‘We Don’t Want These Kinds of People’: NSO Employees Pay the Price for Pegasus Spyware Scandal

Some cybersecurity execs refuse to hire ex-NSO workers, who they claim lack a moral backbone and could expose their clients to risks. Are they a minority?

Sagi Cohen
Sagi Cohen
Send in e-mailSend in e-mail
Send in e-mailSend in e-mail
Protestors hold placards and a banner during a protest attended by about a dozen people outside the offices of the Israeli cyber firm NSO Group in Herzliya near Tel Aviv, Israel July 25, 2021. REUTERS/Nir Elias
Protesters hold placards and a banner during a protest attended by about a dozen people outside the offices of the cyber firm NSO Group in Herzliya near Tel Aviv in July 2021Credit: NIR ELIAS/ REUTERS
Sagi Cohen
Sagi Cohen

When NSO Group’s co-founder and CEO Shalev Hulio gave an interview to Israeli television last Saturday, he seemed confident and calm about his company’s future: “We’re here to stay,” he said.

Behind the scenes, reality within NSO and the field is more complex. The Israeli offensive security firm is in the toughest time it has ever known, both in terms of image and its business. This is true mainly because of the decision by the United States’ Department of Commerce to blacklist NSO – which means that it has to obtain a license every time it wants to buy American goods or services or sell to American clients. Coupled with the string of damning reports and investigations, all these threaten NSO’s future and the cyber firm is now fighting for its lift - first and foremost by lobbying to be removed from the U.S. list.

Other details about NSO’s situation were also revealed last week, when the Tel Aviv District Court accepted the request of two units within the NSO Group to appoint them a temporary trustee amid massive liquidity issues. The group, it turns out, is in the midst of a power struggle between NSO shareholder, Berkeley Research Group, which owns 70 percent of NSO (through a fund called NOAL) – and the management group, which holds 30 percent of the company.

Read more >> NSO Spyware Targeted Yemen War Crimes Investigator, Report Says The Israeli cyber weapon used against 180 journalists Israeli NSO Spyware Found on Phones of U.S. State Department OfficialsApple Sues Israeli Spyware Firm NSO Over Surveillance of UsersHow Israeli Spy-tech Became Dictators' Weapon of ChoiceTwo UAE Princes Each Got Their Own Personal NSO SpywareGlobal Reckoning Begins for Spyware and Its Tools of Repression

NSO is now in talks with four American funds to sell them the BRG holdings. One of those interested is the American investment company Integrity Partners. Such a sale could lead to a drastic reduction of NSO’s clients and its income, because that would mean its infamous Pegasus offensive software would be sold to only a handful of Western democratic countries.

But the internal conflict between Hulio and BRG for control of the anti-drone platform called Convexum, which was purchased by NSO, might torpedo the entire move: NSO has made clear how complex the situation it is in when it said in response to the court’s request: “Enormous efforts are now being made to restore the group’s health…this is a critical point in time for the group and its hundreds of workers.”

NSO did state earnings of about $250 million in 2021, but according to a report by Bloomberg, it burned through most of the money in a bid to develop new products in the field of drones and analytics.

Black visa

All these will have clear repercussions on the 800 employees of NSO – whether the company makes it through the current crisis or not it will end up with a wave of resignations and firings. In private conversations and media interviews, NSO employees have said that they are absolutely certain about the legitmty of the company’s path and say it has remained committed to its goal of preventing terror and crime.

But cracks are beginning to form in this narrative, long held by workers in the firm and others like - its blacklisting and call by Democratic lawmakers on the Biden administration to impose sanctions on it have all undermined workers’ ability to perceive the company as a victim of bad press. Moreover, they also now pose an actual risk to workers: If sanctions are imposed on NSO, personal sanctions may be imposed on its directors – including blocking their bank accounts and preventing their entry into the United States.

A logo adorns a wall on a branch of the NSO Group, near the southern Israeli town of Sapir, in the summer of 2021.Credit: Sebastian Scheiner /AP

“Employees at NSO were aware of problems, but they say that the most important thing is to find criminals and pedophiles,” says a senior figure in cybersecurity. “But over the past year they started to fear for themselves and their futures. This isn’t something theoretical any more – the workers are afraid of a black stamp on the visa in their passport, so they won’t be able to fly to the U.S.”

<< The NSO file: A complete (updating) list of individuals targeted with Pegasus software >>

Figures in cybersecurity mention instances in which former NSO employees obscure or even hide the fact that they worked for NSO in their Linkedin profile or during interviews – for fear that it will harm their chances of continuing their career.

“Candidates who have in their CV ‘security position’ are trying to bluff, but the truth comes out very quickly,” says an executive in the field.

Ethics for cash

A number of hi-tech executives have begun to speak out publicly recently about the fact that they don’t hire NSO employees because of ethical concerns. For example, after the report on the use of Pegasus by the Israel Police, the CEO and co-founder of the payroll platform Papaya Global, Einat Guez, posted a tweet that sparked a storm:

“A few years ago I interviewed a woman who worked [in NSO] in a senior position and I wondered about her ethical standards during the interview,” Guez tweeted. “Afterward I heard that she said I didn’t hire her because she had children. That’s not true – you weren’t hired because I don’t believe in employing people who sell their ethics for cash.”

Eden Shochat, a partner at the venture capital company Aleph, also took to Twitter to express his objection to hiring people in companies that work in problematic areas like offensive cyber. “Would you want to hire someone who is prepared to give up their ethics for a higher salary? Apparently not,” he tweeted.

Eden Shochat, a partner at the venture capital company Aleph, tweeted that they won't hire someone willing to 'sell their ethics for a price' Credit: Moti Milrod

Guy Barnhart-Magen, founding partner and deputy CEO for technology at the cybersecurity firm Profero, which developed a product that allowed organizations to respond to cyber events, states this clearly: “We have decided unequivocally not to hire people from offensive security firms. We deal with cyber crises, assist companies and people who have been hacked. We don’t want to expose our clients to somebody who we know has high sensitivity to dollars and low sensitivity to the product itself.”

According to Barnhart-Magen, “people who worked in these companies are used to solving problems without regard for issues of privacy and data protection. I don’t want somebody like this to touch my clients’ personal data. I don’t want people with me whose ethical boundary is bought and sold for a price. We don’t want somebody who knows that the amount of damage they do is greater than the good – but who is compensated by the salary. I want a stronger ethical backbone.

“When a hacker comes and offers them $15,000 to gain access to clients, I don’t want them to accept the offer – I want them to come and tell me about it.”

According to Barnhart-Magen, “the cybersecurity community knows what weakness means and how easy it is to get to personal data. And this is a company that doesn’t try to correct or improve the situation – rather, it makes a profit from a bad data protection systems and also tries to find new ways to exploit them.”

Guy Barnhart-Magen of Profero: 'We don't hire ex-NSO workers - we don't want to put our clients and their data at risk'Credit: EYAL MARILUS

Another senior figure in cybersecurity says: “We work with former NSO employees and we don’t look at it like that when we considered them. Former employees of these companies are strong cyber people (especially researchers).

“However, another point that’s relevant essential in this context: because the realm of offensive security in which some employees work in, sometimes there are those with a gap in understanding the difference between the worlds of enterprise and security - one is like developing products for the army and the others is about developing products for protection, like in the business world.”

But this, they stress, is not an ethical problem. If NSO’s tangle with the U.S. and tech giants persists, American companies might treat companies that employ former NSO employees – especially management – as a problem. A senior figure in cybersecurity says that American executives focused on data protection have recently started to ask about the presence of former NSO employees in Israeli companies before they make contracts or collaborate with them.

Don’t generalize

Still, it seems that those who are calling not to hire ex-NSO employees for ethical reasons are in the minority. Over the past few years, many NSO employees have become part of Israeli startups and found home in international development centers. They are courted by prestigious tech companies now too. Moreover, cybersecurity companies founded by former NSO people, like Sternum and Noname, have raised large amounts of money from venture capital firms and private investors.

One entrepreneur and investor in the field of cybersecurity is harshly critical of people who call not to hire former NSO employees. “CEOs like to talk about themselves and their values. But to judge a person who is working legally, supporting their family, and to say they are morally disqualified from working anywhere forever? I despise people who claim moral superiority. You have to be concrete. It could be that there’s an ethically problematic person at NSO, but let’s decide about them specifically. You can’t categorically disqualify employees.

“After all, Israel has compulsory army service, and the army does ethically problematic things and also kills people. So does anyone say not to hire someone who served in the army?”

NSO responded: “The company reached its achievements thanks to its hundreds of excellent employees who worked and still work at the company since its founding. Every day we receive dozens of CVs from candidates and on the other hand – with mixed feelings – we see our employees courted by and receiving offers from the best technology companies working in Israel. This won’t change, even if on the margins there are two and a half executives who try to do PR for themselves by mudslinging.”

Click the alert icon to follow topics:

Comments

SUBSCRIBERS JOIN THE CONVERSATION FASTER

Automatic approval of subscriber comments.

Subscribe today and save 40%

SUBSCRIBE
Already signed up? LOG IN

ICYMI

U.S. antisemitism envoy Deborah Lipstadt and Prime Minister Yair Lapid shake hands, on Monday.

U.S. Envoy: ‘If This Happened in Another Country, Wouldn’t We Call It Antisemitism?’

Dr. Claris Harbon in the neighborhood where she grew up in Ashdod.

A Women's Rights Lawyer Felt She Didn't Belong in Israel. So She Moved to Morocco

Avi Zinger, the current Israeli licensee of Ben & Jerry’s, who bought the ice cream maker's business interests in Israel.

Meet the Israeli Who Wants to Rename Ben & Jerry's Chunky Monkey ‘Judea and Samaria’

Election ad featuring Yair Lapid in Rahat, the largest Arab city in Israel's Negev region.

This Bedouin City Could Decide Who Is Israel's Next Prime Minister

Mohammed 'Moha' Alshawamreh.

'It Was Real Shock to Move From a Little Muslim Village, to a Big Open World'

From the cover of 'Shmutz.'

'There Are Similarities Between the Hasidic Community and Pornography’