Skip to main content

Pegasus: Spyware scandal lays bare cracks in Israel's cyber security 'success' story

Privatisation of country's highly regarded intelligence sector leaves offensive cyber technology open to a market of potential abusers
Israeli Prime Minister Naftali Bennett speaks during a Cyber Week event at Tel Aviv University on 21 July 2021 (AFP)

Revelations about the extent of the penetration of the NSO Group's Pegasus spyware software have sparked off a fierce debate in Israel and abroad about the workings of the country's much-vaunted cyber security sector.

Israeli cyber companies have long been able to maintain a strong brand because of the notoriety of the Israeli intelligence services, especially Mossad and the military SIGINT unit 8200, and the perceived ability of such companies to recruit graduates of these services to their ranks.

A less discussed aspect of this sector is whether it is financially successful. Former Israeli prime minister Benjamin Netanyahu spoke frequently about cyber as a cornerstone of the Israeli high-tech sector and the economy in general, but the Haaretz newspaper found extensive evidence that Israeli offensive cyber technology, and specifically NSO, played a major role in Netanyahu's foreign policy.

States that Netanyahu visited, including Hungary, India, Rwanda, the United Arab Emirates and more, signed deals with NSO shortly after being visited by the recently ousted leader.

When it comes to the profits generated by cyber companies, the picture is far from clear. As private companies that are not traded openly in stock exchanges, these companies keep their list of customers, the size of their contracts and the cost in time and materials for each project secret, and even their financial reports - total revenue, operating costs and profits - are not easy to come by.

The organisation Who Profits, a project of the Israeli Coalition of Women for Peace, in June published a report on the Israeli cyber sector, and, based on reports in the Israeli media, estimated that total cyber exports from Israel amounted to $6.85bn in 2020, an amount that almost reaches the total arms exports from Israel that year.

In contrast, the investigative journalism organisation Hashomrim reported, based on interviews with government officials, that Israeli cyber exports amounted to only $5m in 2019, merely 7 percent of the total arms exports in that year.

Have cyber exports increased almost fourteenfold in one year? More likely is that the true numbers are a closely kept secret and that neither report is accurate.

Privatised security

The secrecy of Israeli cyber security companies is becoming more difficult to maintain in a world in which security is increasingly privatised.

Private security companies depend on private investments and private customers, and therefore must reach out to the public and advertise themselves. The Israeli government used to keep a tight control over the arms industry and the intelligence organisations operating in and out of Israel, but privatisation crept in, and now the largest Israeli arms company, Elbit Systems, is privately owned.

Pegasus: How it hacks phones and spies for NSO clients

+ Show - Hide
graphic

NSO is not only privately owned, but the majority of the company's shares were bought by the Europe-based Novalpina fund in 2019, which means that the company may be Israeli but is owned by foreign investors.

Black Cube, as another example, is an Israeli espionage company that prides itself on being founded by former Mossad agents. An hour-long documentary in Israel exposed a long list of failures of Black Cube, as many of its targets realised that they were being spied upon and exposed the company in the media. Black Cube sued the documentary makers but had to withdraw the lawsuit and pay compensations.

Another Israeli cyber intelligence company, Cellebrite, has been exposed for providing surveillance equipment to Belarus, the Chinese authorities in Hong Kong and to Russia. It announced that it would end its operations in these countries, but when human rights activists appealed to the Israeli court to find out whether Cellebrite's technology remained in the hands of these governments even after the company left, the Israeli court refused to discuss the case.

Thanks to the investigations of Forbidden Stories, Amnesty International and Citizen Lab, as well as the work of Forensic Architecture, NSO has become arguably the most famous (or infamous) Israeli offensive cyber company.

However, fame does not necessarily mean success.

Hagar Shezaf from Haaretz interviewed company workers and found that what made NSO stand out from companies in other countries is its willingness to take on larger risks, such as working with some of the most authoritarian and human rights abusing governments.

Shezaf questioned whether the risks showed confidence - or desperation. Already in 2017, the US-based investment management company Blackstone decided not to invest in NSO because it considered it too risky an investment.

When Facebook filed a lawsuit against NSO over the alleged hacking of more than 1,400 WhatsApp accounts, a lawsuit that was joined by Microsoft and Google, NSO found itself under increased pressure.

Now the company reports that it has devised its own ethics code to select its customers more carefully. This year it also published a transparency report, which was slammed by Amnesty International as a "missed opportunity" for not being transparent enough.

Anyone could be targeted

According to Amitai Ziv of TheMarker Magazine, NSO's finances were faltering even before its operations were exposed. The company has taken on more and more workers and increased its workforce from 600 to 750, presumably to deal with the Facebook lawsuit and the bad press it has received.

In 2020, NSO had revenues of $243m compared with $251m in 2018. Ziv noted that NSO switched CEOs three times in 11 years. Ziv could not access the company's financial reports directly, but cited a report by Moody's credit rating agency on NSO, which warned in May that the company's cash flow had turned negative and responded by downgrading NSO's credit rating to B3.

Pegasus: President Macron changes phone amid concerns over Moroccan surveillance
Read More »

On 27 July it was reported that Novalpina Capital, the fund that owns most of NSO's shares, is facing liquidation over disagreements among the management. If the fund ends up selling its assets on the open market, no law exists that can prevent Saudi Arabia, China or Iran from buying NSO shares and potentially achieving majority shareholder status. 

The risk is that that privatisation of security leads to loss of control by the state over the weapons and knowledge produced by and for its own military.

As long as the Israeli government used mass surveillance methods to keep the Palestinian population in a state of constant fear, international protest was minimal. Now, when anyone on the planet might have reason to fear surveillance, just because someone decided to hire NSO (or another company) to spy on them, the world is starting to be more concerned.

NSO declined to send a response to this story.