Lessons for policymakers from the NSO Group saga

The logo of Israeli cyber firm NSO Group is seen at one of its branches in the Arava Desert, southern Israel July 22, 2021. REUTERS/Amir Cohen

Just as the surveillance tool Pegasus powered the Israeli hacking company NSO Group to dizzying commercial success, so too would it ultimately cause the company's downfall. For years, NSO claimed Pegasus was provided only to “authorized governments” in the fight against “terror and crime.” Unrivaled in its ability to break into and surveil Android and iPhone devices, Pegasus gave NSO’s clients the ability to spy on the smartphones of targets, providing a periscope with which to view the most intimate details of their lives. But thanks to years of reporting and research by Amnesty International, Citizen Lab, and a global consortium known as the Pegasus Project, we know that this spyware was also used to break into the phones of politicians, journalists, and civil rights activists around the world. In the aftermath of the Pegasus Project revelations last summer, NSO appears to be on the verge of collapse. Thanks to U.S. trade restrictions, NSO’s ability to operate has been severely curtailed, and the company that once pioneered the commercial sale of hacking tools has become a byword for unbridled espionage.

The fallout from the NSO saga offers important lessons for policymakers, researchers, and activists aiming to secure human rights online. First, amid a debate over how to establish deterrence in cyberspace, the implosion of NSO shows how actions in a non-cyber domain can have an effect in cyberspace. Second, the role of researchers in identifying NSO’s tools and targets illustrates the value of publicly attributing cyberattacks. Lastly, the effort to restrict the availability of NSO’s hacking tools demonstrates the need to understand the scope and nature of a cybersecurity problem if concerted political action is ever to be brought against it.

Over the course of the past half decade, NSO has grown into one of the hacking industry’s most successful firms, despite clear evidence that the company has failed to live up to its promises that its tools would be used only in limited ways. Since at least 2016, NSO’s spyware has been found targeting civil-society activists, and later reporting has shown this was not a one-off aberration. Despite public outcry, as recently as a year ago NSO was mulling a $2 billion public offering.

Many companies in the cybersecurity space have tools that can be repurposed for surveillance and unauthorized access to devices, and NSO Group could theoretically have shrugged off the unflattering coverage as so many other companies have before. But recent reporting has made that impossible. The Pegasus Project and a Reuters report that U.S. State Department officials were targeted with NSO tools made clear the scale and indefensibility of NSO’s targeting. While many cybersecurity firms have seen their tools used for nefarious purposes, the long list of journalists, civil servants, activists, and politicians targeted by NSO’s clients made the company qualitatively and quantitatively different from other firms.

NSO attempted to head off a response from the U.S. government by preventing its spyware from being deployed against U.S.-based phones, but it was too little, too late. On Nov. 3, the U.S. Department of Commerce added NSO to its Entity List, a trade restriction that bars U.S. companies from exporting goods and technology to the company without a license. The listing prompted NSO’s recently appointed CEO to resign and sent NSO’s debt trading at a fraction of its face value, all signs of a company in free-fall.

The first lesson from this debacle is a reminder to those working in national governments: Often the most effective response to unwanted cyber activity is a response in a non-cyber domain. The pain NSO is now facing is not, or at least not primarily, thanks to the National Security Agency or U.S. Cyber Command. It is thanks to the Commerce Department and the array of real-world consequences that come with appearing on the Entity List. In practice, these consequences make it hard for NSO to buy U.S. technology, access the U.S. financial system, attract investors, and sell to clients in the United States or allied countries, and they add substantial legal and reputational risk for staff and executives at NSO who choose to continue working there.

These costs are not only far more substantial and lasting than any attempt to digitally counter NSO malware deployed against U.S. interests, but are also far more visible to other actors in adjacent and related fields. For all the talk of “cyber deterrence” in policy circles, and the debates over whether the superior online capabilities of NSA and Cyber Command could be used to “deter” foreign actors, it is easy to miss that ordinary pen-and-paper statecraft can counter and deter online threat actors far more effectively than trying to counter cyber-threats exclusively within the cyber domain.

The second lesson is that public attribution matters. NSO’s current woes are a consequence of the collective reporting by civil society groups and journalists exposing the company’s work, but such reporting is never guaranteed. Three components of this reporting were each necessary for this outcome: that NSO’s malware was caught; that the malware could be attributed to NSO; and that this attribution was made public.

Historically, all three of these properties were hard to come by. Surveillance software is, by its nature, designed not to tip off the target of its surveillance. Even if it is detected, determining the operator or author of the software can be a challenging and inconclusive process. And historically, even when those two obstacles were overcome to yield a concrete attribution, the analysts doing this work were likely operating in classified environments, and their analysis was used for counter-surveillance of the malware operators rather than announced publicly.

In recent years, the ability to attribute attacks has drastically improved, and analysts are increasingly willing to make their findings public. The defensive cybersecurity industry now has tools for understanding and correlating malware that are vastly more powerful than those available even a decade ago, leading to dramatic improvements in attribution capabilities. Additionally, a huge malware-analysis industry has grown up in the private sector, where public attribution often happens de facto, since remediation for nation-state-level attacks cannot wait for months while a congressional report is mulled over in committee. Anecdotally, for those of us who have done incident response, attribution happens relatively quickly, and whether or not that attribution is politically convenient is irrelevant to the people doing the technical analysis and trying to get systems back online.

The final lesson is that coordinated action across domains is impossible without the ability and the political will to see the problem clearly and mandate action. Unfortunately, the recent National Defense Authorization Act passed by Congress declined to mandate that companies report cyberattacks. Without a mandate to report attacks, businesses are likely to continue to rely on the advice of counsel and remain silent about intrusions, fearful of increasing their liability or creating a perception that they were unable to secure the company. Unless U.S. regulators can mandate the reporting of cybersecurity incidents, U.S. policymakers have no way to tell how widespread a given attack actually is. As a result, the United States is undermining its ability to defend itself.

Ultimately, the rare insight into NSO Group’s global hacking campaign came to light thanks to the combined work of journalists and the dedicated professionals who uncovered the massive abuse of NSO’s tools across many countries. Everything we have learned points to the need for systemic action across domains: rigorously and regularly reporting intrusions, carefully attributing them, and pairing that attribution with action that penalizes malefactors and imposes real costs on the companies behind these large-scale cyber intrusions.

Matt Tait is a cybersecurity expert. He is the former Chief Operating Officer of Corellium, a former security engineer in Google’s Project Zero team, and a former cybersecurity analyst at GCHQ.
Runa Sandvik works on digital security for journalists and other high-risk people. Her work builds upon experience at The New York Times, Freedom of the Press Foundation, and The Tor Project. She is a board member of the Norwegian Online News Association, a certified sake sommelier, and tweets as @runasand.

Tarah Wheeler is a contributing editor to TechStream, a Cyber Project Fellow at the Belfer Center for Science and International Affairs at Harvard University’s Kennedy School of Government, an International Security Fellow at New America leading a new international cybersecurity capacity building project with the Hewlett Foundation’s Cyber Initiative, and a US/UK Fulbright Scholar in Cyber Security for the 2020/2021 year.