"Outlaw offensive cyber software sales to dictatorships"

NSO
NSO

Cyber expert Daniel Cohen tells "Globes" that only global action can prevent abuse of software such as NSO's Pegasus.

"The export of Israeli offensive cyber technologies to dictatorships should be prohibited by law. That could be a good interim solution for companies like NSO, among the other existing possibilities: government or global cyber regulation, or a prohibition on indiscriminate use of such technologies, which isn't really effective," Daniel Cohen, a senior researcher at the Blavatnik Interdisciplinary Cyber Research Center (ICRC) at Tel Aviv University and head of the Abba Eban Institute for International Diplomacy at IDC Herzliya, told "Globes".

"Countries with which we have peace agreements should be exempt from the prohibition. That is to say, I wouldn't rule out the sale of cyber technologies to the UAE, since we are signatories to certain agreements with them," Cohen said. "There's a need to define 'red countries' - dictatorships with which we have no special agreements in places like Africa and Asia. For example, countries that commit genocide or apply violent sanctions to their populations. We should not trade in these kinds of systems with them, even if we have to pay an economic price."

Cohen's comments follow the investigation published by "The Guardian", Le Monde", and "The Washington Post" by the Forbidden Stories and Amnesty International organizations of Israeli company NSO. The investigation was based on 50,000 leaked telephone numbers from countries and agencies that are customers of NSO, that were apparently used by them to monitor journalists, politicians, government officials, businesspeople, and human rights activists, in places such as Saudi Arabia, Azerbaijan, Rwanda, Hungary, India, Bahrain, Kazakhstan, the UAE, and Mexico.

Monitoring location and content

NSO's offensive cyber software enables governments and national authorities to plant a software component on citizens' mobile telephones in order to monitor their location, telephone calls, and content on the telephones. Under the contract that purchasers sign with the Israeli company, the technology is for use for security purposes and to prevent terrorism, but states sometimes use it for surveillance of this or that individual.

Like another ten or so Israeli offensive cyber technology companies, NSO exports its technology under a license from the Ministry of Defense and the Ministry of Foreign Affairs, and it undertakes not to sell it to countries involved in terrorism or connected to Iran, such as Lebanon, Syria, and Venezuela.

According to the investigation, NSO's spyware, called Pegasus, was installed on the telephone of the fiancée of Saudi Arabian journalist Jamal Khashoggi four days after Khashoggi was murdered in the Saudi Arabian embassy in Istanbul. Pegasus was also implicated in the hacking of the telephone of Amazon founder Jeff Bezos.

Tough competition in cyber

"The prohibition should be worldwide, and should not just apply to NSO, in order not to give an advantage to its foreign competitors, and there are plenty of those around the world, such as Hacking Team, an Italian company with ties to Saudi Arabia, German-British company FinFisher, a unit of Britain's Gamma Group, and French company Amesys. Countries therefore need to join forces on this," Cohen said.

Cohen spoke to "Globes" during Cyber Week, an annual event held by the Blavatnik Interdisciplinary Cyber Research Center at Tel Aviv University, the National Cyber Directorate, the Ministry of Economy and industry, and the Ministry of Foreign Affairs, currently taking place at the university.

Should the regulator prohibit development of this kind of technology or its general sale?

"It is very important that this kind of technology should be developed in a regulated manner by private companies, and not by the black market, since offensive cyber software is the other side of protective cyber technology. They go together, and if you want to identify weaknesses in software, telephones and computers, you will be at a disadvantage.

"In the area of legislation, two attempts to regulate exports of offensive cyber software in Israel and the US failed, each one separately. The regulators in the US proposed several drafts, not before finding themselves facing a wall of opposition from the industry itself - companies like Microsoft, Symantec, and NSO of course - and several cyber experts. There are several reasons for this. First of all, who should be the one to decide to disqualify this or that technology or to impose stricter limitations on exporting it? That requires considerable expertise such as only intelligence agencies possess, and confirmation that there is no harm to the security of the country, and so in the US they realized that the only authority capable of doing this was the NSA, the National Security Agency, but they also realized that it would not be practical for the NSA to serve as a regulator as well.

"Secondly, what will the sanction be? Will you put people in jail? Give them fines? It's not realistic. Israel too found itself in a similar situation of not managing to pass such legislation.

"Thirdly, what's the alternative? The main fear is that if you start regulating the market, it will go underground, so that instead of proper companies like NSO operating openly, cyber criminals on the Darknet will flourish at their expense. They will sell the technology as they see fit to dangerous countries and dictatorships, and the market will be completely lawless. It's true that even now you see a leak of these technologies to the Darknet, but what exists there does not manage to be as sophisticated as the technology held by a company like NSO."

Has NSO gone too far in comparison with the other companies? We're taking about countries that use its technology for surveillance of journalists, senior politicians, and businesspeople, Jeff Bezos among them.

"When you take dual-use technology, that can both attack and defend, sell it in the security and government agency market, and ask that it should not be abused, you have to rely on your customer, since you can’t be an active partner in every intelligence investigation. So when NSO says that it turns off the tap for wayward agencies, I have no reason not believe it."

You mention other companies that sell similar solutions to those of NSO. Is the Israeli company being made a scapegoat, perhaps because it is Israeli?

"NSO is not alone in the offensive cyber market in Israel and globally. In Israel, there are twenty companies in this field, a fraction of a percentage point of the Israeli cyber industry as a whole, which numbers about 800 companies, although in terms of revenue and export volumes it's a highly prosperous industry. NSO is one of the companies in the field, but it has competitors in Israel and abroad.

"The reason that we hear about it more than about the others is that it found itself in a fight with Facebook and WhatsApp. Its technology was involved in the hacking of Bezos's telephone, and UN reports linked Pegasus to surveillance of journalists. The Citizen Lab of the University of Toronto also made NSO a focus of its research. I wouldn't call the Israeli company a scapegoat."

Did NSO go too far in developing an aggressive tool, or did they perhaps not supervise its use sufficiently?

"NSO sells in large volumes and is considered aggressive, but it has a supervisory mechanism defined by the Defense Export Control Law, such that everything they do is with approval. We see them working with governments and protecting citizens from terrorist attacks and criminals, and that too needs to be said. But there's a crime here that stems from the fact that the market is completely unfenced, there are no global standards or norms, and anyone can do almost anything, until things come out into the open. NSO disables the system operated by a security agency when it hears of something untoward that happens there, and I believe them on that. The problem is that these things are always discovered after the fact."

Does the State of Israel use NSO as a prize for countries that have agreements with it?

"There is undoubtedly a link between diplomacy and the advantages Israel has, but I can't point to countries being offered offensive cyber technology as a 'carrot'. I presume that it's more complicated than it looks."

NSO denies investigation claims

NSO Group has denied the claims arising from the Forbidden Stories/Amnesty investigation and describes it as "recycled material divorced from reality, based on fabrications and conspiracy theories." The company denies any connection between the list of 50,000 telephone numbers and NSO Group or the Pegasus system.

Published by Globes, Israel business news - en.globes.co.il - on July 20, 2021

© Copyright of Globes Publisher Itonut (1983) Ltd. 2021

Twitter Facebook Linkedin RSS Newsletters גלובס Israel Business Conference 2018