Skip to main content

Pegasus spyware: UK PM urged to cut taxpayer funding for Gulf allies linked to scandal

In wake of Pegasus hacking, supporting Gulf countries with cyber security aid may 'pose a serious threat to our national security', MPs tell Boris Johnson
The then-Saudi Foreign Minister Adel al-Jubeir with Boris Johnson in Jeddah, in January 2018 (AFP)

The UK government should cut off Saudi Arabia, the United Arab Emirates (UAE) and Bahrain from a multimillion pound, taxpayer-funded programme in the wake of the Pegasus spyware scandal, MPs have told Prime Minister Boris Johnson.

Along with supporting Saudi Arabia's Vision 2030, the Gulf Strategy Fund is set this year to provide a UK cyber ambassador who will help the Gulf allies - accused of hacking British citizens - to defend themselves from cyber security attacks.  

'Like nothing happened': Protesters slam NSO Group's presence at UK-backed fair
Read More »

The MPs, led by Liberal Democrat Foreign Affairs and International Development spokesperson Layla Moran, argue that while the government says the fund provides the UK with trade and national security benefits, the alleged hacking of British citizens by Gulf countries with Pegasus proves otherwise.

They called on Johnson to suspend the programme - which they say has already provided up to £53.4m to six Gulf countries - pending a review into its implications for human rights.

"The cyberattacks referenced above appear to show a blatant disregard by these GCC states for both UK and international law," they wrote.

"The continued supply of surveillance equipment and services, as well as of advanced military and technical training and equipment to Saudi Arabia, the UAE and Bahrain, may in fact pose a serious threat to our national security."

Details about the alleged use of Pegasus by NSO Group clients to target British citizens came to light in July, after journalists working with cyber security campaigners obtained a leaked database of 50,000 phone numbers selected by NSO Group clients.

The numbers were linked to phones used by politicians, human rights defenders and journalists, and forensic analysis of some of the devices found evidence that Pegasus software had been installed on them.

The MPs' letter comes a week after the US government blacklisted NSO Group, along with Candiru, a second Israeli spyware firm, saying the companies' activities were contrary to US national security interests.

It also follows a Foreign Affairs Committee hearing last week in which a rights group called for an immediate investigation into the potential hacking of UK citizens and residents via the spyware, saying not enough had been done in the wake of the spyware scandal.

That sentiment was echoed in the letter, with MPs saying the silence from Johnson's government was concerning.

'Your government has failed to publicly condemn the actions of either NSO Group or the Saudi, Emirati and Bahraini governments'

- UK MPs in letter to Boris Johnson

"Your government has failed to publicly condemn the actions of either NSO Group or the Saudi, Emirati and Bahraini governments or take substantive action to protect UK nationals and residents," they wrote.

They urged Johnson to follow the US lead and impose trade sanctions on NSO Group, and "ensure there is much tighter supervision on the licensing of relevant software in compliance with international human rights law".

In July, a Cabinet Office minister disclosed during a House of Lords debate that the UK government had repeatedly complained to Israel over NSO Group's operations before the latest revelations.

Asked how long the British government had known about the use of the software by authoritarian governments, and what it had done about it, Lord True, the minister, replied: “We have raised our concerns several times with the government of Israel about NSO’s operations.”

Neither Lord True nor the Cabinet Office have answered MEE's questions about what sparked the complaints, and when they were made.

The NSO Group has stressed that it does not operate the spyware that it sells to its customers - who are limited to sovereign states, or the law enforcement or intelligence services of those states - and does not have access to the data of its clients' targets.

It has also indicated that it previously shut down the systems of several customers and would not hesitate to do so again, but would not identify current or former customers "due to contractual and national security considerations".