Israel-based NSO Group is only one in a growing group of companies that have put powerful spyware tools previously available only to a few governments out on the open market. Its Pegasus software, according to human rights groups and independent investigators, has been used in as many as 45 countries, often by authoritarian leaders to aid the persecution of dissidents, journalists and other innocent civilians.
What hasn’t been previously reported is that NSO is working with a group of Washington-based consultants and law firms to craft its export and ethics policies, including Beacon Global Strategies, a consulting firm run by former top U.S. intelligence and national security officials. But if recent reports of alleged continued abuse of the software are true, the system NSO and its consultants have devised for preventing abuse is clearly failing.
“Over two years, we’ve shown repeated cases of abuse of NSO Group spyware that have been covered widely in global media,” said Ronald Deibert, director of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy. “The idea that NSO Group has some kind of due diligence mechanism that corrects or prevents these types of abuses is really implausible.”
The Pegasus software compromises the cellphone of the target, allowing the government agency full access. It is ostensibly sold only for legitimate law enforcement purposes. But the Citizen Lab has been collecting evidence for more than two years about foreign governments who are reportedly NSO customers abusing the spyware to crack down on civil society, including in Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia and the United Arab Emirates.
The Citizen Lab has concluded with “high confidence” Saudi Arabia used Pegasus to hack the cellphone of Canadian-based Saudi activist Omar Abdulaziz and intercept messages between him and his friend Jamal Khashoggi, the Post contributing columnist who was murdered in the Saudi Consulate in Istanbul in October. Those accusations are contained in a lawsuit filed last week.
The lawsuit is part of growing public scrutiny of NSO and the other companies that are selling spyware and other surveillance tools that governments routinely abuse.
“This is not devoid from geopolitics. This is a symptom of a larger problem. It’s time to think about it in the way we think of arms control,” he said. “The idea that software can’t kill people, I think we need to revisit that.”
Beacon referred inquiries to NSO. Through a spokesperson, NSO disputed the findings of the Citizen Lab, saying there’s no public evidence that Pegasus was used to target Abdulaziz. More broadly, the company provided me information on their internal and external vetting process for customers, which includes a Business Ethics Committee made up of intelligence and national security experts who have the power to prevent any sale that doesn’t pass muster.
That committee’s ethics review comes only after the Israeli government has signed off on any export of the Pegasus software, the NSO spokesperson explained. The company’s operations are based in Israel, although technically NSO is a subsidiary of Luxembourg-based Q Cyber Technologies, of which American investment firm Francisco Partners is the majority stakeholder.
That’s where the American firms come in. Francisco hired a team of firms to advise them on export controls and ethics, including Beacon Global Strategies. Beacon is led by Jeremy Bash (former CIA and Pentagon chief of staff), Andrew Shapiro (former assistant secretary of state for political and military affairs) and Michael Allen (former majority staff director for the House Permanent Select Committee on Intelligence), and also employs former CIA director Leon Panetta as a senior counselor.
“[Beacon] has been among several outside advisors and law firms asked to provide advice and perspective on a Business Ethics framework for the sale of critical technology to law enforcement and national security agencies,” the NSO spokesperson said. “The Business Ethics framework is a rigorous internal compliance process designed to ensure that the end-user customers have valid law enforcement or investigative missions, uphold the rule of law, and agree to deploy the technology only for collecting digital evidence in a limited number of critical criminal or national security investigations.”
Beacon didn’t lobby for NSO; rather, it provided confidential advice designed to mirror what the U.S. government might determine in an application for an export license. The NSO spokesperson said the company’s internal processes have resulted in turning down more than $100 million of potential business, and cited a case in which the company shut down the software after a sale, due to a political change in an unnamed government.
The problem is that all of NSO and Beacon’s work is out of public view. NSO won’t say who sits on the Business Ethics Committee, won’t confirm who its customers are, won’t say what the criteria for refusal are, and won’t reveal the example of when the software was shut down. NSO and Beacon acknowledged their cooperation only after I contacted them. The only external check is by the Israeli government, which may have different ideas about the efficacy and ethics of selling spyware to dictators.
If that system persists, the threat is not just to foreigners. There’s nothing to stop these governments from using these tools to spy on Americans who oppose their practices — or even U.S. officials. We are barreling toward a Wild West of spyware and surveillance tools with no clear U.S. government role in mitigating the risks.
“Washington is only just beginning to wake up to the challenge posed — both to our interests and our values — by the commercialization and proliferation of sophisticated cyber weapons and spyware tools,” said Vance Serchuk, adjunct senior fellow at the Center for a New American Security. “Whether the initiative comes from Congress or the administration, we should expect to see much greater scrutiny by policy makers around companies in this space.”
Beacon and the other firms working for NSO must take a hard look at whether they are actually helping the company to implement good ethics practices or enabling them to put forth a veneer of responsibility while profiting off of human rights abuses. Then Congress and the administration must step in and protect Americans from software that kills.