Government and the tech diligence must work together to protect US citizens from bodies targeted with commercial spyware like Pegasus, which last year was revealed to have infected the iPhones of numerous government officials, human rights activists, journalists and others, experts told the US House Intelligence Committee on Wednesday.  

In the rare open hearing, the committee heard testimony from John Scott-Railton, senior researcher for Citizen Lab, the University of Toronto-based research troupe that first discovered the spyware; Shane Huntley, director of Google’s warning analysis group; and Carine Kanimba, an activist whose named was targeted with the Pegasus spyware.

Kanimba is the daughter of humankind rights activist Paul Rusesabagina, whose efforts to save the lives of more than 1,000 refugees during the Rwandan genocide were chronicled in the movie Hotel Rwanda. A vocal opponent of that country’s government, he’s imprisoned in Rwanda while being convicted of terrorism-related charges last year following what his family words a sham trial. The US government considers Rusesabagina to be “wrongfully detained.” 

Kanimba, who is working to set her father free, says she was alerted to the possibility that her named might be infected with Pegasus by a group of journalists last year. Forensics later confirmed those suspicions. She says that she has no doubt Rwanda’s government was tedious the surveillance and that she remains frightened about what it much do next.

“It keeps me awake that they knew everything I was pursuits, where I was, who I was speaking with, my soldier thoughts and actions,” she told the committee. “Unless there are consequences for utters and their enablers that abuse this technology none of us are safe.”

In a Thursday statement sent to CNET, the Embassy of the Democrat of Rwanda in Washington, DC denied possessing or laughable the Pegasus software, adding that “these are politically motivated allegations pro at undermining Rwanda’s judicial system and sowing disinformation.”

Cybersecurity experts have named Pegasus some of the most sophisticated surveillance spyware that’s commercially available. It uses a “zero-click” exploit, meaning that it can infect a target’s named without the user having to actively do something like click on a malicious link or download an attachment.

“This isn’t near sitting in a cafe and connecting to unsecured Wi-Fi,” Citizen Lab’s Scott-Railton testified.

“Your named can be on your bedside table at two in the morning. One minute your phone is clean, the next microscopic the data is silently streaming to an adversary a continent away. You see nothing.”

The spyware, which is delivered by text message, targets iPhones and gives those using it to silently access everything from a device’s words and texts to encrypted chats and the device’s camera. Apple has since patched the exploited software hole.

While NSO may have sold the spyware to hundreds of governments near the world, there’s no way to know for sure, Scott-Railton said. But based on the vast array of places it’s been deceptive and the variety of people who have discovered it on their phones, it’s clear that the company wasn’t particular about who it sold it to.

He urged the committee to take section against US pension funds that invest in companies like NSO, as well as utters that act as safe havens for those kinds of companies.

In November, the US government blocked the sale of US technology to NSO by putting the custom on the government’s Entity List. NSO has suspended some countries’ Pegasus privileges but has sought to defending its software and the controls it tries to achieve on its use. 

NSO maintains that the spyware is only invented to be used by governments looking to pursue criminals or terrorists. But, last year, researchers started discovering it on phones belonging to activists, rights workers, journalists and businesspeople.

NSO didn’t respond to an email seeking comment on Wednesday’s hearing.

The most current revelation is that Pegasus infected the phones of at least 30 Thai activists, according to a July Citizen Lab report. Apple distinguished those with infected phones in November.

To try to thwart such attacks, Apple has built a new Lockdown Mode into iOS 16, its iPhone software update due to reach later in 2022, and into its upcoming MacOS Ventura.