The Agenda with Steve Paikin (Audio) - How Cyber Espionage Threatens Democracy in the Era of Trump
Episode Date: March 26, 2025
Since 2001, Ron Deibert and his team at the University of Toronto's Citizen Lab have uncovered dozens of covert spy operations around the world, including the creators of the phone hacking spyware, Pegasus, created by the Israeli company, NSO Group, whose clients include Saudi Arabia's Mohammed bin Salman, and Rwanda's Paul Kagame. In a wide-ranging discussion, Deibert tells host Steve Paikin about his recent trip to the White House, the impact that the Trump administration's policies will have on cyber security worldwide, and why Canadians ought to be concerned by a bilateral agreement with the U.S. called the Cloud Act. His new book is called, "Chasing Shadows: Cyber Espionage, Subversion, and the Global Fight for Democracy." See omnystudio.com/listener for privacy information.
Transcript
Since 2001, Ron Deibert and his team at the University of Toronto's Citizen Lab
have uncovered dozens of covert spy operations over the years.
In his new book, Chasing Shadows, Cyber Espionage, Subversion, and the Global Fight for Democracy,
he chronicles how and why Citizen Lab
became a world-renowned digital watchdog.
And in our conversation tonight,
he may have a few things to say
about a certain American president as well.
Ron Deibert, great to have you back here at TVO.
Always a pleasure to be here, Steve.
As we indicated, 2001, you founded the Citizen Lab.
It's fairly, you know, fairly early days for the internet.
Has the mission of your lab evolved over that quarter century?
Actually the mission hasn't evolved much.
I would say if anything's changed, it's that we're doing now what we aspired to do then.
And when I set up the Citizen Lab, I had this vision of essentially borrowing the
techniques of state intelligence practices and turning them around to watch governments
and corporations.
And back then it was all just hubris.
We had no basis to make this claim, to be doing counterintelligence for civil society.
And if you fast forward to today, we're really doing it.
We're doing it quite well, to the point where that old adage comes to mind, careful what you wish for.
Well, I mean, Washington Post, New York Times, I mean, lots of people are
noticing that you are doing good work. Talk to us about the types of cyber
risks that you are talking about from sort of the less nefarious to the most
urgent.
Well, I would say that, you know, over the years that the internet has
evolved, governments and corporations have become more adept at controlling information,
they become more ambitious about it, there's a whole private industry that
helps them do various things, and we set out to map all of that. And, you know, the
low-hanging fruit is things like internet censorship. It's pretty harmless,
relatively speaking, just blocking access to information. But then if you move across the spectrum, what I talk about in the
book concerns what I would consider to be the most risky, the most serious, which is
the technology that's provided to government intelligence agencies and law enforcement
to get inside a target's device. Once you're inside a device with the latest most sophisticated spyware,
you can activate the microphone,
you can turn on the camera,
you can of course read all the emails and the messages,
even those that are end-to-end encrypted,
and you can track someone's location.
You can even go back in time and find out where they've been,
who they've been meeting with.
So this is godlike capabilities.
And the latest versions of this spyware enable government clients to get into a phone
without any user interaction whatsoever. Even the companies that secure those
phones, Apple, Google, Microsoft, are unable to keep ahead of the race with
some of those mercenary spyware firms. So if you think about that, some of the world's worst autocrats,
dictators and others around the world right now have the capability, if they
choose, to get inside your phone, my phone, anyone else in the world and
perform these functions which are incredibly revealing.
That is not a comforting thought.
It's not, no. And that's why we do what we do. We try to track these down, investigate abuse cases when we see them and bring them to the
public's attention.
Your focus here is cyber espionage.
How come?
Well, A, that's the most serious.
I mean, you know, I thought when we started the Citizen Lab, we probably wouldn't be able
to touch any of that because it's just too well organized, very secretive. But we found out that this mercenary spyware industry exists and they make mistakes. They
leave digital breadcrumbs all over the place that investigators like us can unearth.
And what we found is really quite astonishing, like a tsunami of abuse cases around the world,
journalists, human rights defenders, NGOs, political opposition, all having
their phones hacked using this type of spyware.
The other reason I focused on it is frankly, like the last 15 years or so
have really been a whirlwind.
We've been involved in disrupting active cyber espionage campaigns involving
China, Russia, Saudi Arabia, domestic espionage campaigns in Spain.
Our reports have precipitated the sacking of heads
of intelligence agencies.
So people say to me, it's incredible what you guys
have been involved in.
You should stop and write it up.
So I thought, well, before something happens,
I better get this down on paper and tell the story.
What do you mean before something happens?
What does that mean?
Well, you know, I'm getting old, you're getting old, I mean, we may move on.
I wondered whether that was a reference to the... okay, shall we do it here? I don't know, should we? Well, we're joking here, but I mentioned to you before
we went on the air there's a reference in your book to the fact that we live in a world right now
where the shake of a hand can pass a toxin from one person to another and you can be
killed that way. Yeah and there are a lot of bad actors whose operations we have exposed and they
don't like what we're doing and those are powerful people that have shown a propensity to do all
sorts of horrible things so there are major risks doing this type of work there's no doubt about it.
I deal personally and my team deals
with hundreds of victims around the world.
These are front line people who experience these type of risks
all the time.
So being in the same boat as them
when we're doing the research kind of gives you a kinship.
You feel like you're part of the same struggle, if you will,
even though we're the investigators.
And we have to take those risks seriously.
It's part of the bargain.
I'm doing this type of work.
I'm going to say one word to you, and then you're going to tell us a story about why
this was so extraordinary.
Okay.
The word is Pegasus.
Well, Pegasus is a spyware of the type that I just described, manufactured by the notorious
Israel-based mercenary spyware firm NSO Group. And it was, until 2016 when we published the first report
on NSO Group's Pegasus spyware.
It was a very secretive company.
I mean, people heard rumors of it existing.
But we produced the first report and have done dozens of reports since 2016
showing how their technology
has been used by governments in inappropriate ways.
So companies like that say that they sell this technology to help law enforcement
and intelligence agencies investigate serious matters of crime and terror.
Do you believe that?
Well, no, I don't.
It's not that I believe it or not.
It's in that.
Demonstrably false.
It's demonstrably false.
I mean, that's the point of the research
is we've shown that. It sounds right,
but if you ask a first-year political science student
what's wrong with that claim,
they'll say, well, there are many governments around the world
for whom journalism is a crime.
Women's rights activism is a crime or terrorism.
Just now in the United States,
we have Donald Trump considering issuing an executive order
saying fentanyl is a weapon of mass destruction.
So you have all sorts of arbitrary definitions
around these terms and not surprisingly,
governments are going to be using this technology
to go after anyone they consider irritants to their rule.
What is the usefulness of contacting somebody by phone to tell them that they are under
surveillance when that phone they are using has no doubt been hacked?
Yeah, that's a challenge. It's a bit of a paradox and we've been in that situation before where we
know somebody is under surveillance. We have to alert them. What you try to do is get them off that device,
and you try to, first and foremost, secure that device
because the device has evidence on it.
So you want to make sure they don't panic and erase it all
because we want to be able to find the forensic logs
that we can examine.
But you try to move them to some other device,
and it's not always easy.
Back to the NSO Group for a second here and Pegasus,
who were some of that company's clients
who were not exactly using this technology
for savory purposes?
Well, the one that comes to mind is Saudi Arabia.
So we had this incredible story that I tell in the book
about identifying a victim of Pegasus spyware here in Canada,
a person named Omar Abdulaziz.
He was a Canadian permanent resident,
had a YouTube channel at the time in 2018
that was mocking MBS, something again.
They could-
Yeah, Mohammed Bin Salman.
Something in that context is considered a crime.
And so they hacked his phone
and we published our report October 1st, 2018.
The next day he sent me a text message saying,
Jamal has gone missing, I'm very afraid.
I had no idea who he was referring to until I turned on CNN
and saw Jamal Khashoggi went into the consulate in Turkey
and was horribly murdered.
So we and others had discovered that basically everyone around Jamal Khashoggi,
his wife, his fiancée, his
friends, his colleagues all had their phones hacked with Pegasus.
Essentially a spyware net was cast around his entire inner circle.
There's a story of the Ontario Provincial Police having an angle on this as well.
How about sharing that one?
Yes, well we've discovered yet another mercenary spyware firm, Paragon, another one with Israeli
connections that actually was marketing itself as the anti-NSO. They said we have
all sorts of guardrails in place and lo and behold it turns out that Italy has
been using their technology to spy on a journalist, human rights defenders and
it looks like a priest in that country, which if you think about having a priest's phone under surveillance, imagine the confessional and what type
of information somebody might get there. But we did analysis and we have all
sorts of network infrastructure mapping techniques and we can see that there,
lo and behold, there's a customer of this company in Ontario and it's the Ontario
Provincial Police.
Turns out we have a spyware problem in this province and probably in this country.
Police, probably intelligence agencies have been using this type of
technology
without disclosing it to the public, without privacy commissioners
being aware. And so, you know, there are many democracies around the world that
abuse this country and I think in Canada
we better put some strong regulations in place
so we don't become the next democracy with a spyware abuse problem.
That may be unethical, but is it illegal?
No, it's not illegal. That, I guess, it depends on how you look at privacy
regulations and whatever guardrails there are in this province, but
that's precisely the problem, is a lot of these agencies operating in gray areas are frankly
under cover of secrecy.
And there are instances like this where I think it's in the public interest to know
what type of technology they're procuring.
That's taxpayer money going to a firm that is involved in abuse of human rights abroad.
At the very least, we shouldn't be procuring it from a firm like that.
The Ontario Provincial Police does have civilian oversight in the Ministry of the Attorney,
excuse me, the Solicitor General.
Do you think the elected Solicitor General of Ontario knows about this?
Probably not, actually.
That'd be a good question to ask them and that's because
it appears to us that police in this province and across Canada aren't
exactly transparent. So they have been using different acronyms when they are
using this type of technology. They have their own Canadian acronym on device
interception tools. So they're not exactly
forthcoming about how often they use this, what they're using it for, whether
they get warrants for it and so forth.
Gotcha. What's the craziest threat you've
ever uncovered at the lab?
Well, I mean, there have been so many incidents. There's
some that strike me personally. One is a woman named Loujain al-Hathloul, who as we speak is in country arrest in Saudi Arabia.
She's well known internationally for being an advocate
for the woman's right to drive a car
without a chaperone in Saudi Arabia.
We discovered her phone was hacked
with NSO Group's Pegasus spyware.
We captured the exploit that was used to hack her phone.
That technology is worth on the market well over $20 million.
We did a responsible disclosure to Apple
because it was taking advantage of software flaws
that Apple wasn't aware of.
And they issued an emergency security patch
for every Apple user around the world,
billions of customers,
simply because of that one woman's bravery.
So there are many cases like that and you know honestly there are too many to single
out one and say that's the craziest one but that's the most memorable for me because of
her work.
Let's look south.
We're going to do an excerpt here because you got a piece in the Globe and Mail recently,
the title of which, "The United States Is Putting the United States in Danger," and here's what
you wrote. Sheldon, I'm going to bring this up and I'll read along for those listening on podcast.
It's apparent to almost everyone in the world over that the United States is rapidly descending
into authoritarianism.
We are observing routine attacks on democratic institutions, the undermining of the rule
of law, daily assaults on the press, politicization of government agencies including intelligence and law enforcement agencies, the encouragement of political violence, the deliberate
evisceration of formal checks and balances, and
outright corruption and self-enrichment. As these practices become normalized in the United States, they will have major consequences for security worldwide,
including, ironically,
in the United States.
Nothing wrong there.
Well, it sounds like there is.
That was just a few days ago you had that piece up.
Now you had a recent assignment in Washington DC which takes us to the States.
Why don't you tell us about that?
Well actually those comments in the Globe and Mail came about because I was asked to
brief members and staff of the US Senate Select Committee on Intelligence about this topic that we've
been discussing about mercenary spyware, something I've done numerous times.
And normally that's a great honour to do something like that.
It's an important stakeholder body.
If you can explain to them the importance of this and they can take action, that's important
for us in this area.
But I actually did a big pause.
I thought long and hard about whether even to accept this invitation.
I'm an Officer of the Order of Canada.
My father was a World War Two veteran who served overseas to fight fascism.
And here, as this invitation comes in, the president of the United States is
threatening repeatedly to annex my country.
So I decided I would write up these remarks and just deliver them in the same way that they're actually printed in the Globe and Mail.
That's a verbatim transcript of what I said.
And my comments to them were, look, everyone in the world can see what's going on.
You're really destroying yourself. You're destroying your country.
A committee like that has an important role to play.
We talked about oversight here in Ontario.
That's one of their jobs down there.
They need to step up and prevent and check the descent into this cruel techno-fascism
that we're seeing.
Did you hear back?
Actually one of the staff members of a senator
said you should publish those remarks.
And that's why I sent them to the Globe and Mail.
Back to your quote from the piece,
as Trump's chaotic style of governing continues,
what impact do you think this is going to have on cybersecurity
around the world?
It's a disaster.
I mean, in the book I described, there's
a bright light in the book at the end,
where we had great success advocating for the United States to take measures to regulate this
industry and President Biden signed an executive order prohibiting 18 US federal agencies from
procuring spyware from companies like NSO Group.
I briefed the White House staff.
I played a role in bringing about
those regulations.
It's kind of like for a political scientist winning the Holy Grail, that President Biden
signed the executive order.
Now all of that's up in the air, of course.
And given the extent to which they're basically steamrolling over the rule of law, over checks
and balances, that will be noticed around the world.
It will legitimize the same actions abroad.
Despots and authoritarian regimes will say if the United States is doing it, we'll
do it too.
And I have great fears that those regulations will now be rolled back which will precipitate
even greater proliferation of this very powerful technology with all of the harmful consequences
that we've documented.
What do we do, Ron, about a case though where 50% of the United States, 50% of its citizens think
if Donald Trump thinks it needs to be done, then we're okay with that?
You know, that's a tough nut to crack.
It's how we ended up in this place, how they ended up in this place
is very complex political, sociological phenomenon.
I honestly don't have an easy answer for that other than I think it's important
for people in that country to realize just how far they've gone off the deep end.
And that's why in part I wrote those comments, because, you know, we're obviously concerned about our security here in Canada.
Many other countries around the world are as well.
But US citizens should be concerned about their own security because they're really shooting themselves in the foot right now.
We are apparently, we in Canada, are negotiating quietly
a bilateral data sharing agreement with the United States called the Cloud Act. What's that about?
Well, the Cloud Act is one of these type of information sharing arrangements that in
normal circumstances probably wouldn't draw much attention. It's to facilitate
information sharing between law enforcement on both sides of the border.
Even before the election of Donald Trump we at the Citizen Lab had concerns about
that privacy risks and so on related to this piece of legislation.
Now, of course, I think it's just bananas.
At the heart of this act, it would allow US law enforcement
to reach into Canadian data centers
and access data without a warrant,
without going through a judicial process here in Canada.
I mean, this is just madness now,
given the risks that exist between us and the United States.
You also say that former Prime Minister
Stephen Harper's top spies and Privy Council officials intimidated you over
your lab's reports.
Well, tried to.
Tried to intimidate you. Okay, but that provokes a
good story here. So tell us that.
This was way back in 2010. And you may recall at that time, the Citizen Lab produced
the very first reports on cyber espionage in China.
It was a blockbuster report that we had
published first of its kind.
We outed a cyber espionage campaign
that China was undertaking.
And it was front page in the New York Times.
We had heard rumors that people within Canadian government weren't
too happy about this. So in order to smooth things over, our mutual friend
Janice Stein set up a meeting at the Privy Council office and they accused us
of all sorts of inappropriate things, hacking computers and so on, which were
just not true. So it was a very curious experience to have that meeting.
And what I thought would be something that the Canadian
authorities would applaud turned out to be something they
were very uncomfortable with.
And I guess it boils down to the very phenomenon of what the
Citizen Lab represents.
We don't pick sides.
We are completely independent.
We will forecast and look wherever the evidence leads us.
And that means we are disrupting China, Russia, cyber espionage, one moment could be Canadian the next.
So I think that's what made them very uncomfortable.
You had the temerity to hope that they may actually be encouraging your work and be glad to know what you would come up with?
I guess so, yeah. Maybe I was naive.
It didn't work out that way.
Give us your thoughts on the increasing, what appears to be,
public-private cooperation into where cybercrime and espionage
have really reached unparalleled heights now.
Well, I think that the technology we're describing,
which is, I would say, the ultimate type of surveillance technology,
when you can get inside someone's phone,
you have a god's eye view into everything
that goes on in that phone.
And that's very expensive technology.
And most of those companies, even though they're
quite careless about to whom they sell their technology,
at least they say they restrict it to government clients.
What we are seeing are all sorts of private companies
now offering not quite the same level of sophisticated technology,
but different ways of accomplishing maybe the same things, hacking your email inbox and so forth,
to a whole range of private sector clients, oligarchs, corporations that are involved in litigation.
And again, this gets back to the norms that are being set and normalized by the United States.
We're entering into a real lawless kind of frontier right now.
And it's a very dangerous time.
We're dependent on these technologies.
They're highly revealing.
And to the extent the bad actors can get inside our devices,
I think that could put a lot of people in danger.
How well or badly is Canada doing on all of this?
We talk a lot about what we should be doing to regulate this space.
Canada signed on to a statement and principles to commit to regulating spyware, but like
in other areas of our commitments, it's mostly words right now. I wish we were doing a lot
more to protect vulnerable people from this type of risk. But so far, I don't really see us doing much
other than rhetoric.
In which case, what does good cyber hygiene look like to you?
I think it boils down to what you pointed out earlier
about what should happen here in Ontario, proper oversight.
You know, there's lots of technical things I could say
about, you know, use this app or whatnot, two-factor authentication.
But moving back a bit, I think the real problem here is that you have very powerful groups
and entities with access to extremely sophisticated surveillance technology.
The only way we can prevent that from being abused is if we have groups watching them.
Citizen Lab watches from below.
Well, we need entities watching from above as well.
Those exist on paper, but they need to be super amplified
in order to meet the task.
What about artificial intelligence?
How's that a factor in this?
I mean, it just makes everything faster.
It allows, for example, the groups that we've been talking about,
these companies, to very quickly analyze software
and look for vulnerabilities that they can exploit.
It gives the offense a greater advantage.
In theory, it should help defense,
but that's not typically how things work in this ecosystem.
Ron, just finally, I'm one of many billions of people
in the world who carries this around, right?
And I guess the final question is,
how worried should I be about hanging on to this thing?
Well, you're a journalist.
I think you investigate important issues
of public interest.
You probably communicate a lot of sensitive things
over the phone.
And even if you don't, somebody might
want to get access to your phone to find things that they
can use to embarrass you.
So you should be very, very concerned about it, given your public profile and your role
as a journalist.
And I've checked hundreds of journalists' phones for spyware.
Given that you're in Canada, you probably have some degree of protection, but I think
that's something that is not likely to
last so if I were you I would get that checked by a group like ours.
Let's talk. If we had more time I could do it right here. Let's talk after it.
I presume you know obviously most of what goes on on this thing is
communicating with producers about what we're what we're doing and I don't know
of how much interest that is to people who are outside this building but I guess
you never know. You'd be surprised.
You'd be surprised.
I mean, anything that gives people information that then can be used to get at what they
want in terms of their ultimate target might be exposed.
Fascinating.
Let's remind people the book is called Chasing Shadows, Cyber Espionage, Subversion, and
the Global Fight for Democracy.
And we are delighted that it has brought Ronald J. Deibert, Ron Deibert, to our studio today.
Thanks so much.
Thank you, Steve.
I appreciate it.