On 18 July, an international consortium of journalists led by Forbidden Stories, with technical analysis from Amnesty International's Security Lab and the University of Toronto's Citizen Lab, published the Pegasus Project. The reporting documents the use of NSO Group's Pegasus spyware against journalists, lawyers, activists, business executives, and political figures in dozens of countries.
The technical detail is sobering. Pegasus is a remote-access tool that, in its current iterations, can be deployed via zero-click delivery on iOS and Android — meaning the target does not need to interact with anything for the device to be fully compromised. Once installed, it gives the operator full access to messages, contacts, calls, files, location, microphone, and camera. NSO maintains the software is sold only to governments for legitimate intelligence and law-enforcement purposes. The documented evidence suggests otherwise on a scale that NSO's denials no longer survive.
The piece I want to write is not about NSO. It is about what UK boards should now do, knowing what the past month has confirmed.
The honest assumption
Most cyber discussions in UK boardrooms still implicitly assume the threat is criminal — phishing, credential stuffing, ransomware. That assumption is sensible for most firms most of the time. Pegasus changes nothing about that.
What Pegasus does change is the calculation for a smaller set of firms and individuals. Specifically: if your business involves work that a foreign government might consider strategically interesting — defence, energy, mining, pharmaceuticals, telecommunications, journalism, NGO advocacy, dissident support, legal work involving sanctioned individuals or politically exposed persons — the threat model now includes commercial spyware operated by states (or by their contractors).
The honest assumption is that any senior individual in such a firm who has come within a hostile state's field of interest, or whose communications have been visible for long enough to be identified, may have been targeted. Some of those attempts will have succeeded. Most people who have been successfully targeted do not know it, because Pegasus does not leave the kind of evidence ordinary users would recognise.
The Citizen Lab and Amnesty resources
For any board director or executive concerned about personal targeting, two resources are worth bookmarking.
Citizen Lab's research output on commercial spyware is the single best public source on how this industry operates and what defensive measures actually work.
Amnesty's Mobile Verification Toolkit (MVT) is an open-source tool for forensic analysis of mobile devices. It is not aimed at non-technical users, but a qualified forensic practitioner can use it to look for indicators of Pegasus and similar tools.
Neither of these is something a typical UK SME needs to engage with. For executives in the categories above, they are the starting point.
What the firm should do
For an ordinary firm, the response is roughly to raise the bar a few notches on senior-executive device security. Specifically:
Lockdown Mode on iOS, where applicable. Apple has indicated that a future iOS release will include this — a deliberately reduced-functionality mode designed to harden against state-grade attacks. When it ships, executives in scope should consider using it.
Separate work and personal devices for senior individuals. The personal device is the harder one to harden because the user installs more software. Keeping the work device tightly managed and the personal device for personal use limits the blast radius if either is compromised.
Mature mobile device management. The MDM choice should support remote wipe, application whitelisting, OS version enforcement, and immediate alerting on jailbreak/root detection. Most firms have MDM. Many have configured it lightly.
Periodic device hygiene. For executives in scope, periodic forensic review of phones — by an organisation that knows what it is doing — is reasonable. This is not paranoia; it is the equivalent of the periodic counter-surveillance sweeps that have long been routine in physical security work.
An honest conversation about the boundary of acceptable risk. For executives travelling to certain jurisdictions, the safest practice is a clean device — issued for the trip, used only for the trip, wiped on return. This is inconvenient. For the categories above, it is appropriate.
The harder question: do we use these tools?
There is a separate, harder question for firms in adjacent industries. Some UK private intelligence, due diligence, and corporate investigation firms have, over the years, made use of capabilities derived from or analogous to commercial spyware. Some have stopped after the Pegasus Project. Some have not. Any board overseeing a firm with offensive or investigative cyber capability should now have a clear written position on what tools are used, on what authority, and against what targets. "We do not use anything illegal" is not a policy. A policy is specific.
The regulatory direction
The US response is the most visible so far. The US Department of Commerce added NSO Group to the Entity List (note: this was actioned in November, after this post was written). The EU has signalled investigations. The UK has been quieter. Expect this to change over the next two years as the policy environment around offensive cyber tooling matures.
The point for boards is that the firms that use these tools, and the firms that supply them, are operating in a regulatory environment that is hardening fast. The position taken in 2021 may not be the position the regulator accepts in 2024.
One paragraph for the audit committee
If the firm has individuals whose work makes them plausibly of state-grade interest, the audit committee should have a written paper, this quarter, covering: who those individuals are (identified by role rather than by name in the paper itself), what device hygiene applies to them, what travel hygiene applies to them, whether the firm has retained any forensic capability to check devices on suspicion, and what the disclosure obligation is if targeting is detected.
For everyone else, this is a chance to take the senior-leadership device standard up by one notch and move on. The everyday threat landscape has not changed because of Pegasus. The ceiling has.