The US Commerce Department announced that it was blacklisting the Israeli malware maker, NSO Group, after digital rights NGOs exposed the widespread use of its spyware to target journalists, lawyers and human rights activists in 50 countries. The designation found that the Israeli company had acted “contrary to the foreign policy and national security interests of the US.” The US agency said:
“Today’s action is a part of the Biden-Harris administration’s efforts to put human rights at the center of US foreign policy, including by working to stem the proliferation of digital tools used for repression…This effort is aimed at improving citizens’ digital security, combatting cyber threats, and mitigating unlawful surveillance and follows a recent interim final rule released by the commerce department establishing controls on the export, re-export, or in-country transfer of certain items that can be used for malicious cyber activities.”
Israel has cornered much of the world market for such malevolent cyber-tools. Other Israeli companies in this market are Candiru, which was also blacklisted, Circles, Cellebrite, AnyVision, and Psy-Group. Israel’s role in pioneering this invasive, destructive technology is not accidental. It springs from the country’s hostile relations with many of its Arab neighbors; including with Palestinians, both citizens and those living under Occupation. The security state mentality arising from this all enveloping sense of isolation and hostility, turned Israel’s military and intelligence to creating a vast surveillance state. Technology was developed specifically tailored to the need to monitor and, if need be, target those perceived to be enemies.
Once Israel developed this technology domestically, it naturally determined to maximize its value through export. The country is one of the top ten weapons exporters in the world. Over the past decade it has added this mass surveillance technology to its menu of products. Scores of nations, especially those pursuing their own surveillance schemes to preserve their leaders’ domination and control, have flocked to the Israeli companies for solutions.
Only in the past decade have privacy and human rights NGOs begun to recognize the dangers posed by NSO’s flagship product, Pegasus. Their activism came to fruition a few months ago when a coalition of such groups including Amnesty International, Citizen Lab and Forensic Architecture released their groundbreaking study, the Pegasus Papers. It exposed the list of 50,000 individuals whose cell phone numbers were listed as prospective victims of NSO hacks. That, combined with Senate hearings in which Sen. Ron Wyden suggested, despite NSO’s fervent denials, that Pegasus might have targeted US officials. This indeed turned out to be true when the phone target list included Rob Malley, the US envoy to Iran nuclear deal negotiations.
The next step which Democratic lawmakers are urging would be to extend the blacklist designation to American investors, and thus deprive NSO of much needed capital for its expected public stock offering.
This development should considerably strengthen Whatsapp’s lawsuit against NSO, filed after a company client used one of its exploits to spy on 1,400 victims who used the texting app. One of them might have been Jeff Bezos, who was sent a phishing text message via Whatsapp by Saudi intelligence, which led to the exposure of private sexual images. That, in turn, led to his divorce and subsequent marriage to the woman with whom he was having an affair.
The Israeli government has been doing damage control on NSO’s behalf since shortly after the Pegasus Papers were published. Benny Gantz announced with fanfare an official inquiry into the matter. Prime Minister Bennett met at the Climate conference with Emmanuel Macron, whose phone was hacked by Moroccan state security. Israeli officials are attempting to mollify the French by promising that in future the company will not permit Pegasus to target French phones. But this belies the fact that any French official traveling outside France could be targeted, just as Malley was. Nor is there any guarantee that the notoriously mendacious company will honor its commitment. NSO earns such fealty from Israeli officials because it advances state interests along with its own in its surveillance work. So the state owes NSO, just as NSO owes the state in routinely approving its export licenses.
NSO released this statement defending itself, which left me queasy. Not so much for the words themselves which are quite cleverly crafted; but for the discrepancy between them and the real truth:
“We look forward to presenting the full information regarding how we have the world’s most rigorous compliance and human rights programs that are based on the American values we deeply share, which already resulted in multiple terminations of contacts with government agencies that misused our products.”
How does the world’s most rigorous compliance and human rights program permit NSO to sell its wares to dictatorships like Saudi Arabia, which in turn uses them to concoct the murder plans against Jamal Khashoggi? How does it sell the surveillance tech to Mexico’s intelligence services, which finds its way to those who murdered a Mexican journalist? Is murder one of those “deeply shared American values?” Is earning tens of millions in fees from kleptocracies like UAE, which in turn use Pegasus to lock up a human rights activist for ten years, an American value? Are beatings of Muslim dissidents by Bengladeshi death squads who exploit Pegasus to target their prey, as American as apple pie?
Thankfully, the Biden administration hasn’t been snowed by this fake rhetoric. It has seen NSO for what it is: a criminal enterprise based on cyber-predation.
Haaretz published this interesting analysis which suggests that NSO as we know it, may be dead. If US investors and banks are prevented from doing deals with it due to its blacklisting, then the company may have no choice but either to drop out of the offensive cyber-attack business, morph into a different company, or possibly reconstitue itself in some new form that permits it to continue what it’s doing now.