Veteran Israeli journalist, Amir Oren, posted a series of tweets revealing news even more troubling than we’ve been reading about NSO Group. We thought we were dealing with a runaway Israeli company wreaking havoc among human rights activists, political dissidents and even national leaders in 50 countries. But it’s far worse than that.
Where do you think NSO came up with this spyware? It wasn’t invented out of whole cloth by a few clever hackers and programmers hired for astronomical sums. Those employees learned their trade elsewhere before they came to NSO. They did so in Unit 8200, the Israeli army’s signals intelligence branch. It is the largest unit in the IDF and produces surveillance technology to rival, or even exceed, the NSA.
Here are Oren’s tweets followed by my translation:
1/1 העוקץ בסיפור NSO – שם דומה להפליא ל-NSA; יפה שהבעלים התאפקו לא לכנות את החברה 8200 וחצי – אינו עיסקי או דיפלומטי, אלא מודיעיני ואסטרטגי. אם המוכר הישראלי ובעקבותיו הלקוח הזר מסוגלים להינעל באמצעות סמרטפון, טבלט או מחשב על תכולתם ואפליקציותיהם והלאה, באמצעות נמענים ואנשי קשר..— Amir Oren (@Rimanero) July 27, 2021
2/2 ..כי אז ברור ש(1) גם אמ״ן, שב״כ, מוסד ואם תורשה להב 433 מסוגלים לאותה חדירה מודיעינית, כולל לטלפון של מקרון (או ביידן) (2) למודיעין הישראלי גירסה משודרגת; הגירסה שנמכרה בחו״ל משונמכת (3) ישראל מאובטחת באמצעי נגד (4) אעפ״כ, נתניהו, החשוף ליכולות או חושד בהן, נמנע מהחזקת טלפון.— Amir Oren (@Rimanero) July 27, 2021
The real sting in the NSO story, a [company] name remarkably similar to NSA: It was nice of the founders [of NSO] not to name the company “8200-and-a-half.” It has little to do with business or diplomacy; but rather intelligence and strategic [interests]. If the Israeli seller and consequently the foreign client are able to hack a smartphone, tablet or PC, their contents and apps, recipients and contacts, then it’s obvious that…
1) AMAN [Israeli military intelligence], Shin Bet, Mossad and the police investigations unit can also achieve the same results, including [hacking] Macron’s (or even Biden’s) phone.
2) Israeli intelligence has an upgraded version [of Pegasus]; the version sold abroad is downgraded.
3) Israel is secured [from such hacks] by counter-measures.
4) Nevertheless, Netanyahu, who has been exposed to these capabilities [spied upon] or who suspects them, refuses to own such a phone.
5) Given the capabilities of the NSA, CIA, FBI–the lax security of the telephone and private e-mails of, for example, Hillary Clinton–is a security breach the width of the gates of the White House.
6) This demands tightening supervision and the oversight of the Knesset constitution, foreign affairs, security and internal affairs committees–and even a court, possibly modeled on FISA, to ensure it is not exploited to the detriment of Israelis.
The important take-aways here are the warning that the Israeli state and its domestic and foreign intelligence apparatus have developed surveillance tools even more powerful than Pegasus; and that these tools are deployed around the world to advance Israeli interests. We can further assume that US intelligence agencies like the ones Oren mentioned have either tools comparable to Pegasus or even more powerful; and that we use them in the same way Israel does. That we hack the phones of both allies and enemies and pry into their personal, political and military secrets.
As I wrote in an earlier post, states with advanced surveillance capabilities like the US, Israel, China and Russia should be extremely nervous about the NSO scandal. While they pay lip service to the issues of violations of human rights or even the murder of journalists like Jamal Khashoggi, what scares the living daylights out of them is the potential for this to rebound against state intelligence interests.
If we outlaw private spyware as Edward Snowden advocates, it will not stop there. Digital rights activists and privacy advocates will next turn to state actors and tell them that they are far more dangerous than private actors like NSO. Fancy Bear and his NSA counterparts can do far more than hack cell phones. They can sabotage major infrastructure. They can cause failures of communication systems, power plants, airports, etc. They can grind an entire nation to a halt practically with the flick of a few switches. Now that’s danger!
Members of Congress have been curiously silent in the midst of this controversy. Other than Sen. Ron Wyden, who spoke out a few years ago about the dangers of NSO, there has been silence. Until now. Today, a group of Democratic House members from California and New Jersey offered a joint statement, Enough is Enough! They demanded an end to NSO’s havoc:
“Enough is enough. The recent revelations regarding misuse of the NSO Group’s software reinforce our conviction that the hacking for hire industry must be brought under control. Private companies should not be selling sophisticated cyber-intrusion tools on the open market, and the United States should work with its allies to regulate this trade. Companies that sell such incredibly sensitive tools to dictatorships are the A.Q. Khans of the cyber world. They should be sanctioned, and if necessary, shut down.
…To that end, we call on the United States government to urgently:
- Call out by name publicly and in reports provided to Congress private companies that sell cyber-intrusion tools to governments with a history of misusing them.
- Consider the immediate addition of the NSO Group and any other company engaged in similar activities to the Entity List administered by the Commerce Department and consider the company’s abusive clients for sanction under the Global Magnitsky Act.
- Establish by legislation or executive order a sanctions regime to hold accountable individuals and companies that sell these tools to authoritarian states.
- Ensure that the NSO Group and companies engaged in similar activities do not access American investors funds—including through a potential IPO—through SEC regulations that would protect non-securitized capital from funding their activities.
- Accelerate efforts to finalize accession to the Wassenaar Arrangement’s limited controls on cyber-intrusion tools, lead a multilateral initiative to impose strengthened controls with transparent human rights assessments on items with surveillance capabilities, and consider SEC regulations requiring companies to publicly disclose exports of technologies with surveillance capabilities and to carry out published human rights due diligence for any such exports.
- Investigate and assess the possible targeting of American ‘journalists, aid works, diplomats and others’ with NSO Group’s Pegasus spyware, determine whether America’s national security was harmed, and take steps to protect all Americans, including federal employees, from the threat posed by the growing mercenary spyware industry.”
Now, we need every Democrat in Congress to join in this effort. Even Republicans who favor the right to privacy and protection of individual liberty should sign on. This is the sort of teeth NSO and its investors need to see in order to rein in their worst impulses.