U.S. Adds NSO Group, Other Entities to Restrictive List Over Malicious Cyber Activities

Per Wednesday’s announcement, the Commerce Department’s Bureau of Industry and Security (BIS) released a final rule adding four foreign companies, including Israel’s NSO Group and Candiru, to a list of entities engaging in activities antagonistic to the country’s national security and foreign policy interests. The other additions are Russia’s Positive Technologies and Singapore’s Computer Security Initiative Consultancy.

As a result, the entities added to the “Entity List” of the Export Administration Regulations (EAR) will face tighter export, reexport, and in-country transfer measures on items subject to those regulations.

The Commerce Department explains that BIS’s “Entity List” is a tool used to restrict the movement of EAR items from individuals, organizations, and companies believed involved nefarious activities. In this case, the End-User Review Committee (ERC) which is chaired by the Department of Commerce and includes the Departments of Defense, State, Energy, and where appropriate, Treasury, concluded that the conduct of these four entities raised concerns warranting placement on the list.

NSO Group and Candiru were reportedly added based on evidence that they developed and supplied spyware to foreign governments that used the tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers. The Commerce Department further explained that the tools enabled foreign regimes to conduct “transnational repression,” a practice authoritarian governments use to target dissidents, journalists, and activists outside of their sovereignty to silence dissent. NSO has faced litigation over its software in recent years.

The other two entities, Positive Technologies of Russia, and Computer Security Initiative Consultancy PTE. LTD. of Singapore, were allegedly added to the Entity List due to the determination that they traffic in cyber tools. Those tools have reportedly been used to gain unauthorized access to information systems, thereby threatening the privacy and security of individuals and organizations worldwide, the news release said.

According to the Commerce Department, the measure was taken as part of the Biden-Harris Administration’s efforts to “put human rights at the center of U.S. foreign policy, including by working to stem the proliferation of digital tools used for repression.” The initiative reportedly works towards the more targeted goals of “improving citizens’ digital security, combating cyber threats, and mitigating unlawful surveillance.”