Analysis

Is Anyone Guarding the Cyber-guardians?

The NSO case shows how even the most paranoid organizations struggle with insider threats to their networks

“Quis custodiet ipsos custodes?” (“Who will guard the guards themselves?”) the Roman poet Juvenal asked long before the advent of the computer network.

Even in a country like Israel, where cybersecurity is a leading industry, one threat that remains elusive is the “insider threat” from people within the organization, such as its employees, former employees, contractors or business associates. Even the most paranoid organization, with its firewalls and other defensive measures to bar outsiders, can easily fall victim to someone within.

The NSO story, in which a disgruntled junior employee identified as AA used his last days on the job to download sensitive code, is only the latest such instance.

Not long before, a senior official in Israel’s Agriculture Ministry, Yiftah Hirsch, a coordinator at the Central Investigation and Enforcement Unit, was found guilty of unauthorized access and abuse of access to an assortment of government databases. He looked for information on subordinates and their families and information on his own relatives. Two other ministry employees are facing similar charges.

Police officers reportedly also make use of databases for personal reasons. As one policewoman told the news site Mako: “I don’t know of a single unmarried policewoman who hasn’t done something like that. All of us, when we start dating someone, check. We also check for our friends. My girlfriends going out with someone know they can come to me to see whether the guy is okay.”

There are products that aim to deal with the problem of data leakage prevention and others designed to cope with internal attackers, for instance the virtual vaults of the Israeli company CyberArk, the world leader in the field. But experience has proven over and over again that it’s just not enough.

Indeed, this is precisely the message of those who unsuccessfully opposed the government’s biometric database: If there is a database, there will be those who will try to use it illicitly. With the personal information, fingerprints, photo and facial profile of every Israeli, it will be a tempting target.

In the case of the NSO employee, whose indictment was revealed on Thursday, he didn’t just steal sensitive business information and commercial secrets. He got his hands on weapons. Because NSO develops super-sophisticated tools used by the government, what he did was tantamount to stealing a weapon.

Israel regulates cyberattack weapons like all other weapons. Cybersecurity companies are subject to strict regulation, and exports of cyber-offensive (as opposed to cyber-defense) products must be cleared with the Defense Ministry.

The problem is that, unlike conventional weapons, cyber weapons are easy to replicate and distribute. Even if AA did not succeed in his plot, who can be sure that no technology has been leaked in the past? AA had the material he downloaded at home on a disc for three weeks before he was arrested.

AA tried to sell his purloined software – NSO’s flagship Pegasus product for tapping smartphones – on the dark web, a popular place to sell all kinds of contraband, including drugs, weapons and even people. He was asking $50 million for it, a price equal to that of 10 Merkava IV tanks or an F-16.

Perhaps that was only a fantasy price, but as the world grows more interconnected and cyberwarfare comes to the fore, the day may come when $50 million doesn’t sound unreasonable.