The United States Government has added four foreign companies to the Entity List for engaging in activities contrary to the national security or foreign policy interests of the U.S. The U.S. Government has added four foreign companies to the Entity List for engaging in activities contrary to the national security or foreign policy interests of the United States. The four entities are Candiru, NSO Group, Computer Security Initiative Consultancy PTE (COSEINC) and Positive Technologies.

The Entity List is a tool used by the Department of Commerce Bureau of Industry and Security (BIS) to restrict the export, re-export and in-country transfer of items subject to the Export Administration Regulations (EAR) to persons — individuals, organizations and/or companies —  reasonably believed to be involved, have been involved, or pose a significant risk to being or becoming involved, in activities contrary to the national security or foreign policy interests of the United States.

The U.S. government is not taking action against countries or governments where these entities are located. This effort aims to improve citizens' digital security, combat cyber threats, and mitigate unlawful surveillance, the Department of State says.

Oliver Tavakoli, CTO at Vectra, a San Jose, Calif.-based AI cybersecurity company, says, "The murky business of supplying offensive cyber capabilities to governments across the world invariably leads these companies to make a judgment on what constitutes "appropriate use" of the technologies and whether their clients can be trusted to honor the spirit of constraints — often expressed in vague terms referring to "threats" and "security" — written into contracts. It's pretty clear that most governments ignore those constraints and do what they believe to be in the self-interest of the government and its current leader. However, the companies can then claim plausible deniability. These sanctions mostly represent a speed bump for these companies."

The update follows an October 2021 interim final rule published by the Department of Commerce establishing controls of certain items that can be used for malicious cyber activities; that rule implements decisions taken by the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies.

According to the Department of State, NSO Group and Candiru were added to the Entity List "based on a determination that they developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, business people, activists, academics, and embassy workers."

Positive Technologies and COSEINC were added to the Entity List based on a "determination that they misuse and traffic cyber tools that are used to gain unauthorized access to information systems in ways that are contrary to the national security or foreign policy of the United States, threatening the privacy and security of individuals and organizations worldwide."

Each of the additions to the Entity List is interesting in its own right; however, the most significant is almost certainly NSO Group, says Jake Williams, Co-Founder and CTO at BreachQuest, an Augusta, Georgia-based leader in incident response. "While NSO tried to spin its software as being used for legitimate purposes, it's clear that it has been used repeatedly to target journalists, activists, and government officials. It isn't just the targeting of these individuals that got NSO in hot water; it's that entities unfriendly to the U.S. used NSO tools to target friendly journalists, activists, etc. That's never a winning business plan."

The organizations COSEINC and Positive Technologies are perhaps more academically interesting, Williams says. "Both were added to the Entity List because they "misuse and traffic cyber tools that are used to gain unauthorized access to information systems in ways that are contrary to the national security or foreign policy of the United States, threatening the privacy and security of individuals and organizations worldwide." While Positive Technologies (a Russian company) isn't a surprise to see on this list, COSEINC (a Singapore company) is. COSEINC had largely flown under the public radar before today, though prior reporting from Joseph Cox of Motherboard/VICE identified the firm as a zero-day vendor in 2018. It appears likely that COSEINC was found to be selling exploits or collaborating with foreign intelligence organizations or cybercriminals to have gained such a designation on the Entity List."

 According to the Digital Shadows Photon Research Team, NSO Group's addition to the Entity List is likely to garner the most attention out of the four; the company was alleged to have been placed on the list because it had supplied spyware to foreign governments. "The statement alleges that NSO Group's spyware — likely referring to its "Pegasus" suite of exploits and tools — was used to target a range of individuals, including embassy workers, government officials, academics, and activists. The four entities were highly likely perceived to be operating against the United States national security interests and their position on global human rights. Being added to the Entity List is typically a punitive measure and often falls in line with pre-existing U.S. policy. Companies placed on the Entity List are subject to trading restrictions; being added to the list means they cannot purchase U.S. technology or goods without a license provided by the U.S. Department of Commerce. However, U.S. citizens are not barred from trading with organizations on the Entity List."