Royal Hubris: The Hacking of Jeff Bezos and the Future of Regulating the Cyber Domain

Jeff Bezos and Mohammed bin Salman at a 2016 meeting. Photo Credit: Getty Images.

Mohammed Bin Salman (MBS), the Crown Prince and effective ruler of Saudi Arabia, made a strategic error that could limit his nation’s access to cyber capabilities by spying on the richest person in the United States. While hacking political dissidents and reporters is old hat for the Kingdom, targeting Jeff Bezos may prove a tipping point for Congress, as the news of this phone hack comes on the heels of a Reuters expose revealing how cleared US contractors have been working for foreign governments. The two back-to-back revelations have moved the sale and lease of offensive cyber capabilities into the public spotlight. Congress may choose to regulate a wide scope of offensive cyber capabilities and operational support systems—loosely defined as software or exploits that allow an actor to penetrate a victim’s electronics for the purposes of espionage or sabotage. Congress will find the regulation of such capabilities difficult to articulate without impeding on legitimate businesses and penetration testing kits, as new rules will limit the future careers of former government employees and contractors to prevent the flow of US talent to despotic nations. In response, Saudi Arabia, among other second-tier cyber actors, will be pushed into buying and building cyber capabilities from unsavory third parties outside of the dollar-based trading system and will find that the marketplace offers less satisfactory tools than what was once available.

Congressional inaction following the revelation that NSO Group software was used to target journalists and dissidents is markedly different than the congressional response to targeting politically salient, high-wealth individuals. The Citizen Lab discovered in 2017 that the Israel-based NSO Group was marketing and selling an exploit package that could bypass WhatsApp encryption and retrieve content stored in the cloud. Diligent journalists reported on the exploit package, sold as Pegasus, as early as 2017. The reporting compelled representative Ted Lieu to publish an Op-Ed calling for the incoming administration to issue an executive order that would take actions to guard against its use on US government officials.[i] At the time, the administration did not publicly respond, though that’s not to say nothing was done about the issue in a classified policy directive regarding device security protocols. After the Op-Ed was published, Pegasus seemingly fell by the wayside, as Facebook—the owner of WhatsApp—left the vulnerability unpatched and NSO Group’s sale of Pegasus unchallenged. Joel Simon, the Executive Director of the Committee to Protect Journalists, noted NSO Group’s continuing sale of the exploit in his May 2019 congressional testimony, but despite this, Pegasus and NSO Group did not gain traction in the mainstream news until October 2019.[ii] Facebook sued NSO Group immediately following the widespread reporting about Pegasus’s involvement in the operation that killed Jamal Khashoggi and its use on more than 1,400 victims. Congress deferred any action on the issue to Facebook as members wrestled with impeachment proceedings. Even though a Washington Post journalist was among the known victims, no bills or amendments were offered to respond to the news.

Congress took a different, though incomprehensive approach following the Reuters expose published in December 2019, which detailed how US contractors were providing offensive hacking and surveillance capabilities to the United Arab Emirates’ (UAE) Development, Research, Exploitation, and Analysis Department (DREAD). Former US counterterrorism official Richard Clarke spearheaded Project DREAD, which eventually became known to US officials as Project Raven wherein a group of NSA contractors and Emiratis helped track individuals critical of the monarchy, “Saudi women’s rights activists, diplomats at the UN, and personnel at FIFA.”[iii] The report revealed how cleared US cyber operators were able to work on behalf of the UAE and lawfully maintain their clearances by working at least one hour per week on a US government contract, effectively circumventing clearance regulations. According to a person familiar with the program, contractors working for Project Raven were unclear about the legal authority they were operating under after the company executing the contract changed hands. In the days following the Reuters report, The Economist published a leading article advocating for regulating the sale of cyberweapons and reducing despotic foreign leaders access to cyber operators working on offensive cyber capabilities.[iv] The episode drew policymakers’ attention to a previously ignored feature of the cyber domain and spurred the addition to the NDAA of a section—taken from H.R.3949—that requires the Office of the Director of National Intelligence to publish an annual report about the national security risks posed by “retired and former personnel of the intelligence community.”[v] In media reporting after the passage of the NDAA, Rep. Max Rose attributed the inclusion of his proposal to the then recently published Reuters report.[vi] Though hardly a comprehensive regulatory framework, the inclusion represented Congress’s willingness to consider regulating the issue. 

A confluence of factors may make the revelation that MBS himself was responsible for using Pegasus to hack Jeff Bezos’ cell phone the tipping point which creates a policy window for Congress to pass regulations on the sale of offensive cyber capabilities.[vii] First, MBS isn’t very popular in the U.S., and he is even less popular among congressional leadership.[viii] Making MBS the aggressor that leads to regulation in the industry won’t cause much consternation among voters or stakeholders within the U.S. Second, there are few persons that elected officials want to talk to more than a billionaire with a penchant for getting involved in US politics. In the 2018 election cycle, Bezos contributed more than $10 million to congressional candidates through a Super PAC.[ix] It’s no secret that elected officials need money to run for office, and starting a conversation with Bezos by telling him you’re the elected official who’s going to regulate the proliferation of cyberweapons may prove beneficial. Third, the list of 1,400 Pegasus victims presents an opportunity for an information operation by a state or nonstate actor. The lawsuit by Facebook does not list the 1,400 victims by name, but the definite number of victims means that Facebook knows whose WhatsApp accounts and phones were subjected to the attack. For instance, Jared Kushner is one known White House advisor who has communicated with MBS via WhatsApp.[x] It is likely that of the 1,400 victims, some are human rights activists targeted by states that purchased the Pegasus software to spy on dissidents, and there’s a good chance Pegasus was used on more than just the odd billionaire or a single White House advisor. As was the case of Russian election interference in 2016, a slow drip of important victims’ names to the press could cause a sustained period of bad press for Saudi Arabia and the private cyber capabilities market. Iran, already cut-off from purchasing these technologies from countries that use a dollar-based trading system, has plenty of incentives to find and publish such a list. The possibility of cutting off Saudi Arabia from access to private offensive cyber capabilities may be too valuable a target for Iran to pass up. Congress has an incentive to act on these three reasons, and some members have already begun pushing for more reforms. Following the revelation of the Bezos phone hack, Senator Ron Wyden (D-OR) wrote a letter to NSA Director Nakasone asking, “how confident is the NSA that the Saudi government has not also used the crown prince’s WhatsApp account to hack senior US government officials, such as Jared Kushner?”[xi] Five days after Senator Wyden’s letter, Senator Chris Murphy (D-CT) on January 29 wrote to the ODNI requesting it open an investigation into the hacking of Bezos’ phone.[xii] These inquiries illustrate that momentum is building.

Congress is right to consider passing a law limiting the proliferation of offensive cyber capabilities. If the full list of 1,400 victims were to be revealed, liberal democracies may be appalled by the number of journalists among the victims. The U.S. and other developed nations go to great lengths to ensure the cyber security of their most trusted advisors and highest political leaders to prevent foreign governments from repurposing phones as tools for spying. Congress will find the needle difficult to thread, however. Defining the difference between cyberweapons and other, legitimately-purposed exploit kits will be incredibly tricky, if at all possible, to distinguish. Legislators may find that, as with anti-revolving door policies that limit members of congress and lobbyists from quickly transitioning between jobs, controlling the flow of human capital between the government and private sector companies known to hawk cyber capabilities is an easier way to limit the proliferation of cyber weapons. Indeed, Congress’s decision to require an annual report from the DNI on former IC employees may be a precursor to more significant legislation on the matter. Alternatively, Congress may seek to register companies that sell such exploits and require them to implement know-your-customer requirements, so logs of sales can be audited by law enforcement agencies. If the US can take easy-to-purchase exploits off the table for second-tier cyber actors, or even mitigate their spread, then the government will effectively reduce the number of threats to personal device security for high level politicos. Moreover, top-tier actors targeting US government officials in the cyber domain are likely able to create tailored access capabilities and will continue their operations unabated. New regulations may only reduce the number of threats, though that should not be discounted. Opponents of regulating the private sale of offensive cyber capabilities will argue taking this option off the table for some states will make them more inclined to rise above the level of grey-zone conflict or push them into the black market for cyber capabilities. These detractors are only partially correct. States who wish to purchase offensive cyber capabilities to use against adversaries will find the marketplace lacking; tailored cyberweapons are time and labor intensive. Moreover, the targeted nature of cyber espionage means that effective and difficult-to-attribute cyber operations require infrastructure and operational support beyond that which companies like NSO Group provide. The marketplace doesn’t support a business model built around tailored access solutions, thereby limiting less-capable states’ ability to attack other nations. As the list of victims will likely show, it will be defenders of human rights and journalists—everyday citizens—who benefit the most from the regulation of cyberweapons.

*This article was corrected on 4-3-2020. An earlier version referred to MBS as Salman, his father.