Good morning and welcome. The committee will come to order. Without objection, the chair may declare a recess at any time. This session will be conducted entirely on an unclassified basis. Participants are reminded to refrain from discussing classified National Ready information protected from public disclosure. We convene a public hearing on the acute and rapidly evolving threat posed by foreign commercial spyware. Reports have shined a bright light sold on the open market. These tools provide zero-click access to all the information stored on a mobile phone, laptop, or other internet-connected device. Emails, photographs, messages sent by encrypted app, literally nothing is out of reach. Every employee of the executive branch, every journalist or political activist, every American citizen. Every citizen of the world with an electronic device. Aside from updating, there is little you can do to protect yourself from being targeted and compromised. The availability of these tools in the hands of governments that previously lacked robust surveillance capabilities is truly a game changer for U.S. national security, which makes it an issue of particular concern to this committee. It is also a game changer for autocratic means that look to surveil, intimidate, imprison, or kill dissidents and others they view as a threat. A group of news organizations and researchers acting under the banner of the Pegasus Project sounded a public alarm about the potential for these hacking tools to be abused. Elite list of 50,000 phone numbers. Since that disclosure, reports have unveiled that many others have had their devices compromised. One such individual is here with us today. She will share the consequences of being targeted with spyware and what that has meant for her family. Her experience should serve as a stark warning of the future that awaits us if countries in the private sector do not band together to rein in foreign spyware companies.
But the threat is not limited to people only like her, it is also a threat to move millions of Americans and others around the world. Last year, news organizations reported that mobile phones used by U.S. diplomats in Uganda had been compromised by the Pegasus tool. It is my belief we are looking at the tip of the iceberg and other U.S. government personnel had devices compromised either by a nation-state using the services or tools offered by one of its lesser known or known about equally potent competitors. The Biden administration has recognized the national security threat posed by commercial spyware and has taken action. The Commerce Department added four companies, including NSO Group, to its entity list, which blocked them from accessing this technology. The Commerce Department stated this action was based on evidence that these entities developed and supplied spyware to foreign governments and these companies' activities were contrary to the national security or foreign policy interest of the United States. These listings have not deterred NSO or other spyware companies from selling tools to countries that could otherwise never develop such sophisticated surveillance capabilities indigenously. Additional action is needed. The Intelligence Authorization Act voted out of committee last week provides the Director of National Intelligence and president with additional tools to rein in spyware companies and to ensure that foreign governments that target American officials pay a heavy price. Among the measures are sweeping new measures for the DNI to prohibit the intelligence community from acquiring and using foreign spyware. The legislation authorizes the DNI to block contracts with companies that acquire foreign spyware tools. We granted the president new authority to sanction foreign spyware companies, their executives and foreign government officials who target American officials with spyware.
The nature of these tools makes them exceptionally hard to track and combat, and that is why the United States needs to put a greater on this threat. With the intelligence community playing a critical role. I look forward to the testimony to assist this committee in making sure we respond to this threat with urgency. I recognize Ranking Member Turner for his statement.

Rep. Turner: I want to thank all of the witnesses today. Today, we will hear about the threats associated with foreign commercial spyware technology and how it has been used to target journalists, protesters, advocates and others, including U.S. citizens. Spyware is not a threat. However, the foreign spyware is focused on the ability of nation-states and others to purchase a complete surveillance apparatus that they may abuse to target opponents and dissidents. It is commonplace to hear about this when talking about China, North Korea or Iran, but more shocking to read about abuses of this technology from democratic governments, even those we consider allies. There are growing counterintelligence concerns with regard to the targeting of U.S. citizens. Addressing these threats must involve a mix of government and industry action. The White House has indicated plans to release an executive order further placing limits on this technology. This committee has passed legislation to increase intelligence community collection on this threat. The private sector must also do more to detect these threats, address vulnerabilities in technology, and provide users with the tools to keep data secure. This is true whether the threat is coming from a criminal actor or from a nation-state. I look forward to hearing from the witnesses about the impact of foreign commercial spyware and what more can be done to mitigate the threat. I yield to the balance of my time.

Rep. Schiff: We will proceed with brief opening statements. Mr.
Huntley leads Google's Threat Analysis Group, Ms. Kanimba who has been targeted by spyware. Mr. Scott-Railton, you are recognized for your opening remarks.

Mr. Scott-Railton: Thank you for the opportunity to testify this morning and for your continuing efforts to address the problem of mercenary spyware. I am a senior researcher at the Citizen Lab. In the past decade, a new tier of operators has emerged. This is pay-to-play government supplied by mercenary spyware companies. Google tracks over 30 such vendors. There may be hundreds of those government customers around the world, but the scale of the user base is unknown. All the big players in the industry claim to only sell to governments, their actions suggest comfort with blurred lines. Slide, please. Here is a privately owned heavy machinery warehouse in a dusty section of Ghana. A Pegasus system was installed here to monitor the opposition in the run-up to the presidential election. The spyware industry is getting ready to spread more advanced capabilities. Take the zero-click exploits being incorporated. Zero-click means that the victim doesn't have to click, open a file or perform any action to be infected. This is not about sitting at a cafe and connecting to an unsecured Wi-Fi. Your bed could be on your bedside table. One minute, your phone is clean. The second, your data is streaming to an adversary. Google's Project Zero calls this technology one of the most technically sophisticated exploits they've ever seen and said those were capabilities available only to a handful of nation-states. Here is what mercenary spyware can do. It can access your texts and phone calls. It can access your encrypted chats, pictures, voice notes. Anything you can do on your phone, Pegasus can do, and some things you can't, like silently enabling your microphone or camera or getting access to our cloud accounts. It is clear the United States government is not immune. At least 11 U.S.
officials were targeted with Pegasus in Uganda last year. This remained undetected until Apple contacted and made this discovery while investigating a zero-click exploit we shared. Mercenary spyware industry has a track record of hacking U.S. officials. For example, nearly a decade ago in a case that has gotten little attention, U.S. diplomats in Panama were infected with mercenary spyware. Some of America's closest allies like the United Kingdom have been targeted. In fact we found evidence of an infection within the networks of the office of the prime minister. I believe these cases are the tip of the iceberg, and there are many more yet to be discovered. Recently the Biden administration the threat to America's national security and foreign policy when it added several vendors to the entity list. This was progress. When the administration announced the designation, there have been an avalanche of abuses that are contrary to democratic values. We confirmed Pegasus infections of activists and lawmakers in Thailand. Before that, journalists in El Salvador, Polish lawmakers targeted during elections, Christian religious leaders in Africa. Yesterday, we learned that when the deployment in Ghana was taken down, Pegasus servers were hidden at a private location and were found during a police raid. Today, Microsoft announced they disrupted a mercenary spyware actor that sells to private pears. In Mexico, we also see a nexus between cartel killings and spyware. That only scratches the surface. Unfortunately, we cannot trust the vendors to protect their capabilities either. One NSO Group employee stole source code for personal gain. Another used the technology to target a love interest. It has taken us too long to have the conversation, but I'm glad to have it. We must make sure it moves at the pace of proliferation. It is too late to put the tech into the bottle, so we must pump the brakes on proliferation to protect national security and human rights.
Financial investments, including from pension funds in the United States, have supercharged this problem. When the United States government added NSO Group and another vendor to the entity list, this sent a strong signal, which was powerful, and it impacted both NSO Group's evaluation and investor confidence. Congress should send the signal to all accountable players within the industry. Congress should direct the intelligence community to identify and use all tools at their disposal to counter and disrupt problem companies. Problem companies should be barred from business with federal entities, and American companies should be blocked from acquiring them. The U.S. must also expand the tools available to hold problem companies and their officers and executives and owners accountable and work to coordinate these activities with allies. Finally, the U.S. should apply diplomatic pressure to countries that have become safe havens for these companies. I thank you for your time.

Rep. Schiff: Thank you very much, Mr. Huntley. Mr. Huntley.

Mr. Huntley: Esteemed members of the committee, my name is Shane Huntley, and I am the director of Google's Threat Analysis Group. TAG is the team within Google whose mission it is to analyze and disrupt serious and targeted threats against Google's users. This includes government-backed actors, serious cybercrime, and disinformation threat actors. TAG is one part of Google's latest investment in making the internet more secure. We work with many other teams, including Android and Chrome security, and we work across the industry, civil society and with governments to keep users safe. Thank you for inviting me to appear before you. I appreciate the opportunity to explain how the commercial spyware industry is thriving, creating risk to Americans and users across the globe.
The business model of commercial spyware is to make money by providing comprehensive and sophisticated cyber espionage capability to foreign governments, including the exploits to gain control of the device and the software itself, which can collect information. What we have observed in TAG is consistent with other reporting that again and again, these tools are found to be used by governments for purposes antithetical to democratic governments, targeting journalists, human rights workers and politicians. We've been working for years to counter the threat and mitigate the damage. In 2017, Google's Android was the first mobile platform to warn users about Pegasus spyware. At the time, our Android team released research about a targeted attack against a small number of Android users. We implemented controls across all of Android to ensure further users were not infected by this. Later in 2019, we were able to fix a vulnerability that was discovered by finding some leaked marketing information from NSO. In 2021, our team published research about the novel techniques used by NSO Group to compromise iMessage users. This was a zero-click exploit, meaning iPhone users could be compromised by receiving a malicious iMessage text without needing to click on a link. NSO is certainly not the only actor in this space. TAG is actively tracking more than 30 vendors with various levels of sophistication of public exposure. We have publicly taken action to discover and counter exploits, and countering these threat actors is becoming a bigger part of our work. In 2021, my team discovered 90 day vulnerabilities being used in the wild, and seven were developed by commercial surveillance vendors. This is threatening our digital society and national security. We also have worked to develop and deploy industry-leading security features to protect our users, which is detailed in my written testimony.
This includes programs targeted for high-risk users, such as our Advanced Protection Program, and Project Shield. We appreciate the committee's focus on this issue, and we recommend the intelligence community prioritize identifying and countering threats from foreign commercial surveillance vendors. We believe it is time that government, industry and civil society should come together to change the incentive structure that has a lot of these technologies to spread in secret. We welcome the sanctions against NSO Group, and we recommend the government consider further sanctions to limit vendors' ability to receive U.S. funding. We urge the United States to lead a diplomatic effort to work with other countries that harbor these problematic vendors. We need to build support for measures that limit harms from this capability. While we fight these threats on a technical level, these providers will operate openly in undemocratic countries. Thank you for convening this hearing. Google is committed to disrupting the threats posed by these commercial spyware vendors. I look forward to answering the committee's questions.

Rep. Schiff: Thank. Ms. Kanimba.

Ms. Kanimba: Mr. Chairman, Ranking Member, members of the community, thank you for allowing me to come today. My name is Carine Kanimba. I am an American citizen. The U.S. welcomed my family when its hot security, and we found it within its borders. I am a proud graduate of Northwestern, and until two years ago, I was working at a job I loved in finance based out of New York City. In August of 2020, everything changed. Nearly 700 days ago, my father was lured from my family home in San Antonio, Texas by an intelligence operation directed by the Rwandan government. He was kidnapped in Dubai and illegally rendered by the office of the Rwandan president. He was tortured, subjected to a sham trial, and sentenced to 25 years imprisonment.
The United States government has designated him as wrongfully detained and has backed two resolutions in support of my father and calling for his release. My family is grateful to the House and to Congressman Castro and Congresswoman Kim for leading the effort to adopt the resolution. In 2021, I became the victim of NSO Pegasus spyware. I was born in Rwanda just prior to the 1994 genocide that made me an orphan. My birth parents were among the first victims of nearly one million people killed during the genocide, leaving my sister and I orphans. She is a graduate of Georgetown University in Washington and is here with me today. My father Paul Rusesabagina. He was manager of the hotel inco galley and gave refuge to 1268 people in his hotel, risking his life every single day to push back the militia at side, and not a single person was killed. Once the killing ended, my adopted parents heard that my parents had been killed, and they found us in a refugee camp, raised us and loved us as their own, along with my new brothers and sisters. My mother Tatiana is here with us today. In 2004, the story was portrayed in the film t