... for openness and credibility....

After being in the news for years and most of it for the wrong reasons, Shalev Hulio, co-founder and CEO of the NSO, has decided to step down. Along with this, the offensive cyber company will also be parting ways with around 15 percent of its workforce, as reported by Calcalist, an Israeli daily business newspaper. Hulio will be replaced by the current COO Yaron Shohat and will remain in the company in charge of mergers and acquisitions.

No direct reasons were given for the cutback and reorganization within the company. However, Calcalist reported that the Ministry of Defence’s decision to reduce the number of licenses for the sale of offensive cyber tools has already led many companies in the field to bankruptcy but was silent on the current financial status of NSO. Despite the ubiquity of NSO-related news across the globe, the hostile media discourse against the firm has led people and researchers to have a parochial attitude towards NSO. It is preposterous to witness the absence of nuance while dealing with issues related to NSO and similar firms. Given that the company is back in the news, it is essential to look back at what transpired in recent years and what was missing in debates.

The Pegasus controversy and consequences for the firm

Last year, the world was alarmed by revelations of the ‘Pegasus Project’, an international investigative journalism initiative that examined the records of phone numbers reportedly selected by NSO clients in more than 50 countries since 2016. The stories were based in part on a leaked list of 50,000 phone numbers that were believed to have been chosen for surveillance by governments using ‘Pegasus’, the signature spyware of the NSO firm. Following these detailed reports, which were backed by forensic analyses, NSO became a household name. However, the then-CEO Hulio denied the firm’s involvement and responded to allegations by saying that “the list of 50,000 phone numbers has nothing to do with the firm.” The firm was already under scrutiny before the revelations by the ‘project’ as it was sued by Meta (Facebook) for allegedly targeting users of its WhatsApp messaging application. Following the reports, Apple also filed a lawsuit against the firm and its parent company for allegedly targeting iPhone users with a hacking tool.

In November 2021, the Biden administration added the firm to the US Department of Commerce’s trade-related Entity List along with Candiru (another Israel-based spyware company) and Russia- and Singapore-based spyware firms. The action was based on “evidence that these entities developed and supplied spyware to foreign governments that used the tools to maliciously target government officials, journalists, business people, activists, academics, and embassy workers.” The action was undertaken under the Biden administration’s broader efforts to put “human rights at the centre of U.S. foreign policy” that also include stemming the “proliferation of digital tools used for repression.” Such designation could be crippling for any firm as it empowers the US government to restrict parties from accessing US-origin products or technology. It has made it difficult for the NSO to source critical components for its servers. Following the US blacklisting, Isaac Benbenisti, the CEO-designate of the spyware firm, resigned just a few weeks after being announced as Hulio’s replacement. Israel has also reportedly banned cyber tech sales to countries with questionable human rights records. The Defence Ministry’s updated list consists of 37 countries, down from 102.

The firm and its technology, previously touted as a ‘tool for diplomacy’ for the Israeli government, were suddenly turned into an international pariah. There were talks of a possible sale of the firm to Integrity Partners, a company run by ex-US soldiers, to keep the company afloat. There are also reports that the equity in NSO is ‘valueless,’ and the firm has received no new customer bookings to use the Pegasus hacking tool since July 2021. Lately, ProPublica reported that the NSO is conducting a lobbying campaign to get off the US blacklist and has heavily invested in payments to “lobbyists, public relations companies and law firms in the US.” Much of the discussion about NSO centres around its ability to turn a device into a surveillance tool. However, the NSO group has a more comprehensive range of products seldom discussed in media reports.

NSO beyond controversy

In 2021, the NSO released a Transparency and Responsibility Report outlining the firm’s internal governance, vision, and commitment to ‘human rights values’. It is challenging to ascertain the veracity of claims made in the report, which are meant for marketing and projecting the company as being in compliance with international norms. Nonetheless, it also provides an opportunity to examine the internal decision-making within the firm operating in a secretive domain. The firm’s mission is to “help governments protect innocents from terror and crime by providing them with the best intelligence technology of its kind”. As per the report, the company is said to have 60 customers in around 40 countries. The NSO products are meant to be used exclusively by government intelligence and law enforcement agencies to fight crime and terror.

Interestingly, there is too much emphasis on the company’s commitment to human rights. The Governance, Risk, and Compliance Committee (GRCC) board within the company undertakes a comprehensive assessment of potential human rights impact while reviewing potential sales of NSO products. The GRCC may also veto business opportunities following the company’s Human Rights Due Diligence Procedure. It was also reported that the firm had rejected over US$300 million in opportunities due to its stringent review process. Also, 15 percent of potential new opportunities for Pegasus in the previous financial year were rejected for human rights concerns. The company also encourages internal and external stakeholders to raise concerns about misconduct. The firm is also closely regulated by export control authorities, namely the Defence Export Control Agency of the Israeli Ministry of Defence, which strictly restricts the licensing of Pegasus.

The NSO group has also created a wide range of tools to address issues ranging from tracking virus carriers to allowing for geolocation of cell phones used for search and rescue missions. The firm has also heavily invested in the ‘Eclipse’ program, a cyber counter-drone “designed to detect automatically, take over and safely land unauthorized commercial drones in a designated zone.” Similarly, NSO also developed “Fleming,” which uses “cell phones and public health data to identify where people with coronavirus are and whom they come in contact with.”

Somewhere amid alarming claims about the company, the discussions above were found to be missing. Also, the discussions across the globe largely vilified the technology vendor for its clients’ misuse, observed Dr. Lior Tabansky, head of Research Development for Blavatnik Interdisciplinary Cyber Research Centre, Tel Aviv University, in an article published in the National Interest. “Democracy needs cyber-surveillance tools to track criminals and terrorists”, observed Professor Isaac Ben-Israel, a leading cybersecurity expert based in Israel, in an interview with the Times of Israel. “Just regulate the tech better”, he argued and cautioned against the temptation to discard the spyware technology. The overwhelming focus on the activities of the NSO group is understandable, but it is equally important to understand the utility such technologies bring to law enforcement agencies. Equally significant is to address the elephant in the room, which is better regulation of such advanced technologies instead of berating the technology itself. Unfortunately, the whole debate following the scandal was mired in sensationalism, and even though the allegations are serious, a comprehensive picture would have added more value to the discussion.

Note: This article was originally published in The Times of Israel (The Blogs) on 28 August 2022 and has been reproduced with the permission of the author.

As part of its editorial policy, the MEI@ND standardizes spelling and date formats to make the text uniformly accessible and stylistically consistent. The views expressed here are those of the author and do not necessarily reflect the views/positions of the MEI@ND. Editor, MEI@ND: P R Kumaraswamy