At the end of 2018, the offensive cyberespionage firm NSO held a special event for its employees at Tel Aviv University. The event, one of the largest ever staged by the company, included musical performances, guest lectures and a panel of NSO executives. However, it also had a unique social aspect: the company had invited the employees’ parents, partners and children. The decision to host an event for such a broad audience was apparently no coincidence: Three months before, Washington Post columnist Jamal Khashoggi was murdered, and reports were spreading that the firm’s technology may have played a role in helping the Saudis locate him.
NSO wanted to present its position – to this day it denies any connection to the Khashoggi case – to the employees’ families. Until then, the Khashoggi murder was one of the company’s biggest crises, because of the identity of the client (Saudi Arabia), the target (a journalist), and the international storm generated due to Saudi Crown Prince Mohammed bin Salman’s alleged direct involvement in the killing.
But even compared to that crisis, what happened last week was at another level, something the company will not forget quickly.
Project Pegasus is an investigation organized by the nonprofit Forbidden Stories together with a group of 17 international media organisations and Amnesty International into a leak of 50,000 phone numbers that were potential surveillance targets for countries that bought NSO’s spyware.
The investigation published by the media organisations on Sunday said spyware made and licensed by Israeli company NSO had been used in attempted and successful hacks of 37 smartphones belonging to journalists, government officials and human rights activists. Additional reports also said the phone numbers of heads of state were selected as targets.
NSO has said its product was intended only for use by vetted government intelligence and law enforcement agencies to fight terrorism and crime. They deny the leaked list of numbers has anything to do with them or their Pegasus software.
If after the Khashoggi murder NSO had to throw a huge bash to boost morale, how is NSO going to cope after one of the most dramatic weeks in its history? Has the persistent negative publicity over the years undermined its efforts to recruit employees and has it affected its current employees in any way?
“Does NSO have a problem recruiting? No, it just pays a lot more,” a source familiar with the offensive cyber firm said this week. Another source in the industry said that NSO recruiters are offering huge salaries, even by today’s standards in high-tech, of as much as 100,000 to 120,000 shekels ($30,600 to $36,700) a month.
“They come to people who have just finished their army service and this will be their first job offer, and give them all the messages they’ve been conveying in their media responses; that the company does good things, it has learned from its mistakes, etc. A former team leader offers them a super high wage and they say to themselves, ‘I’ll work there a year or two and I’ll make a million shekels a year,’ it’s tempting,” the industry sources said.
NSO is also considered a pampering workplace, one that flies its employees abroad every year, throws huge parties and tries to provide a homey atmosphere.
Nevertheless, there are those in the cybersecurity industry who say that in recent years some have turned down NSO’s generous offers, or even left the company. The question is whether they are doing this for moral reasons or because of the current character of the company. Because while there are industry sources who insist that NSO’s reputation as an employer has been undercut, many current and former employees say that there is no phenomenon of “quitters of conscience,” at least not publicly.
“There can always be people who leave for such reasons, but I’ve never heard anyone say it out loud,” says Tomer (a pseudonym), who left the firm within the past year.
“However, because of the newspaper reports, you can’t live in denial while at NSO, you have to have a serious discussion with yourself, doggedly demand answers from management, and choose each time anew whether to be part of the company, to tell yourself that you’re doing good in the world or not. This is a delegitimization campaign that is unparalleled in Israel,” they said, suggesting NSO was being disproportionately targeted by negative media coverage.
Another employee who left says, “The moral consideration is not the main reason for leaving, but it can play a role and be one consideration among many.”
Still another former employee says, “Today it’s an embarrassment to say that you worked at NSO.” There are former employees who are deliberating whether to leave the fact that they worked there on their LinkedIn profiles, yet in the same breath they say they believe in the company’s mission.
Some former employees and people who know the offensive cyber field believe the reason NSO has become a less attractive employer in recent years has nothing to do with ethics, but with its size: Now with 800 employees, it has developed the DNA of a large corporation, while there are other more attractive options in the industry, young startups like Candiru and others.
It’s not at all certain that the Israeli high-tech industry considers having worked at NSO such a stain on one’s resume. “I received more than 10 offers in two months,” says Tomer. “NSO employees are courted and I think that everyone understands that reality is more complex.”
Shirley K., an NSO engineer, says that this week she received more job proposals via LinkedIn than usual, apparently part of an effort by personnel recruiters to take advantage of the crisis at the company. At the same time, there were several posts leading to debates over the degree to which employees are responsible for the problematic use of the technology the firm they work for developed.
The NSO stigma?
Conversations with executives, recruiters and investors show that the industry placed a stigma on former NSO employees, whether they are seeking other positions or trying to raise funds for a startup of their own. And yet, companies do take their background into account to some degree - and it’s not always negative. Everyone interviewed for this story insisted on anonymity, even if they weren’t being critical.
Several investors, even those who invest at an early stage, when there’s merely an idea and the investment is more in the entrepreneurs themselves, won’t avoid investing in former NSO employees.
“I’m not a regulator and I think that personal boycotting is a dangerous business that works both ways. I leave the decision as to whether what they do is legitimate to the official agencies,” said one investor, who noted he had no problem investing in people who worked for NSO.
Another investor said, “Of course there’s a degree of ambivalence about this whole story, but in the end if they are professionals and suited to the task, I don’t see a real problem. We have never rejected someone because they worked in the worlds of offensive cyber.”
Another investor, however, said there are clients and information security executives who don’t like these former-NSO entrepreneurs because they think the company they came from is unreliable. This investor concedes that the workers aren’t really to blame, but added that he would never go to work for NSO and that there are many in the industry who are deterred by it.
Tech head-hunters have a slightly different take on the issue, saying they want to understand what motivated an employee in their previous position before they decide where they can or cannot be recruited to.
“We don’t categorically rule out entire classes of companies - but rather examine numerous parameters as part of the recruitment process, among them why a person chose to work in a specific place. Sometimes it’s a young crowd who don’t always fully understand what they’re getting into,” said one CEO of an Israeli startup focused on recruitment.
“I don’t think that [NSO] stains a person,” said a recruiter at a different startup. “I would want to hear from them how they viewed the company and what led them to stay there. I would expect them to speak about it maturely. I have to make sure that there is a common ethical basis.”
The human resources director at a third startup said, “Today the market for talent is very competitive and it could be that companies make compromises. Recruiters don’t always know all the companies or know if these companies’ products do good or not, which is why headlines don’t do these companies any good. There are workers who didn’t know what they were getting into and left after a year or two, but if an employee worked there enough years, there’s no doubt it can hurt them in terms of their career.”
Spiderman and human rights
Many justifiably look at NSO and other offensive cyber companies as weapons manufacturers. At least one of the former NSO employees with whom we spoke for this report apparently informed NSO of this. As a result, the company asked us to also speak to current employees. While these interviews, conducted via Zoom, were done with the company spokesman present, what emerged from them wasn’t substantially different than what most of the former employees told us: there is clearly a substantial gap between NSO’s public image and how the firm’s employees, both current and former, perceive it.
“We’re like Spiderman being chased by the journalist Jameson, but who can’t explain what he’s doing because he swore not to take off his mask. We also can’t explain what we are doing and how many attacks we’ve prevented,” said Michael Barda, who deals with sales.
“Even though I’ve been at the company for five years, what happened last week was really powerful. It’s not pleasant and it’s not normal, because we see the company in a totally different light than what they are saying about us. It’s very frustrating and unjustified. Do you know how hard it is to explain this to my mother? Ninety percent of the things appearing in the papers are not true, but go prove that you don’t have a sister.”
There have been many reports about the use of the technology to target human rights activists, regime opponents, journalists and even members of the LGBTQ community. Can you sleep well at night, certain that such people aren’t being harmed?
Barda: “Of course, I’m sure of it. Absolutely. And if something happens, I know that the company will immediately do what’s necessary to fix it. Don’t forget that we don’t have our hand on the system, but we do have all the necessary mechanisms to stop [the system] immediately. I rely on our leadership and trust that they know what to do if something happens. I don’t have bags under my eyes.”
Still, such a technology can be used to do problematic things.
Barda: “I don’t know, it’s possible, but I prefer to focus on the good. I chose to be an optimist in life, I want to live in a good place, and I know that we are doing a lot of good.”
‘Intelligence is not binary’
Every one of the people with whom we spoke claimed that the lion's share of NSO’s activity is preventing terror attacks, catching drug dealers, preventing pedophilia, etc.
"When you're exposed to terror incidents that they helped to prevent, to the capture of 'El Chapo' (the nickname of the Mexican drug lord) or seizing the Boko Haram members who carried out the massacre of hundreds of young girls – you can't not believe in the company," said one of the former employees.
"However, that of course doesn't mean that there was no abuse of the technology and that there is no need for closer supervision of clients who abuse the system," he added.
And in fact, everyone who has worked at NSO seems to be able to recite the company's main messages, which are repeated in the various conversations, and which center on the company's ethics committee, which according to the firm has rejected major deals, despite the fact that they were approved by the Defense Ministry.
"There are super-ethical people in the company and everyone who is involved in development is preoccupied with it on a daily basis. These are people with a great sense of responsibility. When things that you're convinced do good in the world are delegitimized – that's a tough experience," says Tomer.
"We're interested in having the tools used for good, and if by chance we hear otherwise – it's taken care of," says cybersecurity expert Anna Plohotnichenko.
"Is it possible to do 120 percent and to do only good? In the intelligence world, it's just not so simple, intelligence is not binary - good or bad. I'm totally confident in the place where I am, because I know what ethical conditions my company meets and what we demand of ourselves. We want the tools to be used for good purposes, I have no doubts and therefore I don't get upset by the articles. NSO also chooses its clients and doesn't allow improper use of the systems."
One of the firm's big questions is the identity of the countries to which the technology is sold, which also includes non-Western countries. In the company's recently published transparency report, it claimed that throughout the years it has lost $300 million in income by walking away from deals due to possible infringements of human rights by potential clients.
The report explains that there is a ranking for every country, and based on it they decide whether NSO will sell technology to that country and on what level, but it's impossible to learn the ranking of every country from it, and why the firm nevertheless sells to countries such as Saudi Arabia. Apparently this issue – of NSO's red lines – is such that the employees rarely have any doubts about it.
Shirley Kontanta, a quality assurance engineer, says: "All kinds of companies create technological products. You can think of the simplest products in the world, even knives and forks – basic things that are produced for a specific need, but there are people who will use them for another purpose. I feel that the company is doing everything in its power so that they won't use our amazing product for things that are not for saving lives. I know without hesitation and I'm also exposed to cases when they said 'No, absolutely not.'"
There's another thing that can be done – not to sell to those countries.
Yefi Dampti, a developer, says: "I'm in favor of selling to those countries if it's for a good purpose. They also have drug dealers and pedophiles, and they have a right to protect themselves. If they abuse the product – it should be shut down."
But how can you know if there has been such abuse? The fact is that throughout the years only five clients have been blocked.
"We have no access to their intelligence material. There can't be any access. But if it happened that someone investigated and said that such a thing exists, then we jump into action."
So it's a good thing that there are investigations.
Dampti: "Yes, very good, we work openly with all kinds of organizations, but to attack us? That's just trying to slander us - and it's a shame that there are such attempts. Look a little bit at the good and not only at the bad. If someone were to come to us – the company would check without that reaching any headline and it would do so better without all the surrounding disturbances. I'm in favor of not doing bad, and that's why there are also feedbacks and internal checks, the company will never be 100 percent, but there's the media that likes to take the 10 percent and turn it into 90 percent."
Kontanta: "These are things that you read and you say to yourself: 'Oy vey, I don't believe that it happened.' I don't know if a specific report is correct or not, but things happen and we all regret that. When you hear that a client abuses the system it causes a cringe, because that wasn't our intention. Our goal is to save lives and reduce crime. There are worrisome things but I'm familiar with the company's character and DNA. These are things that come up for discussion, but we're all like a family, it's like comrades in arms. I'm an NSO patriot."
You talk about abuse of the system, but let's get back again to the identity of the clients – in nondemocratic regimes there's a greater chance that the system will be abused.
Damty: "There can be abuse in any company, for example one that manufactures miniature cameras. You'll sell them to the police and then there'll be a police officer who will install the cameras in the bathroom."
A nondemocratic regime is not a regime that transgressed – it's an undemocratic regime.
Damty: "I don't judge regimes. A dictatorship can be fair, and they also deserve protection. And if they use it in an improper way – that's a shame and I hope that they'll be blocked from our system, if they haven't been so already."
The elephant in the room: Israel
Alon (not his real name), a former employee, wonders why there's criticism of NSO and not of security firms such as the Israel Aerospace Industries, Rafael Advanced Defense Systems and Elbit Systems.
"Because NSO is considered a high-tech firm? It may be unpleasant to say this, but NSO is also a weapons firm. There's another question – is it preferable to manufacture a 5.56 mm bullet or cyberattack technology?
"That's a philosophical discussion, but I prefer that they use cyber technology against people, rather than arresting them, harassing them for no reason or killing them," he said. However, he agreed that this ostensibly "clean" treatment is also problematic, because the victim has no idea that he is under attack and under surveillance.
Alon says that, "In regard to harming opposition members and journalists, the question is what lies in the balance – if in order to prevent terror or pedophilia 'chips fly' then I'm not opposed to that.
“There's another important point – which the firm doesn't discuss with the employees – namely the benefit to the State of Israel in the diplomatic and security realm.
“In my opinion, when the regime in Middle Eastern countries is stable, and they do their job, then the chances that someone there will start fighting with Israel is smaller. Israel has an interest in strengthening those regimes so that terror won't arise there and in the end be turned against us, or alternatively, in order to take care of other security interests of the State of Israel."