Don’t toss the spyware with the NSO scandal bathwater, urges Israeli cyber guru

Democracies need cybersurveillance tools to track criminals and terrorists. Just regulate the tech better, argues Prof. Isaac Ben-Israel

Shoshanna Solomon is The Times of Israel's Startups and Business reporter

An illustration of the ‘Digital Violence: How the NSO Group Enables State Terror’ website set up by Forensic Architecture with Amnesty International and Citizen Lab (Courtesy)
An illustration of the ‘Digital Violence: How the NSO Group Enables State Terror’ website set up by Forensic Architecture with Amnesty International and Citizen Lab (Courtesy)

The technology developed by spyware firm NSO should be more strictly regulated but not discarded altogether, Israel’s cybersecurity guru said — though he acknowledged that the scandal surrounding the Herzliya-based firm was blackening Israel’s reputation.

The NSO scandal “is spoiling our name,” Prof. Isaac Ben-Israel, who led the task force that set out Israel’s national cybersecurity policy, said in a recent interview with The Times of Israel from his office at Tel Aviv University.

Ben-Israel was head of military research and development in the Israeli army and at the Defense Ministry from 1991 to 1997. In January 1998, he was promoted to major general and appointed director of the Defense R&D Directorate at the ministry. During his service, he twice received the Israeli Defense Award. Post-army, he was central to the establishment of Israel’s National Cyber Bureau and other authorities protecting national civilian and security infrastructure from cyberattacks.

Ben-Israel said that of all exports of Israeli cybersecurity products and services — which accounts for some 10% of global market sales — offensive products like those developed by NSO and Candiru, two companies recently blacklisted by the US Department of Commerce, are just a “small percentage” of the total.

Unfortunately, in the public eye this is irrelevant as people tend not to distinguish between defensive and offensive cybersecurity tools. As a result, the damage to Israel’s reputation is comprehensive, explained the 72-year-old Ben-Israel, who today heads the ICRC – Blavatnik Interdisciplinary Cyber Research Center at Tel Aviv University.

NSO’s flagship spyware, Pegasus, is considered one of the most powerful cyber-surveillance tools available on the market, and experts say there is no defense against it. The software gives operators the ability to effectively take full control of a target’s phone, download all data from the device, or activate its camera or microphone without the user knowing. The company has made global headlines as revelations about the reach of its technology, and the consequences, keep piling up.

Prof. Isaac Ben-Israel at his office at Tel Aviv University, December 28, 2021. (Shoshanna Solomon)

This summer, Citizen Lab and Amnesty International unveiled an in-depth probe that found that the firm’s software had been used by many countries with poor human rights records to hack the phones of thousands of human rights activists, journalists, and politicians from Saudi Arabia to Mexico.

As a consequence, NSO has been facing a torrent of international criticism over the allegations, with mounting diplomatic fallout as Israeli allies, such as France, demanded answers amid reports that Pegasus was being used within their borders.

The Washington Post reported last month that NSO’s Pegasus spyware had been placed on the cellphone of the wife of journalist Jamal Khashoggi months before he was murdered in the Saudi consulate in Istanbul in 2018. Other reports claimed the spyware had targeted Polish opposition politicians and an Indian activist.

The US blacklisting of the two Israeli firms has pushed Israel to dramatically scale back the number of countries to which local companies can sell cyber technologies and impose new restrictions on the export of cyber warfare tools. The Israeli Defense Ministry must authorize the sale of spyware firms’ products abroad.

NSO for its part has said that its products are meant only to assist countries in fighting serious crime and terrorism.

A logo adorns a wall on a branch of the Israeli NSO Group company, near the southern Israeli town of Sapir, on August 24, 2021. (AP Photo/Sebastian Scheiner, File)

The ensuing fallout has greatly affected the company, which became at risk of defaulting on about $500 million of debt and saw its credit rating take a dramatic hit, leading to issues of solvency.

NSO is said to be considering shutting down its Pegasus operation and selling the entire company to an American investment fund, Bloomberg reported in December, citing officials involved in the talks.

The Israeli government’s role

Private companies can freely export defensive technologies. But for offensive or even potentially offensive weapons, including offensive cyber technologies, private companies need to get a special export license from the government, said Ben-Israel.

“As far as I know — I am not part of NSO — in all the cases they got an export license,” said Ben-Israel. “So, if there is some problem, perhaps the government was too easy with giving them the license. The problem is not with NSO but the government.”

Defense Minister Benny Gantz (L) and Prime Minister Naftali Bennett speak during the swearing-in ceremony for President Isaac Herzog, on July 7, 2021. (Yonatan Sindel/Flash90)

Technologies like those developed by NSO are used by governments to track criminal groups as well as terrorist groups, said Ben-Israel, arguing that these kinds of offensive tools are “essential” for democracies. “You don’t want to live in a country [that] doesn’t have a way to track terrorists or criminals.”

But some governments have obviously misused such technologies to wield them against dissidents, he said, and that is the problem.

“NSO is not a service company” and does not itself perform tracking, said Ben-Israel. NSO sells the technology, whereupon the governments that buy it use it or misuse it, said Ben-Israel.

When a terrorist stabs someone or rams a car into people, he mused, the blame is laid on the wielder of the weapon or the driver, rather than the knife or car manufacturer. “The same is with NSO,” he said. “The Israeli government gave them a license to sell to certain countries like Mexico and others, [to be used] for a good reason.” If these countries used it for a different purpose, he asked rhetorically, is NSO to blame?

Sometimes, Ben-Israel mused, you build something with good intentions, “and somehow you lose control of it. What can be done? I don’t know… What can you do, not develop those types of technologies anymore?

“We need them. The free world needs them,” he posited.

Cars are one of the main causes of death today because of traffic accidents. But no one would argue “we should go back to horses and donkeys,” Ben-Israel said. Instead, legislation and new safety features have made cars less lethal than they used to be.

“Everything you introduce costs you sometimes.”

NSO CEO Shalev Hulio seen at an OTD New Year’s gathering in Tel Aviv. (OTD screenshot)

In the long term, he forecast, Israel’s cybersecurity industry as a whole will not be affected significantly by the spyware scandal. “But if you look at NSO or Candiru, or these types of companies, it will affect them significantly. It may even destroy the companies,” he said.

Beyond cybersecurity

Ben-Israel in 2011 was appointed by then-prime minister Benjamin Netanyahu to lead a task force to formulate a national cyber policy. This resulted in government resolutions aimed at making Israel a global cybersecurity powerhouse both for defense and the economy.

“The goal was to position Israel among the five leading countries in cyber space capabilities by 2015,” he said.

The hope was that Israel would account for 3% or, optimistically, 5% of the global cyber market share. “But we are much more today. The economic numbers are overwhelming.”

Israeli exports of cybersecurity products total some $10 billion, of which some 10%, or $1 billion, is believed to be exports of offensive software, according to Calcalist.

In the first half of the year, Israeli cybersecurity companies raised $3.4 billion in 50 deals and seven of them became unicorns — private companies valued at over $1 billion — the Israel National Cyber Directorate said. The half-year figure accounts for 41% of the total funds raised by cybersecurity firms worldwide, and is three times the amount raised in the same period a year earlier, the data shows.

Israel’s next challenge, Ben-Israel said, will be artificial intelligence, a field. like cybersecurity, in which Israel can have a strategic global advantage.

He submitted a five-year plan in 2019 to make Israel among the top five nations globally in artificial intelligence, a year after he was tasked with doing so by Netanyahu.

But due to the political turmoil including four elections in two years and a lack of a national budget, “The National Initiative for Secured Intelligence Systems” is still on Ben-Israel’s desk, waiting for the new government to discuss and approve the plan.

“We already lost three years because of politics and elections,” he said. “I hope we will not lose another three years with the new government.”

Ricky Ben-David contributed to this report.

read more:
Never miss breaking news on Israel
Get notifications to stay updated
You're subscribed