Kampala, Uganda — Sometime in February 2020, then-Uganda Prime Minister Ruhakana Rugunda's phone might have been hacked by Pegasus; a spyware manufactured by the Israel firm, NSO.
The collaborative media investigation dubbed "Pegaus project" that outed the global spying scheme reported that Rwanda might have used the Pegasus spyware to tap the phones of Uganda's former Prime Minister Ruhakana Rugunda, former Chief of Defence Forces Gen. David Muhoozi, and former foreign affairs minister Sam Kutesa.
According to recently released data by a group of journalists and human rights activists, Rugunda's phone was found among possible targets of spying operation by clients of NSO.
Rugunda's phone was found in the same data set as that of then-Chief of Defence Forces, Gen. Muhoozi, and then-Foreign Affairs Minister, Kutesa and other prominent Ugandans.
According to its manufacturers, the Pegasus spyware is designed to collect files, photos, call logs, location records, communications and other private data from smartphones.
The spyware literally takes over the target smartphone and the spy can read and send mail, edit photos, listen to phone conversations.
It can activate cameras and microphones and offer real-time surveillance at key moments.
The Pegasus attacks can happen without the targets knowing - in so-called 'Zero click' attacks.
The suspected hack on the prominent Ugandans has gained attention because, according to the French journalism nonprofit, Forbidden Stories, and the human rights group Amnesty International, who released the data of possible targets; the Ugandans' data was found among a group dominated by Rwandan phone numbers. And Rwanda is suspected to be a client of the manufacturers of the spyware.
Other targets in the Rwanda-dominated group included South Africa's President Cyril Ramaphosa, top Burundi officials. These are areas where Rwanda equally has interests.
Even French President Emmanuel Macron's phone number was added to the list as he was about to embark on a tour of Africa, with stops in Kenya and Ethiopia.
The revelations of Rwanda spying on Uganda have fueled the intrigue and suspicion that has been running between the two countries for close to four years now. In 2019, Rwanda shut down its border with Uganda alleging harassment of its citizens in Uganda, an accusation denied by Uganda.
It is not abnormal for countries to spy on each other; especially neighbouring ones like Rwanda and Uganda which have a shared history through liberation wars and ancestry. The two countries have allegedly run espionage campaigns against each other resulting in arrests, blackmail and soured relations over the years.
The investigative report says the tapping of phones belonging to top Ugandan officials happened in February 2020 at the time there was a summit between President Yoweri Museveni and his Rwandan counterpart Paul Kagame at the Uganda-Rwanda border.
Then Minister of Foreign Affairs Sam Kutesa was heavily involved in the talks mediated by Angola and DR Congo. Minister of state for international affairs Okello Oryem was quoted as saying it would be wrong and unacceptable for Rwanda to be engaging in the spying.
Tensions between the two states were only dulled by the pandemic that broke out in 2020 but arrests, killings and retaliatory actions have gone on.
Rwanda has issued official statements denying involvement in the spying.
Rwanda's minister of foreign affairs, Vincent Biruta, said his country "does not possess this technical capability in any form."
Despite Rwanda's denial, many commentators are saying Uganda must be ready for similar cyber espionage in the future.
In an interview with The Independent, Daniel Mwesigwa, a digital rights activist and ICT researcher at The Collaboration on International ICT Policy for East and Southern Africa (CIPESA), says governments such as Uganda must boost cybersecurity readiness and capacity for such attacks.
He says the government needs to invest in human resources and protective equipment.
Mwesigwa's recommendation is similar to what experts elsewhere have been making.
Cyber infiltration not war
On April 30, in what was billed as his first major speech as U.S. defense secretary, Lloyd Austin, announced the need for a "new vision" for American defense. He said future conflicts will bear little resemblance to "the old wars."
"The way we fight the next major war is going to look very different from the way we fought the last ones," Austin said in a widely quoted speech to the U.S. Pacific Command at Pearl Harbor, Hawaii.
"We can't predict the future," he added. "So what we need is the right mix of technology, operational concepts and capabilities -- all woven together in a networked way that is so credible, so flexible and so formidable that it will give any adversary pause."
He said the next wars will require quantum computing, artificial intelligence, and edge computing.
At around the same time, a new report titled 'The Future of Warfare in 2030' published by the Rand Corporation; the American nonprofit global policy think tank created to offer research and analysis to the United States Armed Forces, recommended that among other strategies, all branches of the U.S. military will need to enhance their information warfare capabilities and, because of the trend toward greater use of artificial intelligence in war, invest more in automation.
But the experts also warn that infiltration and extracting information is not an act of war. It is merely evidence of typical espionage operations that countries conduct against their peers.
Brandon Valeriano, an authority on military innovation, says denying future cyber-attacks will require correct assessment because attackers have many attack options.
He says defense will likely not come solely through government action, but collaboration between industry, the private sector, and government agencies.
Mwesigwa makes the same point.
"Potential targets should ensure that their immediate networks also adopt digital protection mechanisms because they can only be as strong as their weakest links," he says.
As all those affected by the possible hack reckon on its impact, digital activists have pointed out measures that need to be taken for anyone who uses smartphones or plies their trade in the digital space on how they can be safer while carrying out their work.
Mwesigwa recommends what he calls exercising "digital hygiene". This involves regularly changing passwords and prioritising encrypted communications.
"This might be helpful although there are no full guarantees," he says, "With more advanced spyware such as Pegasus, it might be important to regularly change devices or even phone numbers".
On whether any amount of regulation or government policy can stop the proliferation of the likes of Pegasus, Mwesigwa says this is an almost unachievable goal.
"On the contrary, governments, especially the global powers, have been slow to regulate the spyware/malware industry because it is in their best interest to keep it as such."
He adds, "Moreover, there is no well-defined framework against cyber espionage, there are no Geneva Conventions for impending cyber wars."
Instead, he warns, rogue governments and institutions might acquire equipment to counter cyber-attacks but instead use it to spy on citizens.
"Although this might include purchasing foreign designed equipment, the government and high institutions should ensure that the use of countermeasures against Pegasus are not arbitrarily used against citizens including dissenting voices and activists without following due process," he says.
Neema Iyer, executive director of Pollicy, a Ugandan organisation working at the intersection of data, design and technology, told Research ICT Africa in an interview that it is important to understand that a lot can go wrong with for instance Uganda's digital ID rollout. Iyer added that it was also important to understand "how to implement systems that stop unlawful or unjust uses of digital IDs, both by governments and by malicious actors."
Iyer was speaking about the digital ID eco-system that is in the works in Uganda and in several parts of the African continent.
The Ugandan government has in the past procured equipment to spy on the political opposition and critical voices in the media, civil society and to some extent, religious leaders. In August 2015, The Independent reported that State House and the Uganda Police were in the final stages of acquiring stealth technology from an Italian firm then called Hacking Team.
Hacking Team would deploy Pegasus-like spyware to monitor computers and smart phones. The deal was being handled by then Inspector General of Police, Gen. Kale Kayihura, and cost in the region of Shs10 billion. Hacking Team's spyware was called Remote Control System (RCS) and it was sold to governments worldwide targeting journalists and human rights activists.
However the company suffered severe data breaches and went through a near collapse before it was bought by another Italian cyber security company in 2018.
Ugandan opposition politicians and activists have for long suffered under the overbearing surveillance of the state and the global spying expose may not shock them since the state resorted to a brutal method of kidnaps to curtail opponents as the country entered election season late last year. Journalists were not spared the brutal arrests in the election season and now there are wide spread fears the hacking software may give Ugandan state operatives new ideas to crack down on critical and dissenting voices.
Journalists, activists worried
Ugandan journalists, activists and opposition politicians are now on alert for possible surveillance following revelations that their counterparts have been targeted by governments worldwide using Pegasus.
Nicholas Opiyo, a human rights lawyer, says he has readied himself for the new confrontation that is the digital warfare.
"The intense pressure on journalists, civil society actors by autocratic governments to stifle expression is a vice that has gone on for so long. I am that shocked that anyone would be shocked," he says.
Opiyo was abducted on Christmas Day last year commando style by security operatives while at a restaurant in Kampala. He believes he was being trailed by security operatives before they pounced on him. He is facing money laundering charges.
He says "we can never give in to the tactics of the state".
"I have a 2G phone for sensitive communications which is off grid; no internet, nothing as a way of avoiding digital surveillance," he says.
The spyware revelations were a result of a collaborative investigation by more than 80 journalists from 17 news organisations. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International, coordinated the investigation where 50,000 phone numbers that were selected as targets were leaked to the journalists.
The journalists investigating the wide scale spying had various findings.
"The fact that a number appeared on the list was in no way indicative of whether that number was selected for surveillance using Pegasus or was infiltrated with NSO's software." wrote The Guardian, one of the 17 media houses involved in the investigation. 180 journalists including editors were selected as possible targets using Pegasus.
The new spying scandal has also exposed more digital vulnerabilities as the iPhone which is known for its strong security features had a number of users' digital security compromised. Once Pegasus has compromised a phone, it gets access to one's emails, photos, messages, videos, location and can activate cameras and microphones without a user's knowledge.
The new spyware reveal has left US tech company Apple on the defensive. Pegasus was used to trail Saudi journalist Jamal Khashoggi who was brutally murdered by a Saudi hit squad in Turkey in 2018. His murder drew widespread condemnation from the world. It was also revealed that his fiancée, Hatice Cengiz's phone was also targeted.
Some activists are not letting their guard down as cyber surveillance becomes ever more intense and sophisticated even as others seem resigned to a seemingly unwinnable war.