All the bad guys loved an Uzi. Now Israeli cyberspies are the autocrat’s weapon of choice

Louise Callaghan, The Times

July 25, 2021

From a conference stage at Tel Aviv University, Israel’s new prime minister called on all “good nations” to join forces against the growing scourge of cybersecurity threats.

Yet Naftali Bennett, a millionaire tech boss turned politician, made no mention of one of the most devastating global hacking scandals yet recorded, which came to light only a few days earlier.

According to widespread reports last week, spyware sold by NSO Group, an Israeli technology company, had been used by their clients, including the Saudi Arabian and Emirati governments, to target the private data of journalists, activists, senior politicians and military chiefs in 34 countries.

The French president Emmanuel Macron, Indian student leaders and a member of the House of Lords were among thousands of alleged victims of the software, known as Pegasus, which is used to hack into phones: breaking open encrypted information and turning them into listening devices.

The affair has created a monumental headache for Bennett’s administration, which is trying to rebrand the country’s international image after former prime minister Benjamin Netanyahu’s years of divisive leadership.

At the same time it has highlighted Israel’s extraordinary success in turning itself into a world leader in cybersecurity — and exposed how the development of products such as Pegasus has updated the Israeli strategy of “Uzi diplomacy”: international weapons sales that bought the country cash and allies as it fought to survive in a region hostile to its very existence.

“Innovation is something you can’t command, force or direct,” said Bennett in his speech. But that is exactly what Israel has done.

Since it was founded in 1948, the country has poured incredible amounts of money and human resources into creating one of the most technologically advanced armed forces on the earth.

Conscription into the Israel Defence Force (IDF), officials say, detects talent early on in Israeli teenagers and provides them with highly sought-after skills and discipline before ejecting them into the private sector. Niv Carmi, Shalev Hulio and Omri Lavie, the men who founded NSO — and whose first initials make up the company name — are all former members of Unit 8200, the elite Israeli cyber spy agency.

“The IDF has a lot of technological units, they train soldiers and those they train are later on funnelled to the market and become entrepreneurs and start-up owners,” said Professor Gabi Siboni, a colonel in the IDF reserve forces and a senior fellow at the Jerusalem Institute for Strategy and Security. “There’s a lot of energy. The IDF is practically like a hothouse for technological development.”

The motivation, said Siboni, was existential. “Israel is surrounded by our enemies and we must invest in our security otherwise we die, simple as that,” he said.

Yet for successive Israeli leaders, the truth has been a little more complicated. During his 15-year rule, Netanyahu, who was ousted this summer, sold Israel as a world power in cyber-weapons and technology as he courted potential new allies. Some of those, including Saudi Arabia, had once been among Israel’s fiercest enemies; now, however, they were eager to buy what Israel was selling.

In previous decades other nations had flocked to buy the Uzi sub-machinegun, developed by an Israeli army officer after the Arab-Israeli war of 1948. Now the product was less tangible — though no less dangerous in the wrong hands.

“The NSO system, the Pegasus, just replaced the Uzi diplomacy. It’s the same policy,” said Eitay Mack, a human rights lawyer who has filed two petitions to cancel NSO’s export licences.

He added: “[But] because Pegasus is not something physical, it’s easy to deny and there’s no accountability.

“There was a shared interest between NSO and the government to work in these places. Of course NSO wanted to enlarge its profits, and the Israeli government wanted to advance its interests.”

Today, he claimed, there was “zero transparency” from the Defence Ministry about their deep relationships with private companies such as NSO.

Benny Gantz, the Israeli defence minister, last week said that Israel was “studying” the information published about Pegasus.

In a statement the Defence Ministry said it would take “appropriate action” if NSO has violated its export licences.

NSO’s defenders say that Israel’s export laws go to extraordinary lengths to stop their products from being abused. The software requires an export licence as it is considered a weapon.

The company has denied the allegations. In a post on its website last week entitled “enough is enough!”, it thundered against what it called a “vicious and slanderous campaign”.

“Any claim that a name in the list is necessarily related to a Pegasus target or a Pegasus potential target is erroneous and false,” the statement read.

Their spyware, NSO has claimed, is used only to investigate terrorism and crime. But terrorism can be a very flexible term. When used by dictators or autocratic regimes, it can be applied to just about anyone who disagrees with their ideas.

As well as world leaders and activists, the list of more than 50,000 phone numbers allegedly used for targeting by Pegasus included an Indian woman who had reported a former chief justice for sexual harassment.

Last week the Israeli government formed a damage control team to limit the fallout from the revelations. Yet a source close to the Israeli defence ministry said that they did not believe NSO’s export licences would be cancelled. Rather, they half-joked, the publicity could lead to a boom in sales as autocrats saw the enormous capabilities of Israeli spy technology advertised across the world.

This is not the first time that NSO has been at the centre of a major scandal of international intrigue. Over the years, its name has cropped up from Mexico to the Gulf in connection with allegations of targeting civil society figures through spyware. In 2019 the company halted its deals with Saudi Arabia over allegations that NSO software played a part in tracking the journalist Jamal Khashoggi before his assassination in 2018.

Last week it emerged that phone numbers belonging to Sheikha Latifa bint Mohammed al-Maktoum, the kidnapped daughter of the leader of Dubai, and her associates had been on the list allegedly used for targeting by Pegasus.

“Like anything else in cybersecurity it’s an ongoing battle,” said May Brooks-Kempler, CEO of Helena-Sec, an Israeli cybersecurity company. “One side provides defensive mechanisms and finds vulnerabilities and fixes them, and the other side tries to find vulnerabilities that nobody knows about, and utilises and exploits them.”