When NSO Group’s co-founder and CEO Shalev Hulio gave an interview to Israeli television last Saturday, he seemed confident and calm about his company’s future: “We’re here to stay,” he said.
Behind the scenes, reality within NSO and the field is more complex. The Israeli offensive security firm is going through the toughest time it has ever known, in terms of both its image and its business. This is mainly because of the decision by the United States’ Department of Commerce to blacklist NSO – which means that it has to obtain a license every time it wants to buy American goods or services or sell to American clients. Coupled with the string of damning reports and investigations, this threatens NSO’s future, and the cyber firm is now fighting for its life – first and foremost by lobbying to be removed from the U.S. list.
Other details about NSO’s situation were also revealed last week, when the Tel Aviv District Court accepted the request of two units within the NSO Group to appoint them a temporary trustee amid massive liquidity issues. The group, it turns out, is in the midst of a power struggle between NSO shareholder, Berkeley Research Group, which owns 70 percent of NSO (through a fund called NOAL) – and the management group, which holds 30 percent of the company.
NSO is now in talks with four American funds to sell them the BRG holdings. One of those interested is the American investment company Integrity Partners. Such a sale could lead to a drastic reduction of NSO’s clients and its income, because that would mean its infamous Pegasus offensive software would be sold to only a handful of Western democratic countries.
But the internal conflict between Hulio and BRG for control of the anti-drone platform called Convexum, which was purchased by NSO, might torpedo the entire move. NSO made clear how complex its situation is when it said in response to the court’s request: “Enormous efforts are now being made to restore the group’s health…this is a critical point in time for the group and its hundreds of workers.”
NSO did state earnings of about $250 million in 2021, but according to a report by Bloomberg, it burned through most of the money in a bid to develop new products in the field of drones and analytics.
All these will have clear repercussions on the 800 employees of NSO – whether the company makes it through the current crisis or not, it will end up with a wave of resignations and firings. In private conversations and media interviews, NSO employees have said that they are absolutely certain about the legitimacy of the company’s path and say it has remained committed to its goal of preventing terror and crime.
But cracks are beginning to form in this narrative, long held by workers in the firm and others like it: its blacklisting and the call by Democratic lawmakers on the Biden administration to impose sanctions on it have all undermined workers’ ability to perceive the company as a victim of bad press. Moreover, they also now pose an actual risk to workers: If sanctions are imposed on NSO, personal sanctions may be imposed on its directors – including blocking their bank accounts and preventing their entry into the United States.
“Employees at NSO were aware of problems, but they say that the most important thing is to find criminals and pedophiles,” says a senior figure in cybersecurity. “But over the past year they started to fear for themselves and their futures. This isn’t something theoretical any more – the workers are afraid of a black stamp on the visa in their passport, so they won’t be able to fly to the U.S.”
Figures in cybersecurity mention instances in which former NSO employees obscure or even hide the fact that they worked for NSO in their LinkedIn profile or during interviews – for fear that it will harm their chances of continuing their career.
“Candidates who have in their CV ‘security position’ are trying to bluff, but the truth comes out very quickly,” says an executive in the field.
Ethics for cash
A number of hi-tech executives have begun to speak out publicly recently about the fact that they don’t hire NSO employees because of ethical concerns. For example, after the report on the use of Pegasus by the Israel Police, the CEO and co-founder of the payroll platform Papaya Global, Einat Guez, posted a tweet that sparked a storm:
“A few years ago I interviewed a woman who worked [in NSO] in a senior position and I wondered about her ethical standards during the interview,” Guez tweeted. “Afterward I heard that she said I didn’t hire her because she had children. That’s not true – you weren’t hired because I don’t believe in employing people who sell their ethics for cash.”
Eden Shochat, a partner at the venture capital company Aleph, also took to Twitter to express his objection to hiring people in companies that work in problematic areas like offensive cyber. “Would you want to hire someone who is prepared to give up their ethics for a higher salary? Apparently not,” he tweeted.
Guy Barnhart-Magen, founding partner and deputy CEO for technology at the cybersecurity firm Profero, which developed a product that allowed organizations to respond to cyber events, states this clearly: “We have decided unequivocally not to hire people from offensive security firms. We deal with cyber crises, assist companies and people who have been hacked. We don’t want to expose our clients to somebody who we know has high sensitivity to dollars and low sensitivity to the product itself.”
According to Barnhart-Magen, “people who worked in these companies are used to solving problems without regard for issues of privacy and data protection. I don’t want somebody like this to touch my clients’ personal data. I don’t want people with me whose ethical boundary is bought and sold for a price. We don’t want somebody who knows that the amount of damage they do is greater than the good – but who is compensated by the salary. I want a stronger ethical backbone.
“When a hacker comes and offers them $15,000 to gain access to clients, I don’t want them to accept the offer – I want them to come and tell me about it.”
According to Barnhart-Magen, “the cybersecurity community knows what weakness means and how easy it is to get to personal data. And this is a company that doesn’t try to correct or improve the situation – rather, it makes a profit from bad data protection systems and also tries to find new ways to exploit them.”
Another senior figure in cybersecurity says: “We work with former NSO employees and we don’t look at it like that when we consider them. Former employees of these companies are strong cyber people (especially researchers).
“However, another point that’s relevant and essential in this context: because of the realm of offensive security in which some employees work, sometimes there are those with a gap in understanding the difference between the worlds of enterprise and security – one is like developing products for the army and the other is about developing products for protection, like in the business world.”
But this, they stress, is not an ethical problem. If NSO’s tangle with the U.S. and tech giants persists, American companies might treat companies that employ former NSO employees – especially management – as a problem. A senior figure in cybersecurity says that American executives focused on data protection have recently started to ask about the presence of former NSO employees in Israeli companies before they make contracts or collaborate with them.
Still, it seems that those who are calling not to hire ex-NSO employees for ethical reasons are in the minority. Over the past few years, many NSO employees have become part of Israeli startups and found a home in international development centers. They are courted by prestigious tech companies now too. Moreover, cybersecurity companies founded by former NSO people, like Sternum and Noname, have raised large amounts of money from venture capital firms and private investors.
One entrepreneur and investor in the field of cybersecurity is harshly critical of people who call not to hire former NSO employees. “CEOs like to talk about themselves and their values. But to judge a person who is working legally, supporting their family, and to say they are morally disqualified from working anywhere forever? I despise people who claim moral superiority. You have to be concrete. It could be that there’s an ethically problematic person at NSO, but let’s decide about them specifically. You can’t categorically disqualify employees.
“After all, Israel has compulsory army service, and the army does ethically problematic things and also kills people. So does anyone say not to hire someone who served in the army?”
NSO responded: “The company reached its achievements thanks to its hundreds of excellent employees who worked and still work at the company since its founding. Every day we receive dozens of CVs from candidates and on the other hand – with mixed feelings – we see our employees courted by and receiving offers from the best technology companies working in Israel. This won’t change, even if on the margins there are two and a half executives who try to do PR for themselves by mudslinging.”