Israel tightens cyber exports

The Ministry of Defense, which oversees the export of all offensive cyber tools, announced it has toughened export restrictions after alleged misuse of Israeli spyware.

By Erin Viner

The Defense Export Controls Agency (DECA) of the Israel Ministry of Defense (IMoD) published an updated version of the “End User Declaration,” which must be signed by any state interested in acquiring a cyber or intelligence system as a condition for applying for an export license.

The updated user declaration was “formulated by the Ministries of Defense and Foreign Affairs, as part of the State of Israel’s update of its export control policy with regard to cyber systems,” said a statement obtained by TV7 from the IMoD Spokesperson.

While the statement underscored that the latest version of the User Declaration is “part of a series of measures taken in the last several years regarding cyber export controls,” the move comes in the wake of allegations that Israel’s Candiru and the NSO Group sold hacking tools to authoritarian regimes.  The United States added both technologic firms to its Entity List for Malicious Cyber Activities last month, based on what the State Department said was “a determination that they developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.”

Israel’s classification of the NSO’s Pegasus software as a weapon mandates government approval of all exports. The Herzliya-based company denied accusations of wrongdoing, maintaining that the reports were “full of wrong assumptions and uncorroborated theories.”

The IMoD announcement underscored that “As part of the controls mechanism, Israel approves the export of cyber systems solely to governments for the purposes of investigation and prevention of terrorism and crime.. “in accordance with the Munitions Export Control Order, which is based on the Wassenaar Arrangement.”

The updated declaration includes clarified definitions of terrorism, stipulating that it is “committed with the aim of seriously intimidating a population and may cause death, injury, taking hostages or additional intentional acts.” The full text also states circumstances under which the use of Israeli cyber systems is prohibited, and explicitly specifics possible sanctions in the event of non-compliance with the obligations set forth in the declaration.

Israeli Prime Minister Bennett reportedly discussed reports that French President Emmanuel Macron had been targeted by Pegasus during the two leaders first meeting in early November on the sidelines of the 26th United Nations Climate Change Conference of the Parties (COP26). They agreed to handle the alleged misuse of spyware “discreetly and professionally, and with the spirit of transparency between the two sides,” said an Israeli official speaking to Reuters on condition of anonymity.