In July 2021, Amnesty International, Forbidden Stories, and 17 news organizations released a bombshell investigative report called the Pegasus Project. The investigation provided an in-depth analysis of Israeli surveillance company NSO Group’s highly sophisticated Pegasus spyware. The consortium discovered that over 50,000 people across 50 countries were targeted by Pegasus, including Saudi Arabian women’s rights activist Loujain al-Hathloul, Belgian politician Didier Reynders, and Hanan Elatr, the wife of murdered journalist Jamal Khashoggi.
One of the many targeted by the Pegasus spyware was US-Lebanese citizen and Human Rights Watch’s Middle East and North Africa director Lama Fakih. After Lama learned of the intrusion, she decided to go public, describing her experience of the cyberattack in a Washington Post op-ed. To highlight the human impact of Pegasus, we spoke with Lama to dive deeper into her story and bring to life the real dangers of invasive spyware.
(Edited for brevity and clarity)
DPN: Tell us a little bit about yourself.
LF: My name is Lama Fakih. I’m the Middle East and North Africa Director at Human Rights Watch. I’m a human rights lawyer by training, and I’ve been dedicated to human rights advocacy my entire career.
What is Human Rights Watch’s core mission?
Human Rights Watch is an international organization that documents, reports, and prevents human rights abuse around the world. We work in 100-plus countries around the globe, and we use the same methodology everywhere we go. We go to the ground, uncover the facts, and report the facts. We tell people’s stories. We try to get the government to stop their abusive behavior. Increasingly, our work has also touched on the role of companies in furthering or perpetuating human rights abuse.
Walk us through the day you found out you were targeted by a cyberattack.
I was targeted between April and August 2021, but I didn’t learn about the attack until the end of November. It was late in the afternoon. I was in a meeting when I glanced at my phone. I received a message from my phone service provider notifying me that I had been subjected to a state-sponsored hack. Since I work in the human rights field, I know people targeted by these attacks. I had never heard of a service provider sending state-sponsored cyberattack notifications, so I was suspicious. I contacted our Information Security Director and asked her if it was a legitimate notification. She did some checks on her side, and we found out it was legitimate.
Describe the moment you found out you were targeted by a cyberattack.
Even though I knew of these attacks, I was still shocked. My first thought was to question what I was working on, and why a government would be interested in it. They could have spent hundreds of thousands of dollars trying to get into my phone, so the information had to be valuable. So, what government is it? What data did they take? Who else was compromised? I still don’t have good answers to these questions. However, I have my suspicions.
What are your suspicions?
At the time of the attack, I was investigating the August 4th, 2020, explosion in Beirut’s port. This explosion, caused by 2,750 tons of ammonium nitrate housed in very unsafe conditions, levelled half the city. The blast killed 220 people and displaced thousands of others. To this day, no one has been held responsible.
So, we conducted an investigation to find out who was responsible. We wanted to know which government officials knew of the ammonium nitrate and who failed to take necessary safety precautions. We were aiming to release the report on the anniversary of the explosion, so I was working night and day.
When I learned about the Pegasus attack, I suspected it was related to the blast investigation. The Lebanese government is not one of NSO’s clients, as far as we know. Given that NSO is an Israeli company, the likelihood that it was them is exceedingly low. However, several other governments around that region are NSO clients, and I suspect it could be one of them.
How did you respond to the discovery of spyware on your phone?
Once we confirmed the message’s authenticity, my colleague did a forensic analysis of my phone. Through that process, we discovered five separate state-sponsored cyberattacks between April and August 2021. When we identified my phone was infected with Pegasus spyware, we reached out to NSO Group, the company that produces the software. We asked them to investigate which government was responsible for this intrusion. They stated they would start an inquiry, but we haven’t heard anything from them since.
Were other Human Rights Watch employees targeted by Pegasus?
We checked a number of our colleagues’ phones. Thankfully, we did not find spyware. Unfortunately, I have colleagues from media organizations and partner organizations who found Pegasus on their phones. For some of them, that means very dire, real-life consequences. That means being detained, being mistreated in detention, being tortured, or having someone you know killed. There are far-reaching consequences to these cyberattacks.
Can you explain how this cyberattack disrupted your personal life?
Even though I have a public professional profile, I try to keep my personal life private. I care about privacy because it involves my family’s safety. Suddenly, a hostile government knew everything about me, my family, and my network. They even knew where my kids went to school. The feeling of anxiety that comes from an attack like this? It’s not something that ends—it is ongoing.
This spyware can also activate a phone’s microphone and camera. So, how much of my work did these hackers capture? Did they listen to my meetings with vulnerable people, conversations with other colleagues, or group discussions around strategy? All of that information was no longer confidential. It became accessible to a hostile government, and they can use that information when and how they see fit. They can use it today or ten years from now. This experience impacted my sense of being able to mitigate risks that I expose myself to at work. It also shook my belief that I can protect the ones I love.
Have you discussed this experience with your family?
My family is very supportive. But of course, they were concerned. They understand the repercussions of these attacks. So, it’s certainly not something we took lightly.
Pegasus gained a lot of media attention, in part due to your Washington Post piece. Why did you decide to come forward about this cyberattack?
I went public because I wanted people to know that this could happen to anyone. I recognize I occupy a privileged position. I am an American citizen. I am a lawyer. I work at a mainstream international organization headquartered in New York. Yet, it still happened to me.
I hope the media attention raised awareness that we need regulations on how governments can use spyware. Until there are regulations, we are all vulnerable to governments abusing this kind of technology. NSO Group, and other organizations like it, try to sell themselves as companies that stop terrorists and pursue serious criminals. They say they don’t target people that are doing legitimate work. That’s just not true. I wanted to shine a light on this fact.
What was the most concerning aspect of this cyberattack?
It’s hard to pick one because my concerns are tangled together. I’m concerned about my family. I’m concerned about the security of human rights victims I come into contact with. I’m concerned about sensitive information in the hands of wrongdoers. I’m concerned about the impact of these cyberattacks.
When you go through an experience like this, part of you wants to turn off the phone and never turn it on again. However, our work is dependent on digital devices. You can try to limit the damage caused by cyberattacks, but you can’t fully prevent it. Investigative journalists and human rights activists are involved in such important work. They are trying to hold governments responsible for human rights violations. Cyberattacks try to strip them of their voices. Without their voices, our way of life is at risk. It’s incredibly chilling.
How much did you know about cyberattacks or cyberwarfare before this occurred?
I’m pretty well-versed in it. Human Rights Watch has seen how cyberattacks affected the lives of activists. I know people in the Middle East and Africa targeted by Pegasus spyware and other malicious attacks.
Has the experience made you change your online habits?
Absolutely. I keep less content on my phone. I try to minimize the type of information that would be accessible if somebody attacks my phone again. That’s the primary way I have changed my online activity. But we can’t mitigate every risk. We need to use these devices.
What would you tell people unaware of the threat of cyberattacks and/or cyberwarfare?
This is an issue that should matter to all of us. Some people believe it is irrelevant to them. They think it is a future concern, but the future is here. You may have already been subjected to surveillance technology like this and not even know it. Guess what? By the time you find out, it’s too late.
Is there any message you would like to provide for those impacted by cyberattacks?
You’re not alone. Speak out about what’s happening to you. Try to educate people around you. There’s more that can be done to stop these attacks. In fact, more must be done to stop them. We need to fight for our rights in this space.
The NSO Group is not the problem in and of itself. Remember, NSO is only one of many companies in an entire industry that is largely unregulated. This industry profits by selling spyware like Pegasus and exploiting that lack of regulation. What has become clear to me is our governments need to address this problem and do more to protect us. There just needs to be the political will to act.
Thank you so much for your time.