India is hunting for new spyware with a lower profile than the controversial Pegasus system blacklisted by the US government, with rival surveillance software makers preparing bids on lucrative deals being offered by Narendra Modi’s government.
Defence and intelligence officials from the South Asian country have decided to acquire spyware from less exposed competitors to the NSO Group, the Israeli makers of Pegasus, according to people familiar with the move, seeking to spend up to $120mn through new spyware contracts.
About a dozen competitors are expected to join the bidding process, according to two people with knowledge of the talks, stepping into the void created by the pressure on NSO from human rights groups and the administration of US President Joe Biden.
India’s move shows how demand for this sophisticated — and largely unregulated — technology remains strong despite growing evidence that governments worldwide have abused spyware by targeting dissidents and critics.
India has never publicly acknowledged being a customer of NSO. However, the company’s malware has been found on the phones of journalists, left-leaning academics and opposition leaders around India, sparking a political crisis. Pegasus can turn phones into surveillance devices and can hoover up encrypted WhatsApp and Signal messages surreptitiously.
Modi government officials have grown concerned about the “PR problem” caused by the ability of human rights groups to forensically trace Pegasus, as well as warnings from Apple and WhatsApp to those who have been targeted, according to two people familiar with the discussions.
These people said these issues have spurred India to look elsewhere for its latest spyware contracts, estimated to start at about $16mn and increasing to as much as $120mn over the next few years.
India’s hunt for new, commercially available spyware comes as the US attempts to clamp down on the shadowy $12bn industry that it believes is an increasing threat to its national security.
The White House issued an executive order earlier this week targeting manufacturers tied to abuses in other countries. The aim is to squeeze those spyware makers out of the US, the world’s most lucrative surveillance market.
“US taxpayer dollars should not support companies that are willing to sell their products to abet human rights violations,” said Biden on Wednesday, adding that commercial spyware had been used to “target dissidents, activists and journalists around the world, including in the United States”.
A US official said Monday’s executive order came after forensic checks showed that at least 50 employees of the US government, which includes non-US citizens working at embassies abroad, in 10 countries had been hacked by spyware.
Those familiar with Indian deliberations said officials were considering Greece-headquartered Intellexa, which has also used veterans of the Israeli military to create a spyware called Predator.
That malware is at the centre of a snooping scandal that has ensnared the Mediterranean country’s spy chief and prime minister. According to Citizen Lab and Facebook, Predator is already operational in countries with a record of human rights abuses, including Egypt, Saudi Arabia, Madagascar and Oman.
People with knowledge of the defence contract said Indian officials have also shown an interest in an array of rivals, many of which had been built by Israeli companies, home to the most advanced spyware companies with strong links to the country’s military.
This includes: Quadream, which two Israeli officials said was approved for a sale to Saudi Arabia after the murder of Washington Post journalist Jamal Khashoggi, and; Cognyte, which was spun out of publicly traded Verint, and had its stock dumped by Norway’s sovereign wealth fund after an investigation by Meta found widespread abuse.
Quadream and Intellexa could not be reached for comment. Cognyte did not respond to a request for comment. India’s ministry of defence declined to comment.
Discussions within the ministry of defence over India’s new spyware contracts were in advanced stages, according to two people with knowledge of the talks. However, it will still take weeks to issue a formal “Request for Proposals”, which kicks off a bidding process that nearly a dozen vendors are expected to enter.
That could attract rival spyware firms that also exist in Australia, Italy, France, Belarus and Cyprus, among other countries. Government agencies in the so-called Five Eyes nations — the US, UK, Canada, Australia and New Zealand — are believed to have similar capabilities, albeit developed by their own intelligence agencies rather than private military contractors.
These companies are seeking to replace NSO, which had previously been considered a pioneer in the field. But the US commerce department blacklisted the company in November 2021, after its spyware was found on the phones of nine US government employees in Uganda. Lawsuits by two of the most powerful tech firms in the world, Apple and WhatsApp owner Facebook, also threaten to expose the firm’s inner workings.
Steven Feldstein, who studied NSO and its successors for the Carnegie Endowment for International Peace, said “As long as the money is there and demand is there, then there will be new players.”
NSO Group said it remained “financially stable, profitable and cash positive” because its contracts with “allies to the US and Israel, particularly in Western Europe continue to grow”.
It added: “attempts to limit NSO from doing business, like placing it on the (Commerce Department) Entity list does not serve the interests of US national security and only create opportunities for malign competitors outside the orbit of the US, such as mercenary hacking firms and spyware coming out of Russia and China”.