The Israeli spy software firm NSO Group has rarely been out of the headlines over the past year.
Its spyware tool Pegasus worms its way into phones, accessing data and turning on the microphone and camera to act as round-the-clock surveillance equipment. Authoritarian states have reportedly bought the cyber weapon from NSO and put it to nefarious political uses, targeting journalists, human rights workers, civil rights lawyers and opposition parties.
Perhaps most notoriously, associates of journalist Jamal Khashoggi, a critic of the Saudi government who was murdered in the Saudi embassy in Istanbul in 2018, were later found to have Pegasus on their phones. And last month, it was reported that the spyware was used on the phone of Kamel Jendoubi in 2019, when he was investigating potential Saudi war crimes in Yemen on behalf of the United Nations.
US President Joe Biden’s administration placed NSO and Candiru, another Israeli surveillance software developer, on a blacklist in November, barring US firms from providing them with technology. Washington said these companies’ military-grade software tools were being used for “transnational repression” and were harming US national interests.
Poland’s opposition-led Senate joined the backlash last week, announcing plans to draft a law to regulate surveillance software such as Pegasus, after it was used to target the phones of several opposition leaders. The legislation has little chance of being passed; the Polish justice ministry reportedly bought the spyware in 2017, ostensibly as part of an anti-corruption drive.
Selective outrage
But while there has been plenty of selective international outrage at NSO for its profiting from repression and human rights violations, the real problem is being largely obscured.
This is not a matter of better regulation of a few private companies that have gone rogue. This is a battle for control of a rapidly developing cyber weapons industry that is not only highly profitable, but gives those states that can oversee the industry enormous clout over other states.
The reality is that cyber weapons, like conventional arms, are not going away. They are just going to get more sophisticated, invasive and destructive – and more profitable.
Up to this point, Israel has dominated the field. That is largely because its conventional and cyber weapons industries have been lavishly subsidised with US military aid, and because Palestinians under occupation have served as a ready laboratory for testing the new technologies.
But that may be changing as Washington begins to crack down on pioneering Israeli firms, such as NSO and Candiru, making it much harder for them to sell their wares. NSO was reported last month to be close to insolvency.
While the Biden administration has packaged its measure as a way to protect human rights from offensive software, its motives appear to be far less disinterested. An examination of Israel’s own role in the development of the cyberweapons industry points to what is really at stake.
Police operation
This month, it emerged that NSO’s Pegasus software had not only been used by malign actors abroad, but had also been covertly used by Israeli state agencies against opponents of Israel’s far-right government, both in the occupied territories and inside Israel itself.
Israeli police were recently forced to concede that they had been using Pegasus too. They reportedly bought an early version of the software in 2013, long before its use elsewhere was discovered.
The targets in Israel included the leaders of protests that took off in 2019 to oust former Prime Minister Benjamin Netanyahu from power. Netanyahu is currently on trial on corruption charges, and is widely reported to be readying for a plea deal.
The Calcalist, an Israeli business newspaper, has reported one instance in which police used Pegasus to collect details of the sex life of a social activist.
In Israel, the debate about the police spying operation has been largely limited to technicalities. Did police get court permission before using this military-grade spyware? An investigatory panel has been set up to find out. But that inquiry is intended to deflect from the main point.
Intimate ties
The latest revelations confirm a pattern that was already clear to anyone paying attention: the Israeli state is not simply failing to regulate NSO. It is working hand-in-hand with the company – and others like it.
The first direct clue about the Israeli state’s complicity with NSO emerged last November, shortly after Israel declared six prominent Palestinian human rights groups to be terrorist organisations – even though those improbable allegations have never been backed up with any evidence.
Within days, it was revealed that the phones of some of the Palestinian groups’ senior staff had been infiltrated with Pegasus software. That had a striking implication: only Israeli security services had both the motive and means to spy on these Palestinian organisations.
Now, with fresh revelations about Israeli police using Pegasus, the intimate ties between the Israeli state and firms such as NSO are impossible to deny. Indeed, according to Haaretz’s veteran military analyst, Amos Harel, NSO is “part of the very heart and soul of the Israeli establishment”. Israel cannot be treated as simply another rogue purchaser of NSO’s offensive spyware.
Blind eye
Pegasus was developed by the alumni of the Israeli state’s cyber teams and intelligence arms, drawing on military research funded by Israel and the US. Like other veterans of the Israeli army, NSO staff developed their know-how by testing surveillance tools on Palestinians.
The Israeli defence ministry licences the export of NSO’s spyware. The claim was always that the software was being sold exclusively to the security forces of democratic countries in the fight against crime and terrorism.
What soon became clear was that NSO was actually profiteering from the surveillance and abuse – and sometimes murder – of regime opponents, whether journalists, lawyers, politicians or human rights activists. It was Israel, not just NSO, that turned a blind eye to that information.
And that was for good reason. The selection of who NSO sold to never appeared random. Its clients were Israel’s closest allies, as well as those states with whom Israel wanted to cultivate deeper ties for political and diplomatic advantage.
That included repressive Gulf states, which have been developing ever closer relations with Israel, culminating in the 2020 Abraham Accords.
According to a report in the New York Times last week, then Prime Minister Netanyahu personally intervened to renew Saudi Arabia’s contract with NSO after the defence ministry rejected an export licence following bad publicity over Khashoggi’s murder in 2018.
Israel also wanted to deepen ties with ultra-nationalist governments in eastern Europe and India, countries Israel has come to rely on in international forums to side with it against the Palestinian push for statehood.
At a conference last month, Eli Pincu, the former head of the Israeli defence ministry’s team overseeing the export of Pegasus, highlighted the Israeli state’s obligations towards NSO: “If a company that helped the country’s interest in any way enters the US blacklist … isn’t the state of Israel obligated to support it, to defend it, to deal with the issue for it?”
Another Israeli analyst has termed this “espionage diplomacy”. The thinking has been: “I’ll give you the tools to repress your internal opponents, if in return you back my repression of the Palestinians.”
Rubbed the wrong way
But NSO – and by implication, Israel – has rubbed too many powerful interests the wrong way. Meta (formerly Facebook) and Apple, two of the richest transnational corporations in history, are suing NSO in the US for hacking their products. They likely worry that such infiltrations have undermined consumer confidence.
The US government, too, is unhappy that Pegasus has been found on the devices of its officials. It has already gone to great lengths to make an example of Wikileaks founder Julian Assange, seeking to lock him up indefinitely after he published leaks of embarrassing diplomatic cables and exposed US war crimes in Iraq and Afghanistan.
It is public knowledge that NSO spyware was recently identified on the phones of US diplomats serving in Uganda. The likely suspects include Uganda and Rwanda, both NSO clients.
But given the hard-world realities of state relations, it is likely that in private, the US has found Pegasus software on the phones of many more of its officials. NSO’s client states have an incentive to eavesdrop on the world’s only superpower to understand what it plans for them.
Back in 2015, another Israeli firm, Black Cube, spied on US officials involved in negotiating a nuclear deal with Iran that Israel deeply opposed. Washington knows it cannot stop the development of spyware – and, in any case, it has no interest in undermining this burgeoning industry. After all, it wants these tools for its own spying operations, both against rival states and for internal repression of dissidents.
But what it can do is take greater control of the cyber weapons industry so that the US gets to decide who has access to the best spyware, and build in technological safeguards to prevent offensive software from being turned against the US itself.
Professions of concern about human rights violations and invasions of privacy will keep dominating headlines. But the real battle will be for who emerges as the global spymaster.
• First published in Middle East Eye