WASHINGTON — Senior lawmakers said they would investigate the government’s purchase and use of powerful spyware made by two Israeli hacking firms, as Congress passed a measure in recent days to try to rein in the proliferation of the hacking tools.
Representative Adam Schiff, the California Democrat who is chairman of the House Intelligence Committee, sent a letter last week to the head of the Drug Enforcement Administration asking for detailed information about the agency’s use of Graphite, a spyware tool produced by the Israeli company Paragon.
“Such use could have potential implications for U.S. national security, as well as run contrary to efforts to deter the broad proliferation of powerful surveillance capabilities to autocratic regimes and others who may misuse them,” Mr. Schiff wrote in the letter.
Graphite, like the better-known Israeli hacking tool Pegasus, can penetrate the mobile phones of its targets and extract messages, videos, photos and other content. The New York Times revealed this month that the D.E.A. was using Graphite in its foreign operations. The agency has said it uses the tool legally and only outside the United States, but has not answered questions about whether American citizens can be targeted with the hacking tool.
Mr. Schiff asked Anne Milgram, the D.E.A. administrator, to respond by Jan. 15 to questions submitted in a classified addendum to the drug agency.
By then, Republicans will have taken power in the House and Mr. Schiff will no longer be chairman of the committee. But the committee’s efforts to curtail the spread of foreign spyware have been bipartisan, so the changeover is unlikely to affect its agenda on this issue.
Countries around the world have embraced commercial spyware for the new powers of surveillance it gives them. The Israeli firm NSO held a near monopoly in the industry for nearly a decade — selling Pegasus to Mexico, Saudi Arabia, India and other nations — but new companies peddling other hacking tools have found success as demand has exploded.
The omnibus spending bill that Congress passed last week includes provisions that give the director of national intelligence power to prohibit the intelligence community from purchasing foreign spyware, and requires the director of national intelligence to submit to Congress each year a “watch list” identifying foreign spyware firms that present a risk to American intelligence agencies.
Separately, Senator Ron Wyden, an Oregon Democrat on the Senate Intelligence Committee, is pressing the Federal Bureau of Investigation for information about the bureau’s purchase and testing of NSO’s Pegasus spyware. The Israeli firm’s hacking tools have been used by autocratic and democratic governments to target journalists, dissidents and human rights workers.
The Times reported last month that internal F.B.I. documents showed that the bureau’s criminal division in 2021 drew up guidelines for using Pegasus in criminal investigations — before the F.B.I.’s senior leadership decided against using the spyware in operations.
What we consider before using anonymous sources. Do the sources know the information? What’s their motivation for telling us? Have they proved reliable in the past? Can we corroborate the information? Even with these questions satisfied, The Times uses anonymous sources as a last resort. The reporter and at least one editor know the identity of the source.
In a letter last week to Christopher Wray, the F.B.I.’s director, Mr. Wyden asked the bureau for information about why it chose not to deploy Pegasus, and whether the bureau’s lawyers made a determination that would preclude the F.B.I. from using Pegasus or similar hacking tools.
“The American people have a right to know the scale of the F.B.I.’s hacking activities and the rules that govern the use of this controversial surveillance technique,” Mr. Wyden wrote.
A government legal brief related to a Times Freedom of Information Act lawsuit against the F.B.I. stated that “just because the F.B.I. ultimately decided not to deploy the tool in support of criminal investigations does not mean it would not test, evaluate and potentially deploy other similar tools for gaining access to encrypted communications used by criminals.”
The Biden administration late last year placed NSO and another Israeli hacking firm on a Commerce Department blacklist — prohibiting American companies from doing business with the two firms.
That move, as well as a decision by Israel’s ministry of defense to reduce the number of countries to which companies can potentially sell their hacking tools, has buffeted the Israeli hacking industry, drying up investment in companies amid fears that they, too, could land on the American blacklist. One senior Israeli military official estimates that, soon, only six offensive tech firms will be left standing — down from the 18 firms that had been operating in Israel before the NSO blacklisting.
But now, Israel’s defense ministry appears to be considering easing restrictions on companies to try to keep the industry from collapsing, according to two Israeli military officials who spoke on the condition of anonymity to discuss sensitive decision-making.
When asked whether Israel had made a final decision about the easing of restrictions, a spokesman for the defense ministry said that “the objective is to improve the monitoring of controlled cyber exports and to create more precise instructions for controlled cyber exporters, while reducing the risk of improper use of these systems and providing effective tools to ensure compliance with the purchaser’s license terms.”
The Israeli government requires all hacking firms in the country to obtain an export license to sell spyware tools to foreign governments. Some Israelis have tried to avoid these restrictions by moving their businesses outside Israel.
One of them, the retired Israeli general Tal Dilian, set up businesses in Greece and Cyprus, and his hacking tool — Predator — is at the center of a widening scandal involving allegations of spying by Greek government officials.
Israeli officials have publicly expressed frustration that they are powerless to regulate the business of Israelis operating outside the country. But after recent reports of Mr. Dilian’s growing hacking empire, the Israeli defense ministry convened a meeting to explore if any steps could be taken to better regulate the operations of Mr. Dilian and others who work outside Israel. Among the options explored was whether an investigation could be opened into Mr. Dilian or if other measures could be taken against Israeli hackers who use expertise they gained in the Israeli military to set up foreign companies beyond the government’s reach.