The Washington PostDemocracy Dies in Darkness

White House has security concerns about any deal for NSO hacking tools

The Israeli NSO Group company, near the southern town of Sapir, on Aug. 24, 2021. (Sebastian Scheiner/AP)
5 min

The Biden administration is warning that a potential deal between a major American defense firm and NSO Group, a blacklisted Israeli spyware company, to buy the Israeli firm’s hacking tools would raise “serious” counterintelligence and security concerns for the U.S. government.

“We are deeply concerned,” said a senior White House official, speaking on the condition of anonymity because of the matter’s sensitivity.

The defense contractor, L3Harris, is in talks with NSO Group to buy phone-hacking spyware in a deal that would give the U.S. company control of one of the world’s most sophisticated and controversial hacking tools, according to people familiar with the talks. This story was jointly reported by The Washington Post, the Guardian and Haaretz.

The unusual transaction appears to be an attempt to salvage some utility from a firm facing serious financial straits, by selling its most valuable product — its hacking code and access to the software’s developers — to a company that would restrict its use to the United States and trusted Western allies.

But the talks, first reported by the digital publication Intelligence Online, face significant hurdles — including the Biden administration’s concerns. “The U.S. Government opposes efforts by foreign companies to circumvent U.S. export control measures or sanctions,” the White House official said in a statement.

In November, the Commerce Department placed NSO Group on its export blacklist — known as the Entity List — after determining that its spyware had been used by foreign governments to “maliciously target” government officials, activists, journalists, academics and embassy workers around the world. Placing the firm on the Entity List limited its ability to use American technology and damaged its business. Its executives have lobbied U.S. officials to have the company removed from the blacklist.

“Any U.S. company, particularly a cleared U.S. defense contractor, should be aware that a transaction with a foreign entity on the Entity List will not automatically remove a designated entity from the Entity List,” the White House official said.

Such a deal also would “spur intensive review to examine whether the transaction poses a counterintelligence threat to the U.S. government and its systems and information, whether other U.S. equities with the defense contractor may be at risk, to what extent a foreign entity or government retains a degree of access or control, and the broader human rights implications,” the official said.

The counterintelligence concerns arise from what U.S. officials say is NSO Group’s close relationship with the Israeli government. Israel’s Defense Ministry must sign off on all the firm’s contracts. Israel, while a close partner of the United States, is not among the trusted circle of Western intelligence allies, which include Britain, Australia, Canada and New Zealand. One of the deal’s unresolved questions is whether the Israeli government would be able to use NSO’s surveillance technology.

A host of other questions also remain open, such as sale price, deal structure and where the technology will be housed, said people familiar with the ongoing talks.

L3Harris declined to comment on the existence of any talks with NSO Group.

“We are aware of the capability and we are constantly evaluating our customers’ national security needs,” an L3Harris spokesperson said. “At this point, anything beyond that is speculation.”

The Israeli Defense Ministry did not respond to a request for comment. NSO Group declined to comment.

Some information security experts agreed that a sale to L3 would pose counterintelligence concerns.

Even with U.S. ownership, “it’s doubtful that the most elite intelligence services like the CIA, NSA and [Britain’s] GCHQ would trust this technology for their most sensitive operations,” said John Scott-Railton, a senior researcher at the Citizen Lab, an affiliate of the University of Toronto’s Munk School of Global Affairs and Public Policy, who has been critical of NSO’s deployment of Pegasus. “So where would the big market be? I fear the logical consumers are U.S. police departments. This would be an unprecedented threat to our civil liberties.”

NSO Group is among the world’s leading surveillance companies, known for its Pegasus spyware, which is able to crack into almost any mobile device, including the latest iPhones, and collect pictures, audio clips, location records, emails and chats on encrypted apps.

Takeaways from the Pegasus Project

NSO licenses Pegasus to government customers, including intelligence, law enforcement and military agencies, and the company says the spyware is intended only for the use against terrorists and other major criminals.

But the Pegasus Project, an investigative consortium involving The Washington Post and 16 other news organizations, detailed abuses in a series of stories last year, including the targeting of dissidents, politicians, journalists, human rights workers and business people. Official investigations in numerous countries found more abuses.

The Biden administration is seeking to counter the proliferation of hacking tools such as Pegasus. The National Security Council is developing a ban on U.S. government purchase or use of foreign commercial spyware that poses counterintelligence and security risks or has been improperly used abroad, the official said.

Last fall, Apple sued the company and notified users it believed may have been targeted by Pegasus. Meta, the parent company of WhatsApp, had previously sued NSO Group for using its systems to deliver Pegasus onto the devices of surveillance targets.

Stephanie Kirchgaessner of the Guardian and Gur Megiddo and Omer Benjakob of Haaretz contributed to this report.