Pegasus was meant to give law enforcement and intelligence agencies access to criminals’ and terrorists’ smartphones, but the reports in 17 media outlets said they had a leaked list over 50,000 phone numbers of “people of interest” to NSO’s clients in countries with which Israel has grown closer in recent years, such as Saudi Arabia, the UAE, Bahrain, Azerbaijan, Hungary and India.
Those targets included leaders such as French President Emmanuel Macron, Pakistani Prime Minister Imran Khan and Moroccan King Mohammad VI, and 180 journalists, including one who was murdered in Mexico after reporting on government corruption, as well as countless activists and dissidents.
NSO, however, said it investigated the claims and the report is “full of wrong assumptions and uncorroborated theories.” The list on which the news stories rely is easily accessible data that have nothing to do with the NSO customer list and did not come from its servers, the company said.
In addition, NSO does not operate its system once it is sold to its clients, which are all law enforcement and intelligence agencies of governments approved by the Israeli government for the sale.
Days later, Prime Minister Naftali Bennett stood on a stage and hailed Israel’s cybersecurity industry, in which he made his fortune as the CEO of Cyota 15 years ago. Bennett announced at Cyber Week, an annual international conference at Tel Aviv University, that Israel would be launching the “Global Cybernet Shield,” a network that like-minded countries can join to warn one another against cyberattacks and threats.
The Global Cybernet Shield, which is still in development, is an international version of Cybernet, Israel’s domestic cyber defense network, led by the Israel National Cyber Directorate with over 1,500 members, including government ministries and major corporations. The National Cyber Directorate uses Cybernet to swiftly disseminate warnings about cyberattacks and isolate online viruses so they don’t spread, as well as to explain to organizations how to prepare their systems.
Israel is the first and possibly only country to have such a network, National Cyber Directorate Executive Director of Strategy and International Cooperation Aviram Atzaba explained this week, and foreign governments’ cybersecurity units have expressed interest in joining it.
Bennett’s idea to take Cybernet global is not only a smart way of protecting Israel and its allies from cyberattacks by bad actors such as Iran, which he singled out for opprobrium in his speech. Israeli prime ministers have long used Israeli technology as a way of strengthening Israel’s diplomatic standing, bringing it closer to more countries.
But the prestige of Israeli cybersecurity prowess has taken a hit following the NSO report, which has dented Israel’s public image at a sensitive time and could have negative reverberations in its foreign relations. The report also revealed weaknesses in how Israel regulates sales of defense technology.
PEGASUS IS not a classic cybersecurity product, in that it is not purely defensive. It is considered a “dual use” product – meaning, it can be weaponized – and as such, it needs multiple authorizations from the Defense Export Controls Agency before each sale is made.
DECA was established in 2006, after Israel tried to sell airborne early-warning systems to China, infuriating the US, which demanded greater regulation of Israeli arms deals.
Today, any security-related product must go through four stages before a sale. First, the company must register as a security exporter. Next, it needs to register each product it wants to sell; about 20% of the products are confidential, and dealing with them requires a security clearance, ranging from protected to top secret.
Next, the company needs a marketing license for the product, which means permission to negotiate a deal with a specific country about a specific product. A new license is required for each product in each country.
The final step is for DECA to review the deal and give authorization to sell the product.
Israel’s considerations in providing licenses include its immediate security needs, such as ensuring the defense technology won’t get into Iran’s hands, as well as international relations, as in the case of the American uproar over selling Phalcon airborne early-warning systems to China, and as such the Foreign Ministry is also involved in DECA.
Dr. Lior Tabansky, head of research development for the Blavatnik Interdisciplinary Cyber Research Center at Tel Aviv University, which organizes Cyber Week, argued on this week’s Jerusalem Post podcast that, because of the heavy government regulation, Pegasus is “definitely not exported to countries that are known abusers of international norms and liberties.
“The publication of this week is completely strange because there really is no connection between the list of phone numbers that they call evidence and NSO’s potential customers,” he said.
Tabansky also said that NSO sells to governments, which in turn decide whom to target: “That’s not something that is up to the decisions of tech providers.”
Plus, in the case of NSO, it has an internal auditing program to assess risks prior and during the contract. If someone is caught abusing its product, NSO can stop giving the government agency access to it.
However, Tehilla Shwartz Altshuler, head of the Democracy in the Information Age program at the Israel Democracy Institute, said that defense exports have “the heaviest regulation in the market,” and therefore “there is no way the State of Israel didn’t know who NSO is selling to, what it’s selling and under what conditions.”
The NSO story has been framed by much of the international media as something wrong that Israel has done, while much of the Israeli media has reported it as though NSO is a private company doing bad things, Shwartz Altshuler said, calling the Israeli framing “nonsense.”
“There is nothing they sold that wasn’t encouraged by the state,” she posited.
THE DEFENSE Ministry, Foreign Ministry, Justice Ministry, Mossad and other Israeli government agencies are now working on a task force to look into the media reports about NSO and determine if something went wrong in the regulatory process.
Defense Minister Benny Gantz warned at Cyber Week that the government approves cyber products to be sold only “to governments and only for lawful use in order to prevent crime and terrorism. Countries who purchase those systems must adhere to the conditions of use.”
The Knesset Foreign Affairs and Defense Committee also plans to review the matter, with the panel’s chairman, Ram Ben Barak of Yesh Atid saying “we certainly need to take a new look at the whole topic of licenses given by DECA.”
“Truth be told,” Ben Barak told Army Radio, “[Pegasus] has uncovered a lot of terrorist cells and crime families and helped many people. If it has been misused, or sold to irresponsible parties, that must be examined.”
Shwartz Altshuler suggested that greater transparency would vastly improve DECA’s results. She called for it to be moved from the Defense Ministry to the Economy Ministry, so that it would be subject to the Freedom of Information Law.
“All the rot happens behind the scenes,” she said. “If there is no transparency, there is corruption.”
The IDI researcher said there are strong ties between members of the defense establishment and cybersecurity companies like NSO. For example, former IDF chief censor Ariella Ben-Avraham immediately moved to NSO after leaving the military, and the IDF censors elements of news reporting about NSO, as determined by DECA.
AS FAR as the international implications of the NSO scandal are concerned, a senior Israeli diplomatic source said that, at the moment, the damage is mostly in the public sphere and not in government-to-government relations, but there is potential for diplomatic tensions.
The reports come soon after Operation Guardian of the Walls, when there was massive anti-Israel activity. Soon after the NSO story broke, Ben & Jerry’s announced that it will stop doing business in Judea and Samaria, and its board said it wants to boycott Israel entirely. Cybersecurity and ice cream don’t have a lot to do with each other, but the negative stories about Israel compound each other.
The NSO story specifically “connects us to countries that are not ‘like-minded,’” meaning not liberal democracies, the diplomatic source said. “From the outside, it makes us look like facilitators of countries with human rights problems.”
For example, prominent political scientist and a former minister in the Portuguese government Bruno Maçães, who has a history of support for Israel, pointed to the fact that Hungary blocks anti-Israel decisions in the EU and was an authorized NSO client. Maçães tweeted: “So am I right in concluding that Israel is part of the global forces spreading autocracy worldwide?... Israel seems to have decided its national interest is advanced by supporting autocracies.”
Still, the diplomatic source argued that criticism in that vein “ignores the fact that other countries sell similar products.”
Tabansky said “it’s very easy to create an association between the wicked activities of an Israeli company and the State of Israel or the Jews in general. That is obviously not a new phenomenon; we know how this works.
“Nobody talked about the truck manufacturers in terrorist attacks in Nice or Berlin,” he added.
Shwartz Altshuler said that Israel may lose cybersecurity as a tool that it used to improve its international relations, “but maybe it’s justified.
“Part of our pride is that we’re the Start-Up Nation, which is how we draw big companies to open research and development centers here,” she said. “There has been a lot of pressure on Facebook to close its center in Israel in the wake of Guardian of the Walls.... If Israeli technology has the reputation of being arms dealers, think how that will influence the Israeli hi-tech world.
“Israel does a lot of innovation for good, but there’s also this,” Shwartz Altshuler said. Scandals like the Pegasus Project “hurt Israel’s good name. Israel is trying to promote hi-tech and be the Start-Up Nation, but the other side spoils it.”
Tabansky pointed to reports on ties between the Kaspersky antivirus software and the Russian government, followed by a ban on using it on US government computers starting in 2017, or when Edward Snowden leaked evidence in 2013 that the US’s NSA was surveilling Americans’ phones, plus those of foreign leaders.
“We’ve been arguing about this for quite a long time,” he said. “Now [the NSO leak] is joining those other major events.” •