[ad_1]
Cyprus has become the privileged entry point for Israeli cybersecurity companies, including those operating in the shady world of surveillance software.
In July 2021, an internal consortium of investigative journalists revealed that the Israeli company NSO sold its military spyware Pegasus to governments worldwide, including European ones, to track politicians, journalists and other public figures illegally.
In reaction to the scandal, the European Parliament set up an investigative committee to look into the illegal abuses of spyware in Europe. Last November, EU lawmakers visited Greece and Cyprus as part of the inquiry.
“According to an MP interviewed, in Cyprus, there is no regulatory framework, neither for manufacturers nor for the use of software, and that is why spyware and surveillance companies work in the country, and that spyware briefcases are used,” stated the briefing for the MEPs’ mission.
In other words, Cyprus is not just a country whose government has allegedly abused spyware. Thanks to this absence of a regulatory framework, the island has become the European entry point for spyware businesses.
Geography also plays its part. Cyprus is the closest EU country to Israel, home to the world’s leading cybersecurity and spyware sector.
The tech island
The attractiveness of Cyprus for tech companies is not limited to Israeli firms. The island has become an international hub for Russia, Turkey, the United States, and the United Kingdom.
A legal adviser from a Cypriot firm who talked to EURACTIV on condition of anonymity said that there are minimum requirements for non-European companies who choose to establish an office on the island.
Cypriot authorities confirmed that “regulatory, tax and visa incentives” also make the island attractive for technology companies.
But for Israeli companies in particular, the island provides a way to cut the cost of operations, which is much higher in Israel. With the additional advantage of being in the EU, Cyprus can provide the entry point for the European market.
Tech companies based in Cyprus can also secure EU funding and participate in European research projects.
For example, there is cooperation in research and innovation, launched by the Cyprus Research Promotion Foundation, innovation and entrepreneurship, and student exchange programs by the Reichman University in Israel, as well as scholarships for Cypriots to study in Israel.
In 2022, the Pafos Innovation Institute, an Israeli-founded college, also opened its doors on the island.
Elias Athanasopoulos, a Greek cybersecurity expert who works at the University of Cyprus, told EURACTIV that tech companies relocating to Cyprus had been an ongoing process for at least the past seven years.
However, in the last few years, software engineers also began to move to the country. Athanasopoulos also said there are frequent flights between Israel and Cyprus allowing people to commute weekly.
Andreas Aristidou, an assistant professor at the Department of Computer Science at the University of Cyprus, stressed that Israel is “a very attractive place for Cypriots to find collaborations.”
“The real reason spyware companies moved to Cyprus is that in Israel, there is strict legislation requiring the export of surveillance software be authorised by the Israeli government, Thanasis Koukakis, a Greek investigative journalist who fell victim to the Predator spyware, told EURACTIV.
For Koukakis, under the government of former President Nicos Anastasiades, Cyprus provided a safe environment for spyware companies. That is, until the black van scandal pushed several companies to relocate to Greece and North Macedonia.
The spyware triangle
Tal Dilian, a former Israel Defence Forces Unit 81 commander, operated in Cyprus from 2013 until around 2020 and became a major entrepreneur in the high-tech domain. Among other companies, Dilian founded Intellexa, a consortium that some consider might become the new NSO.
In 2019, Forbes reported how Dillian advertised in Cyprus the WiSpear, a ‘magic van’ produced in Israel that can ‘infiltrate’ smartphones within a radius of one kilometre. As law enforcement authorities looked into the matter, they discovered WiSpear was collecting data from the nearby airport.
As a result, Dilian and Intellexa had to relocate. In April, Koukakis’ media outlet, Inside Story, reported that Intellexa’s company Cytrox developed Predator, a spyware similar to Pegasus, in North Macedonia with the knowledge of the local authorities. From there, the spyware was exported to Greece.
Dilian and Intellexa have refused to comment and have not cooperated with the European Parliament’s Pegasus inquiry committee.
As EURACTIV reported, the administration of Greek Prime Minister Kyriakos Mitsotakis facilitated the proliferation of Intellexa’s Predator spyware to countries such as Saudi Arabia, Sudan, Madagascar, and Bangladesh by granting export licences through the Greek Ministry of Foreign Affairs.
Granting such licenses was not only problematic because some of these countries have a poor human rights track record, but it was also at odds with the EU’s rules on dual-use technologies.
In February, the European Commission requested the Greek government to provide an explanation for the provision of such licenses, but Athens still has to reply to the EU executive despite the fact the internal audit was concluded over six months ago.
Since the scandal erupted, the head of Greek secret services, as well as Mitsotakis’ nephew Grigoris Dimitriadis, who was the secretary general of the prime minister’s office until August 2022, resigned after it was revealed that Nikos Androulakis, an MEP and leader of the socialist Pasok party, was placed under surveillance by the Greek intelligence service in 2021.
Mitsotakis said publicly he was not aware of this surveillance. Still, the opposition pointed out that one of his first moves after taking office was to take the intelligence agencies under his direct supervision.
The Greek-Cypriot-Israeli spyware triangle seemed to run full circle when Dilian’s Passitora sold the Israeli technology to Bangladesh via Cyprus, and senior officials from Dhaka’s security forces flew to Greece to be trained on how to use the surveillance tools.
Turning a blind eye
Sophie in‘t Veld, the Dutch MEP who has been spearheading the work of the Pegasus investigation in the European Parliament, considers that it is not the lack of regulations that is the problem in Cyprus but the lack of enforcement.
She told EURACTIV that if the authorities do not check properly or “are willing to turn a blind eye, then it becomes easier” to find ways around regulations.
Cyprus was found to have sold thousands of passports to wealthy individuals, including Russian oligarchs, between 2008 and 2020.
Similarly, the EU Parliament’s report said that “on paper, there is a robust legal framework, including EU rules, but in practice, Cyprus is an attractive place for companies selling surveillance technologies,” which is why “better implementation of existing rules is needed.”
Cypriot authorities said that the country “is committed to imposing further controls on tech companies operating in the field of cyber-surveillance (spyware/communication interception).” They are also “currently in the process of further improving its national regulatory, supervisory and legal framework.”
In ‘t Veld said that the European Parliament asked the Commission to investigate. Still, the EU executive declined, arguing that it is a matter for national authorities.
“Under the Dual-Use Regulation, member states competent authorities are solely responsible for taking decisions with regards to export licenses applications,” a Commission spokesperson told EURACTIV, stressing that enforcement is a national competence.
“The Commission is responsible for the enforcement of EU laws. They’re just slacking and not doing their job,” in‘t Veld retorted, adding that “the European Commission bears a responsibility here as well”.
“In the interest of sincere cooperation with the European Parliament,” the Commission spokesperson added that they did ask the Cypriot authorities if they had issued export licenses of cyber-surveillance technologies to Sudan, which Nicosia denied.
Still, relying solely on national authorities might be problematic since neither Cyprus nor Greece seems to have taken measures following revelations about Dilian’s companies allegedly breaching EU and national law.
“If there are companies that are involved in this private business [of spyware], you won’t notice because nobody will tell,” Athanasopoulos said, adding that there are “undoubtedly” companies that have the talent and resources to be able to create spyware “from scratch.”
“There’s just so much smoke. There must be some fire somewhere,” in ‘t Veld concluded.
Luca Bertuzzi contributed to the reporting.
[Edited by Luca Bertuzzi/Benjamin Fox]
Read more with EURACTIV
[ad_2]
Source link