protect the weapons, making them more susceptible to cyber-theft. For example, an Italian company called Hacking Team – one of NSO’s competitors – was itself hacked in 2015. Additionally, targets of these weapons can observe, reverse-engineer and then use these tools for their own purposes.

Second, private-sector companies creating these weapons are not subject to the same constraints as governments. Many governments with offensive cyber capabilities are subject to international laws, diplomatic consequences and the need to protect their own citizens and economic interests from the indiscriminate use of these weapons. Additionally, some governments – like the United States – may share high-consequence vulnerabilities they discover with impacted technology providers so the providers can patch the vulnerability and protect their customers. Private actors like the NSO Group are only incented to keep these vulnerabilities to themselves so they can profit from them, and the exploits they create are constantly recycled by governments and cybercriminals once they get into the wild.

The expansion of sovereign immunity that NSO seeks would further encourage the burgeoning cyber-surveillance industry to develop, sell and use tools to exploit vulnerabilities in violation of U.S. law. Private companies should remain subject to liability when they use their cyber-surveillance tools to break the law, or knowingly permit their use for such purposes, regardless of who their customers are or what they’re trying to achieve.

We hope that standing together with our competitors today through this amicus brief will help protect our collective customers and global digital ecosystem from more indiscriminate attacks.