Could one of the world’s most pernicious spyware vendors soon be operating under the auspices of the American flag?
That’s the question some are asking following reports that US aerospace and defense contractor L3Harris is in talks to buy NSO Group, the Israel-based seller of spyware tools. phones like Pegasus that have been used by authoritarian governments around the world to monitor dissidents. , human rights activists, journalists and politicians.
According to Intelligence Online, a Europe-based digital news site focused on intelligence and craftsmanship, the harsh economic sanctions directed by the US Treasury Department left the NSO Group business messy. Such a deal would include L3 taking on $250 million of debt from NSO Group and the company plans to announce “the abandonment of certain activities” which would allow the new American entity to push for the lifting of global sanctions, while putting set up a branch in Tel Aviv to maintain the intellectual property of the ONS.
Citing unnamed sources, the outlet claimed that a dwindling client list, a growing debt pile and a market brand inextricably linked to a series of scandals and human rights abuses, executives of the NSO group are looking for an exit.
There are other signs that those running the company are tired of being an international pariah. Frames says POLITICO in May of this year that they would welcome additional regulations that spell out more clearly which countries and organizations can – and cannot – purchase their hacking tools.
Although SC Media was unable to independently confirm the negotiations (neither L3Harris nor NSO Group responded to a request for comment), the report alarmed a number of US and Western cybersecurity experts. who have spent years forensically mapping the damage done around the world. by Pegasus and other spyware created by the company.
The American Civil Liberties Union said a potential sale to an American company would be troubling for many reasons, including the possibility of Pegasus and other spyware spreading to state and local governments and law enforcement agencies. order. They also noted that L3Harris has his own context of dubious surveillance practices around their “StingRay” ISMI-catcher devices, which can be placed near cell towers to intercept and capture incoming mobile traffic.
“NSO has previously tried to sell its dangerous spyware directly to the US government, to no avail. This deal could allow our government to infiltrate NSO spyware through the backdoor by buying from a spy company that already sells to US law enforcement,” the nonprofit organization said. digital rights. wrote on Twitter in reaction to the reports.
However, a sale is far from guaranteed, as US regulators and enforcers will likely take a keen interest in any deal and its impact on both national security and the availability of heavily regulated spyware tools like Pegasus.
Use of NSO spyware for human rights abuses invites scrutiny
Looking at NSO Group’s history of facilitating human rights abuses overseas, the company’s legal and regulatory background, Treasury blacklisting and other factors, “when you put All of this together I think is a recipe for scrutiny, especially from the government side.” Chris Cummiskey, a former DHS official and US contracts expert, told SC Media.
NSO Group and Israeli government officials have consistently asserted that these hacking tools are tightly regulated, not sold commercially, and are restricted to countries that exceed basic international legal and human rights thresholds. The numerous incidents where their spyware has appeared on the phones of dissidents or activists known to be targeted by authoritarian governments is one of the reasons the company’s reputation is in tatters and is now subject to a level economic sanctions which have been described as the economic equivalent of the death penalty.
However, Cummiskey said the prospect of NSO Group being sold to a US entity is “a slightly different scenario than I think most would have envisioned” and raises questions about the appropriate role of government in that scenario. While selling to a U.S. contractor may give the federal government more direct control over how these technologies are used in federal contracts, it might not have as much flexibility to prevent the company from doing business with state and local governments or police departments.
“It’s always easier when it’s the Chinese government and Huawei and 5g…the lines are pretty clear as to where the government stands, it’s easier to get everyone to understand that it’s politics,” Cummiskey said. “When a company is purchased by a US entity and does business with the US government, there are certain limits…but not as extensive as one might think. In dealings with the federal government, we will impose on you these limits, but in dealings with other state and local governments or police departments, it would likely require an act of Congress to put in place rules of the road standards.”
It is unclear how selling to a US company or contractor would significantly reduce international and legal pressure around NSO Group and its practices. Two lawyers SC Media spoke to asked how active pursuits against NSO Group would be resolved if a purchase was made that would ultimately retain liability as well as the underlying technology at the heart of these lawsuits.
Aaron Cockerill, chief strategy officer at Lookout, a cybersecurity firm that helped analyze one of Pegasus’ early iOS samples in 2016, told SC Media that on the face of it, the news “seems like a bad thing. “because of the potential for expansion of the presence. NSO spyware in the United States, but this is not a foregone conclusion and largely depends on the buyer’s ultimate intentions.
“For example, if a cybersecurity company is considering buying Pegasus to better protect against similar threats in the future, that may be a good thing,” Cockerill said.
He also noted that a purchase of NSO Group would not automatically mean that Pegasus and other tools would come with it, or remain as effective as they were under its former owners who pledged to create a parallel pipeline of mobile vulnerabilities to feed it.
“Buying Pegasus software is very different from buying NSO. The stealth deployment and continued use of Pegasus is highly dependent on the sophisticated use of numerous zero-day vulnerabilities. Thus, much of the organization NSO has been focused on finding these vulnerabilities,” Cockerill noted. “Without a continued source of these vulnerabilities, the Pegasus software would, over time, simply cease to function as these vulnerabilities were found and fixed.”
