Zero-Day Hoarding Aids Advanced Spyware, PEGA Committee Told
Google's Shane Huntley Urges EU to 'Lead a Diplomatic Effort' to Curb Spyware
Exploitation of zero-day vulnerabilities by commercial makers of advanced spyware threatens global internet security to the point that it needs urgent attention from governments across the world, a Google cybersecurity executive told a European Parliament panel.
Shane Huntley, head of Google's Threat Analysis Group, urged the European Union to "lead a diplomatic effort" to limit the harms of advanced spyware apps such as Pegasus, the flagship product of Israel's NSO Group.
More and more countries seek the surveillance capabilities granted by Pegasus and its competitors "because they see it works," Huntley told the parliamentary committee investigating European Union member countries' use of digital surveillance tools. Pegasus has been capable of infecting smartphones without the user having to click on a malicious phishing link.
"Very small countries with very poor records of human rights are able to get top-tier capabilities because companies like NSO will sell it to them," he said.
The Parliament overwhelmingly voted in March to empanel the 38-member PEGA committee after reports surfaced that authorities in Poland, Greece, Hungary and Spain had used Pegasus to target politicians, journalists and activists. Committee head Jeroen Lenaers, a Netherlands member from the European People's Party, lamented Tuesday that the investigation is running into opposition in European capitals (see: European Parliament Pegasus Investigation Faces Resistance).
The root cause of advanced spyware's infiltration capabilities lies with zero-days - unpatched flaws in the iOS or Android operating systems that attackers exploit to bypass security protections. New discoveries of zero-days can command deals worth millions in the gray market of vulnerability brokers. Governments may hoard them for their own purposes.
"Stockpiling of vulnerabilities and its focus on developing and hoarding vulnerabilities is a real harm to society because it increases risk," said Huntley. Zero-days have escaped the secret confines of government while their use by entities such as NSO can create global levels of risk, he added.
An April 2022 study by the European Union Agency for Cybersecurity shows substantial differences across member states when it comes to the coordinated disclosure of vulnerabilities. Only the Netherlands, France, Belgium and Lithuania have a "fully established" national coordinated vulnerability disclosure policy, the report concluded.
During the hearing, Jo De Muynck, head of ENISA's operational cooperation unit, told the committee that his agency is working with the member states to encourage more uptake of coordinated vulnerability disclosure practices.
De Muynck also touted the Cyber Resilience Act, legislation proposed by the European Commission that would require software and hardware manufacturers to meet a minimum set of cybersecurity standards.
"Only by promoting cybersecurity by design and privacy by design, and by making the IT products we buy resilient to attacks and intrusion, we can set the economic incentives needed for tackling the commercial spyware market and prevent further undermining of the trust," he said.