The NSO Affair: An Explainer
The allegations against Israeli cyber-security company NSO have made international headlines. How could this affect the ‘Startup Nation’?
When is it legitimate to use surveillance software, and when does its use cross the line?
Surveillance software, which includes eavesdropping and information-gathering programs, is permitted under certain circumstances: first, when used by law enforcement authorities; second, when used for a specified purpose of investigating specific offenses; and third, when subject to oversight, which is generally provided by the courts.
Pegasus and similar programs have distinctive characteristics: They are not cyber-attack software, in that they do not paralyze systems or erase or alter information on target computers. Instead, they only collect information, which can subsequently be used in different ways by those who receive it. Thus, these programs can be used for all kinds of purposes, both legitimate and illegitimate (meaning that they are what is called “dual-purpose” systems). Most sales of Pegasus have been to law enforcement agencies in countries that use it in a highly focused manner, with oversight from the courts. However, recent reports indicate that it has also been used by political agencies, or for political purposes, in non-democratic or semi-democratic countries. Moreover, it has been deployed in an unfocused manner, to collect all kinds of information from all kinds of individuals; instead of being used only against those suspected of serious crimes, it has been used against human rights activists and journalists, with no judicial oversight.
In other words, the problem has been the broad extent of the illegitimate use made of Pegasus, such as a tool for leaders to jail, or physically harm, innocent people, as distinct from the important legitimate uses for which it can be deployed.
Why did the Ministry of Defense not block sales to non-democratic regimes that use these tools for illegitimate purposes?
It should be noted that the Ministry of Defense approved these sales, and most likely supported them. The two relevant divisions in the ministry are the Division for Defense Export, which supports and encourages overseas sales of defense technology; and the Division for Oversight of Defense Technology Exports, responsible for oversight of these sales. To a large extent, the former division is a case of the fox guarding the henhouse.
To be clear, oversight of defense exports from Israel (including exports of defense technologies such as Pegasus) is extremely thorough. Every exporting company must clear four regulatory hurdles:
(1) registering the company with the Defense Exporters Registrar; (2) registering the product and receiving the relevant security clearance; (3) gaining a marketing license (approval to offer a particular product for sale to a particular country); and (4) if a sale becomes a relevant prospect, gaining a sales license. This draconian regulatory regime is designed to maintain comprehensive oversight of defense exports by the State of Israel, and thus it would be false to claim that the state does not know or does not care to whom these technologies are sold.
This is where the considerations weighed by the Ministry of Defense come in. There are four main kinds:
- Defense considerations designed to ensure Israel’s continued military superiority and prevent products reaching hostile elements. (Is there any chance that a product being sold now may come into the hands of Hezbollah?)
- International considerations, in which the Ministry of Foreign Affairs is also involved, relating to international trade wars. (Israel does not sell to China so as not to anger the United States.)
- International relations. (Israel does not sell to Ukraine so as not to anger Russia, but does sell to Hungary and India and other “friendly” regimes in the Middle East that are seeking to silence their critics.)
- Human rights considerations, particularly with regard to the fear that cases could be brought to court against the Ministry of Defense by human rights activists.
How will this affair affect the local cyber industry?
Incidents such as this can damage the Israeli cyber industry as a whole, and not just the particular company involved. The Pegasus affair presents this entire industry as one that is largely not beneficial to the world in general, but instead exports sophisticated weaponry to states with appalling human rights records. The cyber industry is a major engine driving the Israeli economy, and thus the state has a double role to play: On the one hand, it wants to advance the industry and encourage innovation, and on the other, it is moved to rein it in due to local strategic int considerations, as in this case and in similar previous instances.
If companies such as Amazon decide to turn off the servers of Israeli companies (as they did with NSO), this could damage the entire industry. If companies such as Microsoft decide to cease investing in Israeli cyber and data collection companies, as has happened in the past, other investors will follow. It is important to understand that in the current age, global hi-tech giants do not play games—they ruthlessly sideline those who do not play by their rules, whether or not their decisions seem justified to us.
The world of cybersecurity is largely divided into two areas: defense and offense. This case is unusual in that it concerns a third area—data collection. When a company such as NSO inserts Pegasus onto a phone, the user’s data is not deleted or corrupted, but harvested. According to reports, various states and agencies around the world then used these capabilities to intimidate and persecute journalists and human rights activists.
The question before us is thus a larger one. We need to decide what to do with systems that simply collect information, in a world in which information and data are extremely valuable and can be used to oppress entire populations.