relations. watch "washington journal" on c-span or c-span now, our free mobile app. join the conversation with your facebook comments, text messages and tweets. >> c-span now is a free mobile app featuring your unfiltered view of what is happening in washington live and on-demand. keep up with live streams of hearings from the u.s. congress, white house events, the courts, campaigns and more from the world of politics. stay current with the latest episodes of "washington journal" and find a scheduling information for the tv network, plus a range of compelling podcasts. c-span now is available on the apple store store and google play.

c-span, your front row view to washington anytime and anywhere. >> a hearing now on threats posed by foreign-made commercial spyware that allows nationstates to access consumer tech, phone calls, encrypted chat, and photos. the house intelligence committee hearing is just under an hour and a half. >> good morning and welcome. without objection, the chair may call a recess at any time. the session will be held on unclassified classified basis. all participants are asked to decline from discussing national security information a. we are holding a hearing on the rapid threat posed by foreign commercial spyware. reports have shined a bright

light on the market for spying tools sold on the open market, offering sophisticated signals intelligence capabilities as an end to end service. the most sophisticated tools provide zero click access to all the information on a laptop or phone or internet connected device. emails, photographs, messages sent via encrypted apps, even a microphone, nothing is out of reach. this spyware could be used against every employee of the executive branch, every journalist and political activist, every citizen of the world with an electronic device. instead of updating software on the devices, there is little you can do to protect yourself from being compromised. the availability of these tools in the hands of governments who

lack robust surveillance capabilities is a game changer for u.s. national security, which makes it an issue of concern for this committee. it's a game changer for our regimes that are looking for new means to surveilled, intimidate, imprison, or kill dissidents, journalists, and others they view as a threat. a group of news organizations and researchers acting under the banner of the pegasus project sounded an alarm about the potential for these tools to be abused. their starting point was a linked list of 50,000 phone numbers that have been targeted. since the disclosure, a stream of disturbing reports has revealed that thousands of journalists, activists and others have had devices compromised by those tools. one of those individuals is here

with us today. she will share the consequences of being targeted with spyware and what it has meant for her family. she served -- her experience should serve as a stark warning to the future that awaits us if the private sector doesn't band together to rein in foreign spyware companies. it is also a threat to millions of americans and others around the world, particularly u.s. government personnel serving overseas. last year, news organizations reported that mobile phones used by u.s. diplomats in uganda had been compromised by the pegasus tool. it is my belief we are looking at the tip of the iceberg and other u.s. government personnel had devices compromised either by a nationstate using the services.

the biden administration has recognized the national security threat posed by commercial spyware and has taken action appear the commerce department added four companies, including nso group, to its entity list, which blocked them from accessing this technology. the commerce department stated this action was based on evidence that these entities developed and supplied spyware to foreign governments and these companies' activities were contrary to the foreign policy interest of the united states. these listings have not deterred nso or other spyware companies from selling tools to countries that could otherwise never develop such sophisticated surveillance capabilities indigenously. additional action is needed. the intelligence authorization act voted out of committee last week provides the director of national intelligence and

president with additional tools to rein in spyware companies and to ensure that foreign governments that target american officials pay a heavy price. among the measures are sweeping new measures for the dni to prohibit the intelligence community from acquiring and using foreign spyware. the legislation authorizes the dna -- dni to block contracts with companies that acquire foreign spyware tools. we granted the president new authority to sanction foreign spyware companies, their executives and foreign government officials who target american officials with spyware. the nature of these tools makes them exceptionally hard to track and combat, and that is why the united states needs to put a greater on this threat. with the intelligence community playing a critical wool. i look forward to the testimony to assist this committee in making sure we respond to this threat with urgency.

i recognize ranking member turner for his statement. rep. turner: i want to thank all of the witnesses today. today, we will hear about the threats associated with foreign commercial spyware technology and how it has been used to target journalists, protesters, advocates and others, including u.s. citizens. spyware is not a threat. however, the foreign spyware is focused on the ability of nationstates and others to purchase a complete surveillance apparatus that they may abuse to target opponents and dissidents. it is commonplace to hear about this when talking about china, north korea or iran, but more shocking to read about abuses of this technology from democratic governments, even those we consider allies. there are growing counterintelligence concerns with regard to the targeting of

u.s. citizens. addressing these threats must involve a mix of government and industry action. the white house has indicated plans to release an executive order further placing limits on this technology. this committee has passed legislation to increase intelligence community collection on this threat. the private sector must also do more to detect these threats, address vulnerabilities in technology, and provide users with the tools to keep data secure. this is true whether the threat is coming from a criminal actor or from a nationstate. i look forward to hearing from the witnesses about the impact of foreign commercial spyware and what more can be done to mitigate the threat. i yield to the balance of my time.

rep. schiff:rep. schiff: we will proceed with brief opening statements. mr. huntley leads googles a threat analysis group, miss kanimba who has been targeted by spyware. scott, you -- mr. scott-railton, you are recognized for your opening remarks. mr. scott-railton: thank you for the opportunity to testify this morning and for your continuing efforts to address the problem of mercenary spyware. i am a senior researcher at the citizen lab.

in the past decade, a new tier of operators has emerged. this is pay to play government-supplied by mercenary spyware companies. google tracks over 30 such vendors. there may be hundreds of those governments -- government customers around the world, but the scale of the user base is unknown. all the big players in the industry claim to only sell to governments, their actions suggest comfort with blurred lines. slide, please. here is a privately owned heavy machinery warehouse in a dusty section of ghana. a pegasus symptom -- system was installed here to monitor the

opposition in the run-up to the presidential election. the spyware industry is getting ready to spread more advanced capabilities. take the zero click exploits being incorporated. zero-click means that the victim doesn't have to click, open a file or perform any action to be infected. this is not about sitting at a cafe and connecting to an unsecured wi-fi. your bed could be on your bedside table. one minute, your phone is clean. the second, your data is streaming to an adversary. googles project zero calls this technology one of the most technically sophisticated exploits they've ever seen and said those were capabilities available only to a handful of nationstates. here is what mercenary spyware can do. it can access your texts and phone calls.

it can access your encrypted chats, pictures, voice notes. anything you can do on your phone, pegasus can do, and some things you can't, like silently enabling your microphone or camera or getting access to our cloud accounts. it is clear the united states government is not immune. at least 11 u.s. officials were targeted with pegasus in uganda last year. this remained undetected until apple contacted and made this discovery while investigating a zero click exploits we shared. mercenary spyware industry has a track record of hacking u.s. officials. for example, nearly a decade ago in a case that has gotten little attention, u.s. diplomats in panama were infected with mercenary spyware. some of america's closest allies like the united kingdom have been targeted. in fact we found evidence of an infection within the networks of

the office of the prime minister . i believe these cases are the tip of the iceberg, and there are many more yet to be discovered. recently the biden administration the threat to america's national security and foreign policy when it added several vendors to the entity list. this was progress. when the administration announced the designation, there have been an avalanche of abuses that are contrary to democratic values. we confirmed pegasus infections of activists and lawmakers in thailand. before that, journalists in el salvador, polish lawmakers targeted during elections, christian religious leaders in africa. yesterday, we learned that --

when the deployment in ghana was taken down, pegasus servers were hidden at a private location and were found during a police raid. today, microsoft announced they disrupted a mercenary spyware actor that sells to private pears. in mexico, we also see a nexus between cartel killings and spyware. that only scratches the surface. unfortunately, we cannot trust the vendors to protect their capabilities either. on nso group employee stole source code for personal gain. another used the technology to target a love interest. it has taken us too long to have the conversation, but i'm glad to have it. we must make sure it moves at the pace of proliferation. it is too late to put the tech

into the bottle, so we must pump the brakes on proliferation to protect national security and human rights. financial investments, including from pension funds in the united states, have supercharged this problem. when the united states government added nso group and another vendor to the entity list, this sent a strong signal, which was powerful, and it impacted both nso group's evaluation and investor confidence. congress should send the signal to all accountable players within the industry. congress should direct the intelligence community to identify and use all tools at their disposal to counter and disrupt problem companies. problem companies should be barred from business with federal entities, and american companies should be blocked from acquiring them. the u.s. must also expand the tools available to hold problem

companies and their officers and executives and owners accountable and work to coordinate these activities with allies. finally, the u.s. should apply diplomatic pressure to countries that have become safe havens for these companies. i think you for your time. rep. schiff: thank you very much, mr. huntley. -- mr. huntley? mr. huntley: esteemed members of the committee, my name is shane huntley, and i am the director of googles threat analysis group. tag is the team within google whose mission it is to analyze and disrupt serious and targeted threats against google's users p this includes government-backed actors, serious cybercrime, and disinformation threat actors. tag is one part of google's latest investment in making the internet more secure. we work with many other teams, including android and chrome

security, and we work across the industry, civil society and with governments to keep users safe. thank you for inviting me to appear before you. i appreciate the opportunity to explain how the commercial spyware industry is thriving, creating risk to americans and users across the globe. the business model of commercial spyware is to make money by providing comprehensive and sophisticated cyber espionage capability to foreign governments, including the exploits to gain control of the device and the software itself, which can collect information. what we have observed in tag is consistent with other reporting that again and again, these tools are found to be used by governments for purposes antithetical to democratic governments, targeting journalists, human rights workers and politicians.

we've been working for years to counter the threat and mitigate the damage. in 2017, google's android was the first mobile platform to warn users about pegasus spyware. at the time, our android team researched -- released research about a targeted attack against a small number of android users. we implemented controls across all of android to ensure further users were not infected by this. later in 2019, we were able to fix a vulnerability that was discovered by finding some leaked marketing information from nso. in 2021, our team published research about the novel techniques used by nso group to compromise i message users. this was a zero click exploit, meaning iphone users could be

compromised by receiving a malicious i message text without needing to click on a link. nso is certainly not the only actor in this space. tag is actively tracking more than 30 vendors with various levels of sophistication of public exposure. we have publicly taken action to discover and counter exploits, and countering these threat actors is becoming a bigger part of our work. in 2021, my team discovered 90 day vulnerabilities being used in the wild, and seven were developed by commercial surveillance vendors. this is threatening our digital society and national security. we also have worked to develop

and deploy industry-leading security features to protect our users, which is detailed in my written testimony. this includes programs targeted for high-risk users, such as our advanced protection program, and project shield. we appreciate the committee's focus on this issue, and we recommend intelligence community prioritize identifying and countering threats from foreign commercial surveillance vendors. we believe it is time that government, industry and civil society should come together to change the incentive structure that has a lot of these technologies to spread in secret. we welcome the sanctions against nso group, and we recommend the government consider further sanctions to limit vendors' ability to receive u.s. funding. we urge the united states to lead a diplomatic effort to work with other countries that harbor these problematic vendors.

we need to build support for measures that limit harms from this capability. while we fight these threats on a technical level, these providers will open -- operate openly in undemocratic countries. thank you for convening this hearing. google is committed to disrupting the threats posed by these commercial spyware vendors. i look forward to answering the committee's questions. rep. schiff: thank. ms. kanimba? ms. kanimba: mr. chairman, ranking member, members of the community, thank you for allowing me to come today. my name is carine kanimba. i am an american citizen. the u.s. welcomed my family when

it's hot security, and we found it within its borders. i am a proud graduate of northwestern, and until two years ago, i was working at a job i loved in finance based out of new york city. in august of 2020, everything changed. nearly 700 days ago, my father was lured from my family home in san antonio, texas buying intelligence operation directed by the rwandan government. he was kidnapped in dubai and illegally rendered by the office of the rwandan president. he was tortured, subjected to a sham trial, and sentenced to 25 years imprisonment. united states government has designated him as wrongfully detained and has backed two resolutions in support of my father and calling for his release. my family is grateful to the house and to congressman castro and congresswoman kim for

leading the effort to adopt the resolution. in 2021, i became the victim of nso pegasus spyware. i was born in rwanda just prior to the 1994 genocide that made me an orphan. my birth parents were among the first victims of nearly one million people killed during the genocide, leaving my sister and i orphans. she is a graduate of georgetown university in washington and is here with me today. my father paul rusesabagina. he was manager of the hotel inco galley and gave refuge to 1268 people in his hotel, risking his life every single day to push back the militia at side, and not a single person was killed. once the killing ended, my adopted parents heard that my

parents had been killed, and they found us in a refugee camp, raised us and loved us as their own, along with my new brothers and sisters. my mother tatiana is here with us today. in 2004, the story was portrayed in the film "total, -- "hotel rwanda." he was awarded the u.s. presidential medal of freedom. my father was given a platform and used it for good. he was critical of the increasing violations of human rights of rwandans, calling for democracy, freedom of speech and press, as well as truth and reconciliation for all rwandans. this criticism turned him into a target of the rwandan president paul kagame. the campaign was targeted and

brutal. an assassination attempt against my father in belgium, house break-ins, intimidation attempts, but my father was never intimidated because he knew he had a responsibility to use his platform to be a voice for the silenced victims of the 30-year rwandan dictatorship. president kagame called my father's kidnapping a flawless operation appear they surveillance my father in texas and boasted about doing so. in february 2021, i was contacted by a collection of journalists called for stories, working on the pegasus project. their research on rwanda and pegasus gave them reasons to

believe i was being spied on. they asked to conduct forensic analysis on my phone, and i agreed. it was discovered that the pegasus surveillance was used to target me. i was mortified. i am terrified. the forensics report has been presented to this committee, and it shows the spyware was triggered as i walked in with my mom into a meeting with the belgian minister of foreign affairs. it was active during calls with the u.s. presidential on they -- on the way for hostage affairs as well as human rights groups. this surveillance is illegal under u.s. law and allowed the rwandan government information. i was told my surveillance would cost the rwandan government millions of dollars. rwanda is the third most aid-dependent country in the world. foreign aid makes up to 70% of national expenditure, and the

u.s. provided 160 million dollars in aid to rwanda last year. all of you, members of congress and american taxpayers, deserve to know how the government of rwanda is spending humanitarian aid. two months ago, citizen lab discovered that my cousin has been infected. jean-paul and i live in the same house. now two phones in the same household being targeted by the same software by the same repressive regime. i am frightened by what the rwandan government will do to me and my family next. it keeps me awake that they knew everything i was doing, where i was, who i was speaking with, my private thoughts and actions, at any moment i wanted. unless there are consequences for countries and their enablers who abuse this technology, none of us are safe. thank you for letting me share my story and the story of my

father. i hope if you find it useful in considering how to regulate the types of tools to target my family and my father. i promise you all that we will not stop advocating for him until he is home. thank you. rep. schiff: thank you for that very powerful testimony. i deeply regret what you have gone through, what your father is going through, what your whole family has experienced, and i appreciate your willingness to come in and speak with us today. i now recognize myself as we begin the question period. let me start, mr. huntley, let me ask you about the zero exploits. how common are they? do we have any idea, and is there anything that individual

users, consumers can do to protect themselves from these exploits? mr. huntley: the discovery of these exploits is fairly rare. it is maybe open to debate debaw common they are. we believe they are rare. as we said, this was one of the most sophisticated exploits we've seen. one of the challenges with such exploits is there is no sign. if it is being used in a limited way, we do not have -- what happened. we believe that what users can do is limited as well. our approach very much is that we want to make it harder for zero day exploits. meaning these exploits where there is no patch available in the platform to the unit is vulnerable. zero day exploits in the wild,

the manufacturer or ourselves get seven days and we fix it quickly. mr. huntley: the primary mechanism we have to protect users. the exploit in this case, the analysis actually showed it had been used for months. that means over that period of months, customers were able to silently target any iphone user they wanted. sen. schatz: -- >> because users can be full by some spear should -- spearfishing effort, sounds like other than keeping your phone up-to-date, there's really nothing you can do to protect yourself. mr. huntley: zero quick site is very limited in what you can do. that doesn't mean the users should give up and we should not focus on other protections

because there are other protections you can do. i do not want to push the message of helplessness. but there is very little laser can do. >> i'm not sure how much you are able to discuss in an open setting like this, how does google or other entities discover a zero click exploit? mr. huntley: citizen lab found the exploit. rep. schiff: scott ray learned are you a roles to discuss how these things are discovered? >> citizen lab focuses on understanding threats to high-risk groups. sometimes these individuals come to us with a question. more often we go to them. we work with them very closely to understand the threats they face. this means analyzing their devices. sometimes analyzing their network traffic.

ultimately it is a needle in a haystack. what is interesting about this exploit is that it was found on the phone of a woman who was one of the major advocates for the women's right to drive in saudi arabia. it was her vigilant and contribution to this effort that ultimately led to this cascade of discovery that protected over 2 billion apple users. my team has discovered over 30 different exploits. often against a range of platforms from a range of vendors. a range of techniques for how we find them. often the attacker makes a mistake. they are subject to restrictions as well. they made some mistaken we were able to discover it. in other cases, the user is able to contact us and we are able to investigate from there. rep. schiff: but with that look like?

what would you be observing? would you be observing your phone turning on by itself? it does not show any visible signs that it is recording? >> one of the truisms about surveillance is that people, when things happen on their phones they don't understand, of -- often conclude that it is surveillance, which speaks to the pernicious nature of the problem. typically with this sophisticated stuff, there would be no sign. there are exceptions. we investigated a case where an individual was co-infected with two pieces of spyware. pegasus, made by nso group, and predator, made by a company called hydroxy. it was running hot. besides that, usually very little the user can see. rep. schiff: who do you think is

responsible within the rwandan government for using this technology against you? >> within the rwandan government, i am not sure. i know they are responsible, the same people who kidnapped and tortured my father and surveilled him for years and attempted to assassinate him. the only government responsible for this is the rwandan government. rep. schiff: with respect to the rwandan government, what is the u.s. government's response to both your father's situation but also the surveillance of your own phones? given we provide a lot of economic support to rwanda. >> the u.s. government has designated my father a case of wrongful detention. ambassador carstens, the u.s.

special envoy, is dealing with my father's case. we are preparing grateful for the efforts being led by the state department and the -- office working to secure my father's release. as it relates to spyware, i have been contacted by the fbi and other members of the intelligence in europe, working to help protect me and try to make us safe. however, this technology is hard to detect and they can always reinfected my phone if they wanted. i still do not feel safe. rep. schiff: has there been any public or other response by nso group? they had been making the claim their technology was not used to spy on americans. you are an american. have they made any comment about why they provided the rwandan government?

>> i do not know. rep. schiff: thank you very much. mr. turner? >> thank you for your compelling story and for the heroism of your entire family. when you are having conversations with the u.s. government on the issues of your father and logistics, and the fact that -- and your angst that those conversations and communications would become compromised. i would like you to speak to that for a moment because it really shows the expansive net that this type of spyware casts. by infecting those who are interfacing, even with our government itself, it makes it even greater threat to you and your family. speak for a moment about how those communications, you have

the private aspect of your life, the aspect of family safety but even as you worked to try to make your family more safe, you were still vulnerable. >> thank you for the question. it has been 699 days that my father was kidnapped. from the first day we learned he was in rwanda, my entire family stop what we were doing and have been working hard to get my father back home. calling government officials all over the united states, sending emails, talking to as many people as we can. we know the rwandan government has also been trying to stop these efforts, whether it is trying to intimidate individuals like the congresswoman who is speaking out, or printing lies in the media, or trying to intimidate us into silence so

that we do not reach all the individuals we would like to reach to help us put pressure on the government into letting my father go. knowing they had been listening to these conversations, these efforts to secure my father's release, it is our right to contact government officials. it is our right to advocate for human rights. the fact they felt they had to permission to listen to these conversations in an attempt to stop these efforts is unconscionable. it is very scary to know they had this much access to us. my father is sick. he has had a stroke recently in prison. the urgency is here. the urgency is for my father to be allowed to come home. we know that we have to continue to speak out and continue our work, regardless -- with or without pegasus in my phone. this has definitely scared us

and put us -- set is back in these efforts. on a personal level, i am a 29-year-old woman and i use my phone quite often. not only in the efforts to secure my father's release, but private conversations with friends. the fact that the same government that tortured my father and has been trying to challenge him also has access to my private conversations, it is very scary. >> that is part of the intimidation and the attempt to control. thank you for your story. you are identified as being able to find some of this spyware. you cited the commerce designation for the entity list. you gave some incidences of

where you believe it was working. do you believe it works if the commerce department places companies like this on the list? >> i see it as a signal. ultimately, the entity list is not an individual sanction, not a comprehensive package. nobody is losing the rooftop swimming pool. it shows investors, some of whom are based in the u.s., pete -- pension funds, permanent funds, that this industry is risky for them. that kind of signaling is extremely powerful and we saw it have an effect. we sell reports that the debt valuation of nso per to -- precipitously dropped. the company now appears to be in a tailspin. rep. schiff: you made a comment i thought was surprising. first you indicated that a lot of the times these are end of -- identified by individuals. you called on the government to do more.

by scale, google and its resources and its interfaces and in the work you are doing in threat analysis, you are going to have more information than the government does. or individuals -- and i don't mean to characterize you were saying it is only in the individuals and that you are not doing work, because you are. as you have used google resources and find out this information from individuals, what is your interface with the u.s. government? how do you share what you do find? what is the work you do with google resources to find them to let the ic know and the government no and the commerce department know so that they can take actions beyond just the technical patches? >> so, i should clarify that many of these exploits are found. these were 30 different exploits

found for us. this specific one was found by citizen lab. in some cases users point us in the right direction but in many cases we find them ourselves. yes i have built a great team and google has put a great investment in understanding these threats and we have a unique visibility and a lot of resources we can put against this problem. but whether these threats or other cyber threats, i think taking the mom has to be a team sport. you look at the organizations taking on these threats, they -- visibility. we have the responsibility of doing the -- with all the -- we have. we do not have some of the capabilities the intelligence committee does. things that they are authorized to do to learn information. similarly, citizen lab and other groups are working directly with users that are targeted and then

there are industry partners. there is very good cooperation amongst this community present and it needs to be that cooperation because each of us see some part of the picture and only by putting those pieces together and working together are we able to take on the adversaries. we cannot let the adversaries take advantage of the disconnection of us only seeing part of the problem. when we discover things with regards to the exploits and spyware, we try to be as open as possible about publishing details so that other researchers and entities are able to investigate further. we believe shining a light on this is important. we also work out who are the best people to contact in different -- if it is chrome or microsoft or apple, we will contact them directly in the first instance to make sure they can fix the vulnerabilities as soon as possible.

in other cases, we do make referrals through law enforcement or the u.s. government and we also have discussions with the u.s. government and other governments in order to take on these threats. i would say the corporation and the passing of -- the cooperation has gotten better. rep. schiff: further work you are doing to make people aware of what you are discovering and what you are seeing, great technical expertise. you did mention the word public -- proliferation. once you discovered this was happening, we understand bad actors and nationstates, now we have criminal organizations and nonstate actors. how do you see the proliferation of this becoming a threat and what do we do? >> icd threat from proliferation as inevitable. when we started, we saw a handful of companies work with a

handful of states. now it is totally under control. -- out of control. it is inevitable that as more states and entities gain access to this technology, it will be pointed against the united states. and it already has been. i also believe it is inevitable that transnational criminal organizations and other non-fit actors will gain access to the stock -- this technology. some of it may show up in ransomware with consequences to everyone in the room. there are three legs. civil society has been raising the alarm for years. tech companies, for years, have been trying technical control member -- measures. they realized that was not enough so they started looking to u.s. courts. whatsapp sued nso. others joined the lawsuit and apple followed suit last year. we need the third leg, government. there is a powerful host of tools both legislative and in

terms of empowering the intelligence community to disrupt and degrade the community -- capabilities of problem actors. >> mr. -- >> thank you. thank you to all of our witnesses. ms. -- in particular for your startling testimony. we are doing this because we are trying to figure out what our response might be and you gave me an idea. i do not know the nuances of our relationship with rwanda but it seems if you attack our people with surveillance tools for nefarious ends, or any ends, maybe not just our people, but civilians or anyone else, you will not get one red cent from the american taxpayer.

the institution that holds the purse strings thanks you for that. i will note, your story and stories like yours turn our stomachs because we are a society that puts a premium on the dignity and rights of the individual. societies that do that also tend to express their political will through democracy. it has not come out enough today but this feels to me like a very serious threat to our democracy and to democracies around the world charter today hanging in the balance in places like hungary, poland, brazil and the united states. you can imagine that if this can be in a warehouse in ghana, that nobody, not mike pence, not nancy pelosi, not the ranking member are immune from having their most private deliberations watched. that may be just enough to interfere in our elections, just

enough to end our democracy. depaul's me that there are institutions that live only because of the contract law and the rule of law in a democracy. you said there were pension funds and you note in your written testimony that you think if nso might attract venture capital, you said there were pension funds that had invested in these entities. would you name them? >> with pleasure. the largest owner of the majority owner of nso group is the aura gone public employee retirement system. another one, alaska's permanent fund. i think some investors have gotten into this without fully understanding what is going on, without doing due diligence. >> is that the complete list of investors? >> that is the complete list for nso group. >> what about the other ones? >> for those, and this speaks of

the problem of the industry, we have no idea who some of those owners are and what that ownership looks like. we do know there have been attempts to acquire companies like nso. >> venture capitalists, name the venture capitalist you know of that have invested in these entities. >> one of the biggest concerns about this technology is that sometimes the companies that are building it are just down the road from the capital. the owner of nso group was francisco partners in san francisco. >> the others? >> that's all i can name right now. >> i am going to ask you to follow up with a complete list of possible western investors. the notion you would live in a legal superstructure of rule of law, then use that structure to invest in a company that might

end that rule of law, we need that list because people need to get famous on this issue. we are talking a lot about sanctions, etc. once it is out of the bottle, it is out of the bottle. innate -- if a dusty warehouse can host one of these things, were not putting it back in the bottle. in my remaining minute, what do we need to be doing in terms of research and development to make sure we are technologically one step ahead of this technology? >> i can take that one. the good news on some of these exploits is once we fix the bug being used, they have to find another one. they see it as a game. it is something we need to stay ahead. what we are doing in google and elsewhere is to across-the-board

work on developing secure systems and make exploits harder to find. that is why we created project zero. it will never be impossible, but much harder to find exploits. and we are able to build secure systems in the future because they are investing in the research to find the holes, we need to research much more to build a more secure systems. >> this is really important and i will just observe -- make the observation to the investors out there, we are not putting this back in the bottle anymore than we are doing away with nuclear technology or anything else. i would suggest that those venture capitalists that actually develop the technology would be is -- >> thank you. mr. crawford? >> thank you. >> mr. huntley, i was wondering if you could tell me how google

is alerted to zero day vulnerabilities? mr. huntley: we have a range of ways. one of our major projects is safe browsing where we try and discover all forms of activity on the web. you may have seen trying to visit a site that puts up a big red warning. we have put a lot of investment in understanding what is on the internet. that is one of our primary purposes in how we build a search engine. one of the things it we do is look across the entire internet. occasionally we find the needles of these exploits. that is one way we find it, we also have reports and details coming from our protections in android and we are able to get information and reports, sometimes by users, then our

researchers are able to determine if it is an exploit. >> how many come from your own capability versus tips that are provided? >> it is hard to draw a hard line because this is very much a team sport. i would say 30 over the last 10 years we have been credited for directly and we only take credit if we discover them. >> do you receive tips from other tech companies? government entities? >> certainly. in this case, we were the ones on the -- exploit. we provide information back and forth. we provide information to apple. this is an area where we are collaborating closely because we have a common enemy. >> if the u.s. intelligence community, with its considerable capabilities, identified them

being used by problem actors, and submitted them to big tech, you could burn their house down. >> that brings up the next question, how would you create information sharing between the industry and the government regarding known vulnerabilities? >> i would say the channels are there to pass the information. the biggest place for this you might want to look is actually about the release of information and how we make those balances we have this complex process that the u.s. is an offensive cyber actor in their own right and have to make decisions about when to keep capabilities and when to report them. i would encourage we do that thoughtfully and in a way that takes into account the real risks of having exploits out there. one of the things we can -- to make sure there is pressure on the intelligence community.

>> do you have recommendations? >> not specifically. the process is relatively nontransparent. it is hard to determine how those decisions are very big. >> -- >> the full representation -- that it is not just the people there doing decisions, but the people who have a full understanding of the cost, potentially. there can be real costs. some related effort we talked on last year's we actually discovered the north korean government targeting -- two providers that work for western governments. we know the people that are targeting and creating these exploits are also being targeted themselves. >> let me shift gears. this is not tech related, i am just curious.

your father is a belgian citizen, permanent resident in the united states. has he made an application for citizenship in the u.s.? >> i believe he had started. >> when did he start? >> 2020, the beginning of 20. >> the basically the same year he was abducted? >> yes. >> do you think that was a contributing factor? prior him to becoming a citizen? >> that is a possibility. we know that for many years they had targeted him and attempted to assassinate him and the kidnapping was an >> i yield back. >> mr. carson. thank you chairman. ms. kanimba, -- in america.

you know, we at least try to walk the line, the fine line between providing for the security and safety of our citizens, but not impeding on anyone's first amendment right. but what is your perspective, ma'am, on the monitoring of domestic terrorists intent on on harming us versus those like yourself who are fighting for human rights? >> i'm sorry, could you repeat the question? >> what is your perspective on tracking domestic terrorist intent on causing harm to people in the traditional context, versus those like yourself who

are fighting for basic human right? >> my story has just my experience has been about of course standing up for the human rights of my father. i am not an expert in policy, i am an expert in in what has happened to my father. in following it, what i know is that americans need to feel safe, we need to feel safe in our country, we need to feel safe when we travel and the spyware is like the pegasus -- the pegasus spyware is not something that the rwandan government, and oppressive regime cannot get their hands on this software. and use it against us. however, in terms of how to monitor security in the united states, i wouldn't be able to to provide advice on this. >> well, thank you mr wilton,

what is your perspective sir, on other nations using pegasus to monitor u-s citizens at home and abroad. >> thank you for your question. mr carson, when confronted with abuses, the mercenary spyware industry typically has a message. click -- and as we've discussed today, the crime and terror narrative amidst the fact that a significant proportion of the use that we see of mercenary. spyware is state on state espionage, government's targeting other governments. and of course, the united states has been one of those targets. >> mr. molen. >> thank you, mr chairman, mr

huntley, you might have answered this question already, but maybe i was just over here doodling on a piece of paper and i didn't understand it. but what size is google's threat analysis group tag? so we are -- >> so we are just one small part of people who, just over 50 people, but we are like a very small part that actually is supported by many thousands of people across the company that are working on security and security issues. we are there to sort of like identify and provide some deep expertise on these threats. but also as i mentioned, work very closely with project zero chrome security, android security. the people securing our own systems, safe browsing. so, the overall effort on security that actually in some ways contributes to this is very huge. >> so it's a team effort. but the serious issues come to you, to the group of 50. >> my team is specifically focused on gaining that understanding of adversaries were the people, who are you know, built to be the experts on the threat actors and able to

provide that information about the threat actors, and what exhaustion -- what exactly they are doing. the biggest outcomes of that is so we can actually use that to defend our products, make our products more secure and actually make changes across the ecosystem. >> so when did tag get stood up? >> so my team was formed in 2010, 12 years ago and i was there at the founding it actually sprung out of google being targeted by china, an incident called the aurora incident in 2009 and at that time google was quite forward leaning and deciding that it really needed to have a professional team working on this fully dedicated and then the team was founded then. >> do you know about the amount of resources that google puts towards this? >> it's difficult to add up, but it's not cheap, there are lots of resources.

>> google is putting capital into going after this. >> absolutely. and we see that like keeping users safe is like a key part of not just the moral implications which are very clear by the , testimony today, but also the commercial implications of like the tech industry and our society and the economy in general has to rely on a secure system. >> does does google have a policy in place to alert customers or others. -- others? and how do you go about that? >> yeah. actually we just hit the 10 year anniversary of a program that i developed that we set a policy 10 years ago that whenever we detect a user base being targeted by a government backed threat, whether it was successful or not, we provide a prominent warning that they have a target of government backed threats and we actually provide them specific security advice. we want to make sure that we never in the position where we know that the user is being targeted by a government threat and that user doesn't. so we believe we have a moral imperative to tell those users . >> i have an observation about

those notifications. they are great for us as researchers because when they land on people's phones they know something has happened. they need to take some action. but i believe that the industry still must do more. one challenge with those notifications is that users are typically not provided with any information about who did it. how, or when. i understand the industry faces many challenges around disclosing some of their sensitive methods for identifying threat actors. but unfortunately i think there's more that can happen with the notification so that victims know who to look to for , who is responsible and to hold people accountable for it. >> so earlier in your in your testimony, you had said that you identified targets vulnerable individuals and then you alert them. how do you do that? how do you know which ones are the most vulnerable and then how do you how do you know i'm talking, i'm sorry, it's

relative. >> one of the ways we identify potential targets is the same way that the governments to target them do who's in the press criticizing them. and sure enough, if you talk to those people, there's a good chance they get targeted. there's a good chance that high profile dissidents and human rights defenders, especially in repressive regimes get targeted. but sometimes we're in a position to work with large sets of targeting information that happened in 2019, when whatsapp asked us to help understand an attack against their users. and that's how we saw a full set of targeting, including a lot of government on government targeting. >> mr huntley. >> from our perspective, like we just we have the have the advantage of the visibility of our scale, we're able to see some of the times the large scale operations of these actors again start users. then we're able to put the pieces together and were able to sort of expand out and understand the scope of what these actors are doing and then we have a team dedicated to this and every single use against the warning. >> thank you, mr chairman, i

yield back thank you. >> and just some members know we're in the middle of the first vote and we'll go up until we think we need to recess and then will come back. >> thank you. mr chairman, thank you all for your testimony. mr your testimony was riveting and we need to take action to get your father out of prison and i would concur with mr. himes. i think recalling the funds of foreign aid would be a good step in that direction. you are a uterus -- you are a u.s. citizen, correct? and yet you were in fact spied on an nso says that they do not spy on us citizens. mr. scott, in the course of your research, have you identified additional american citizens or u-s government officials infected by pegasus or another company. spyware. >> in the course of our research we have identified the targeting of other u-s citizens. >> can you name them please?

>> the citizens who are targeted in some cases i'm not able to do , that because we have a responsibility of confidentiality. but i would be more than happy to provide a list of public reporting of the many us citizens who've been targeted over the years. it goes back to americans working in nonprofits in mexico supporting local groups. two people working on electoral consulting in places like panama right up until the present. >> how about public officials? >> i am not in a position to talk about other american public officials, but i will highlight with a big underline under one other category which is american journalists regularly get targeted with pegasus ben -- pegasus. ben hubbard a good example. he was targeted not once but two separate times and in fact the second time he was targeted, it was after the fact of his targeting had been publicly reported. >> and jamal khashoggi was targeted? >> click -- >> jamal khashoggi

was targeted as well. and his fiancee were targeted with pegasus spyware. this is not uncommon to see targeting around a person in the case of jamal specifically we don't have access to a device in order to do that analysis. >> should the list made public to these companies? >> i see no reason why not to make this public. i think the drawing attention where we can to who we consider these threats are. i think as mr. scott spoke about, a lot of message and i think it is about incentives as well. and i think one of the incentives that you know, i've been pushing when i've been speaking externally is also on the talent as well. i want to make it so that you know, people think twice before accepting jobs with them or without putting their careers or their reputation and working with these companies if you're a -- with these companies. if you're a talented security researcher like i want to make it so you really think twice before accepting a job with someone like nso and you do something more productive with your life.

>> do you believe the nso s public claims that it does not have access to any of the data that its customers gather with pegasus. >> i would be struggling to find direct evidence but you know, tangentially, i find that difficult to believe. there's also seems from my perspective from the outside, it seems that there are sort of conflicting claims as well. they're both seem to be making strong claims about how they're controlling the use of their technology but also having no visibility of how the technology is used and i can't understand how you can make both claims at the same time. they are either handing full control over to their end users in which they are making the decisions on them and they do not have any visibility or they are actually enforcing strong controls. i don't see how they can be doing both. >> what can companies like google do to protect users from these threats? >> the biggest things we can do at the moment, is to build secure platforms. we are working tirelessly to make android chrome all our

other products more secure. so it is harder for these companies to target them. we build protections into the android operating system, google play protect. we were making it more difficult for them to operate and then a very small part of the work as a team my team does of trying to understand everything possible we can do about the specific threats and then taking them on individually to deny them the use of vulnerabilities malware and to actually build specific protections against their actual technology. >> can you build a way that the average consumer can go to a website and determine whether their phone is being spied on? >> i think it's a very difficult task and i think it's it's very hard to do in a comprehensive way because as soon as you make it super public way like that then we know that the nso people , will be testing against as well. so we always we're not claiming we actually have perfect understanding as well. so at the moment some of these , we can produce some scanning. we deploy some of it at scale

too. if we were able to detect it on every phone and in some cases we can we don't wait to create a website or make it so the user has to do something. we push these protections into the protections on the phone such as android play protect >> yes. mr. scott? pegasus like other viruses has a different feature than going after. for example trying to find a bacteria and infectious disease which is it can read the papers and when companies produce tools to detect pegasus. the first thing that happens is those companies engineer their products to avoid them. and this is part of why it is so hard for the antivirus industry model for example to find this stuff and why it really requires serious government action. >> thank you. my time is expired. >> mr. gallagher. >> thank you all for being here and discussing this important topic. when we talk about commercial spyware, i think we need to broaden the aperture to also include software like wechat , tiktok and other chinese apps where we have increasingly compelling evidence that the chinese communist party is collecting or censoring information. it's also worth bearing mentioned that through its

digital silk road in particular the ccp is exporting surveillance technologies through proxies like huawei zte -- hick vision, just to name a few. and the goal is to create client authoritarian leaders who owe much of their ability to monitor and oppress their populations to the chinese communist party and its technologies. i know that citizen lab has done a lot of great work on wechat in particular. there was a recent report on wechat where you found that quote, wechat communications are conducted entirely among non china registered accounts. are subject to content surveillance. and in fact can contribute to further oppression in china. i understand this was not yours but one of your colleagues reports but i was hoping you could speak a bit more about the threat as you see it posed by software such as web chats? -- such as we chat? >> well, thank you for that

question. i would say the take home discovery there is that we found that users of non chinese versions of wechat, their communications with each other were mind to train the censorship system used against chinese users. so people in democracies having their communications mind for -- mined for censorship back home and the increase of authoritarian activity there. thank you. >> additionally, the report again, i recognize it's not one that you authored but you're well acquainted with it uh -- with it. it concluded that future work is required to understand that this behavior is unique to tencent or if it is common for internationally operating chinese social media companies to use communications among their non chinese users to implement chinese political censorship was related to the point you just made. so i assume you agree that this is an area that bears further examination talking more about the role that chinese software, particularly apps like tiktok

could play and contributing to ccp surveillance or influence globally as you said, mr -- contributing to ccp. >> as you said, mr gallagher, not really my area, but in general, i agree this topic deserves much scrutiny. >> could you talk a bit about actually maybe a question for mr huntley talk a bit about how the threat analysis group approaches chinese software, apps like tiktok or wechat for example, do you conduct any sort of vulnerability analysis surrounding these type of apps? does your feedback play a role in terms of which apps might be available for download? for example, in the android store. >> thanks the question congressman. so you know, we, we certainly have like one of our goals is to actually look at security across the board, both for our users, which we have like our, you know, corporate users of like of over 100,000 and also for the internet at large. we have multiple programs to actually look for vulnerabilities in software and project zero is actually like i -- like, i think, a leading effort where they actually don't just look at our own products but actually look at products

across the board looking for vulnerabilities and you know, published research on many, many different areas and those would be in scope to examine as well. and also we have try and maintain, we maintain strong restrictions on sort of like what software can go into the play store and if like vulnerabilities or, things operating outside privacy guidelines, then they are subject to removal. >> do you think tiktok is a threat? >> i certainly don't use it, but i'm not outside the targeting demographic but uh, you need to answer that one. i think it is worth examining. i think it's, i think it's my place to speak on speak on you know competitor in this place. but i think it is you raise points that is worth very much examining under what rule of law they are operating well. -- operating. well, -- >> well i think the evidence is , mounting to suggest that it is as well as what we know about the company that owns tiktok, i

believe tiktok is the most popular social media app in the united states right now. so in a very real sense when we look at the chinese communist party's strategy, it's been one not only of military intimidation in the south china sea or economic coercion against taiwan or other countries that recognize taiwan, but a a united -- a united front strategy aimed against one million of americans. intentional or not, addicting americans to cheap chinese goods. that money from china. addicting americans to fentanyl with precursors met -- made in china and addicting america's kids to an incredibly addictive social media app that is not good for them. it's destroying their brains. i hate to sound like the old buzzkill in the room. i used to be like the youngest member of congress, but exactly used to be a young buzzkill. yeah, that's right. that will go on my gravestone. but my time is expired.

thank you, mr. chairman. >> i hate to cut you off on that note. mr. castro, and i think we'll see how many -- are get to vote. we still have 320 hopefully we'll get to mr maloney as well before we were sure, thank you. >> chairman, thank you. chairman schiff for holding this important hearing and also to our witnesses for your testimony. ms kanimba, your father paul rusesabagina is a resident of san antonio and a constituent of mine and for two years my staff and i have worked with you and your family to secure his release from prison in rwanda. this month, the house of representatives passed a bipartisan resolution condemning his arrest and calling for his release on humanitarian grounds. i raise this because nso group claims that spyware cannot be used against americans and you said earlier very clearly that you are an american citizen. your experience is clear evidence that this is simply not true. as does the experience of u-s diplomats in uganda and other locations who had their phones hacked with nso spyware. and you mentioned in your opening statement that that

belgian intelligence among others, confirm that your phone was compromised. and the forensic evidence that you submitted for the record indicates that your phone was accessed numerous times on and before april 2021. that that timeline matches up with the specific email communications between my staff and you regarding what actions i and other members of congress were taking to raise your father's imprisonment with the rwandan government, the fbi and this committee. we've seen the reports that this software was used against us. -- u.s. state department employees, also in uganda. it's clearly being used against human rights and civil society activists such as yourself in -- such as yourself. and your testimony today, raises the prospect that communications between congress, you and your lawyers may have also been wrongfully accessed by the entity that targeted you with pegasus. and after news about practices -- after the news about pegasus

broke, i worked with my colleagues including rep malinowski to urge the commerce department to put the nso group on the entity list, which would block them from doing business with the united states. in response to our inquiry. the commerce department did just that in november of 2021. it's essential that the nso nso -- that the nso group remain on the entity list given their role in enabling surveillance of us citizens. and miss kanimba, the uso group claims that their software was sold to countries like rwanda for law enforcement purposes, given the kagami regime's abysmal record on human rights and the rule of law. do you think the nso group could seriously have believed that the rwandan government wouldn't abuse this software? or is it just a convenient excuse ? >> thank you, very much congressman. and thank you, so much for all the work that you have done with

our family to help save our father's life. i believe that the nso group must not be telling the truth about rwanda and its use of some of the software. rwanda is reported as having uh many reports have been written about rwanda's human rights abuses by the united states, by the human rights, by human rights organizations and by many people across the world, including victims like ourselves. and so it is a known fact that the rwandan government perpetrates these abuses internationally. and most recently the freedom house released a report on transnational repression, the detailing how the rwandan government perpetrates transnational repression on u.s. soil. so i believe that nso group must know this. >> thank you. mr. scott, i want to ask you about the host nation's, what are the leading host nations for spyware companies? >> thank you for your question and for your continued focus on this critical issue. it's an interesting thing that over the last decade we've seen the centers of gravity move in

the spyware world. a decade ago, we were looking at companies with names like hacking team based in italy fin fisher germany, the u. k. and more today. -- and more. today, one area that many have heard about is israel, which has a vibrant tech sector and has become a market leader in many interesting areas of technology, including spyware. another, which many are less familiar with, but which plays an outsized role in providing safe havens for problematic companies is cyprus through which many concerning transactions and pieces of spyware pass. in both cases, and more, bulgaria would be another citrix, macedonia. these are countries that could do a lot more to rein in their industry. >> i was going to ask, what are

the country's doing, what what are any of the countries doing to combat this. >> well, let's take cyprus. i don't think they're doing very much frankly. and it strikes me as an area where uh serious diplomatic efforts would be extremely helpful when it comes to israel, they have an export control authority that authority has authorized many of the sales that have led to these problematic cases. and so i think they're too there's an opportunity for diplomatic engagement and pressure. >> thank you. >> thank you. >> thank you. mr chairman. and i'll try to be brief since we we are under time pressure on the vote. but and i wanna add my my thanks -- i want to add my thanks and admiration -- for miss kanimba, your story is extraordinary and we're all proud of you and uh

-- and i want to ask you what actions if any the us government is not taking, you'd like it to take. >> so i just want my father home. i hope the u-s government will do everything possible to bring him home before it's too late. >> fair enough to our other witnesses. thanks for your work, obviously i assume you're supportive of the provisions in the i a that would try to get at this problem. and some of the information around it. but if you were writing the law and you could you could you could past any provision you wanted, what would you have the us government do beyond what's in the ia? >> well, i don't write laws and i'm not a lawyer. but what i will say is one area that seems to me to be critical is encouraging the intelligence community to identify and disrupt the activities of these companies. that seems like a real opportunity. another area that is critical right now, doing business with the federal government, getting

acquired by a u.s. company or even doing business with an american police department is the golden prize for many in the spyware industry. as long as that remains as a possibility for problematic actors, they're going to get support from investors because that is the prize. if we can chill that, if we can make it clear that the door closes, then we can accomplish a lot. so i would encourage congress to look at all of those issues as ways to engage. >> and wouldn't the foreign market be large enough even among all those companies, why would that chill their business model? >> this is a very interesting question. one of the interesting features of the spyware industry that we've learned from public reporting is that companies like nso tend to soak their golf clients, charging them hundreds of millions while charging european countries tens of millions of that. -- soak their golf clients, -- soak their gulf clients, charging them hundreds of millions while charging european countries tens of millions of

that. according to public reporting, presumably it is in the business interests of many of these companies to try to have their cake and eat it too to get business in the united states to get business in europe and to continue the money flow from problematic actors that us business legitimizes what they're doing and it's something that they can take to investors to say look the u-s government is not going to be on our back. we're working with them, we're selling to american police departments. if you can cut that possibility off, i think you can have tremendous impact. >> are you aware of any contracts of that kind? we know -- >> we know that the fbi acquired beyond the fbi case which i know it's been well documented. >> what about anybody else? >> know that nso group has made extensive efforts to sell to us police departments, but i'm not aware of any other contracts at this time. >> any evidence that these tools being used in the conflict in ukraine? >> none that i'm aware of. no, no congressman. >> all right, well thank you very much and he'll back mister -- thank you, very much. >> i want to thank our distinguished panel of witnesses for appearing before the committee today. the implications of what you've shared are profoundly troubling

for national security and for free and democratic societies around the world. your testimony only reinforces our strong conviction that the united states and other like minded countries must act in concert and with a greater sense of urgency to stop the spread of foreign spyware and before that window to act closes, numerous organizations have contacted the committee regarding the topic of foreign commercial spyware, including underscoring the relevance of our ongoing oversight. one company, microsoft, was unable to send a representative to testify today but submitted written statement for the record. i ask unanimous consent for microsoft statement to be added to the record. with that, i want to thank you once again for your testimony , and the committee stands adjourned.

[indiscernible conversations]

♪ >> c-span's washington journal, every day we take your calls live on the air about the days news and discuss policy decisions that impact you. susan milligan and fox news national political reporter speak on campaign 2022. and then mr. daley is on to speak on china's retaliation during speaker pelosi's taiwan visit. watch washington journal live sunday, or on our free mobile

app. join the conversation with your phone calls, facebook comments, text messages and tweets. >> over the past few months, the january 6 committee held a series of hearings regarding the findings of recent investigation. never before seen footage, depositions, on monday, caroline edwards who was knocked unconscious during the first breach of the capitol grounds shared her story along with nick fuentes. watch it anytime on demand at c-span.org. ♪ >> c-span now is a free mobile

app featuring your unfiltered view of what is happening in washington, live and in -- and on demand. keep up with white house events, courts, campaigns and more from the world of politics, all i your fingertips. you can also stay current with the latest episodes of washington journal. you can also keep up with c-span's tv network and radio. c-span now is available at the apple store and google play. download it for free. to be -- c-span now, your front row to washington anytime anywhere. >> c-span is your unfiltered view of government supported by these television companies and more including -- broadband. ♪

>> buckeye broadband support c-span along with these other television providers, giving you a front row seat to democracy. >> next, president biden signing the pack to act into law. it provides for veterans exposed to toxic exposure. it will provide a pathway to disability benefits. [indiscernible conversations]