Crucial To Know Who Had Access To The Data: Cybersecurity Researcher

Shivam Shankar Singh, the author of The Art of Conjuring Alternate Realities: How Information Warfare Shapes Your World (HarperCollins, 2021), a book that deals with the impacts of information warfare and cybersecurity, spoke to Outlook on the ongoing controversy about the Indian government’s alleged snooping on politicians, constitutional authorities, journalists, and its leaders with the help of an Israel-based technology firm NSO group.

Co-authored with a cybersecurity researcher, Anand Venkatanarayanan, the book has received endorsements from global experts in the intelligence field such as Cody Gentry Barrow, a former intelligence officer of the US Pentagon; Group Captain Keith Dear, Former Intelligence Officer of the Royal Air Force and Advisor to the Prime Minister of UK on defence modernization and Pukhraj Singh, Cyber Intelligence Analyst and former cyber operator for the Indian government.  

Excerpts:

Q: When the Indian government allegedly bought a license or subscription from the Israel-based NSO group for spying on opposition leaders, journalists, constitutional authorities, and others, how did it work?

A: In 2018, Citizen Lab identified 45 countries that have used Pegasus. The way the spyware gets installed on a phone is either through a phishing attack, where a malicious link is sent to a person’s mobile, and Pegasus installs when the link is clicked, or it is installed through a missed call on services like WhatsApp or iMessage using vulnerabilities in these applications.

Once the spyware is installed on the mobile device of an individual, it can gain access to everything. It doesn’t just intercept calls and messages, it gets access to all files, keystrokes and can even remotely activate the camera and microphone of the compromised device.

Though the NSO group claims it does not retain any of the data, it is NSO who determines on what server the data from a targeted device would be sent. It could be NSO’s servers or those of its clients, but control over this would likely remain with NSO.

To provide this service, the NSO group charges a fee of $7-8 Million per year as per reports, which allows a client to gain access to 50 devices at any one time and a total of 500 devices in a year.

Q: So in this case, the data of Indian politicians or journalists went on the server of the NSO group, and then it was forwarded to the Indian government. Doesn’t it compromise our national security as people who were spied on are parliamentarians and constitutional authorities as well?

A: Looking at the people involved - ministers, judges, opposition politicians, and journalists who talk to many high profile sources due to their work - it indeed poses a challenge to national security. The NSO group can have access to the data even though it says it doesn’t, but more worryingly, this spyware generates a huge amount of data.

Someone has to go through all of it, and this would require a massive team. Who are these people who sift through the data becomes an important question. WhatsApp chats of individuals have been leaked by India’s investigative bodies in the past, and there is no guarantee the data gathered by Pegasus wouldn’t be resold to foreign governments, agencies, and business interests. This is especially true because we don’t even know if the data is only accessible to the government or if the analysis of it is outsourced to a private agency.  

Q: When the deal was between the governments and the NSO group, how has the names of people who were snooped on coming into the public domain, and how credible is the claim?

A: The names that have come out are the result of an investigation by the Paris-based media nonprofit Forbidden Stories and Amnesty International. It is a leaked list, that has likely leaked from NSOs end instead of being from anyone government as it involves so many different countries. It was shared with several media outlets around the world who have also done their vetting - The Wire, Le Monde, The Guardian, Washington Post, Die Zeit, Suddeutsche Zeitung, and 10 others.

The claims seem credible because at least on some mobile devices on the list, a forensic examination has found evidence of Pegasus being installed. Not every phone is available for verification as some individuals have changed phones since 2018-2019, when their name appears on the leak, or are unwilling to hand over their devices for examination. The subset of devices examined shows clear evidence of Pegasus usage, so all concerns remain valid even if all of the names on the list can’t be verified.  

Q: Do you suggest the only way to keep one's device safe from such spying is to keep changing it more frequently?

A: No. That is one way, but many precautions can be taken to reduce the likelihood of spyware and malware compromising your devices. One major way is to not click on unidentified links or connect unidentified USB drives and devices. It is important to remember tools like Pegasus is expensive, and not everyone will be a likely target. 

For most people, following basic precautions to prevent malware will be enough. For some, they might have to go a step further and stop using apps with known security vulnerabilities, and continuously changing numbers and devices is the only last resort for the truly vulnerable or paranoid.

Q: Some of the strong critics of the government such as some tv anchors are not on the snooping list. Does it surprise you? 

A: It is clear that these names aren’t the kind that should be on a list for national security purposes. The names show a clear political intent for spying. What’s revealing is that it wasn’t just people deemed to be against the incumbent government, it was also people close to them or even their Ministers.

The intent here seems to have control over them. The list seems to be of people who would provide relevant political material. That’s why it doesn’t have the prominent TV news anchors that people identify as big names because they host debates. This list is dominated by journalists who would be doing investigative reporting, or at the very least talking to a lot of different people for inputs on stories.

Q: So far as the details are available in the Indian media, how many Indian citizens have been subjected to snooping by the government?  

The lists that are coming out in the public domain will reveal about 100 specific individuals who were targets. According to individuals working on the matter over 300 mobile phone numbers in India were targeted as per this list. What must be remembered though is that this is just one leak. The entire scale of the operation is unknown, all we have is the lower limit of at least 300 numbers.

Q: Do you think this calls for a global ban on this kind of activity as anyone can snoop on anyone. 

Yes. As we found while researching the book, power in the modern world is determined by controlling the information environment, and spyware is a major component of cyber warfare. It must be acknowledged globally that these are cyber weapons that must not be allowed to proliferate because they present a danger to all nations and individuals globally. A ban would remove the economic incentive for the creation of these weapons, thereby at least ensuring it doesn’t get into the hands of private operators willing to sell it to any regime, organization, or vested interest.