Analysis

NSO’s Terrible, Horrible, No Good, Very Bad Week Is Just the Start


Last week was perhaps the most dramatic in the history of Israeli cyberespionage firm NSO Group.

A string of exposures by journalists involved in the Pegasus Project, organized by Forbidden Stories and Amnesty International, led not just to widespread public criticism of the company but also to serious questions raised by regulators and states.

These changes may affect how countries approach offensive cyber firms in general and how they do business with NSO in particular. 

NSO's Pegasus spyware, a cyberweapon that hacks cellphones and enables state-sponsored terrorism against civil society, has outraged the world. In Israel, there's complicity – or complete indifference. Credit: AP

How will things proceed from here on? It’s still unclear, but there’s no doubt that even before the new revelations, NSO’s situation was daunting. This is doubly true today. These are the challenges lurking on the horizon for the Israel-based cyber company, which has said in the past it hopes to go public.

Money woes

Even before the Pegasus Project, NSO’s finances posed a challenge. NSO is still a very large and very profitable company, but the direction it’s going in is not a positive one. 

Whereas in 2018 the company ended up with revenues of $251 million, in 2020 these amounted to $243 million. The company, just like the entire industry it belongs to, was badly hit by the coronavirus pandemic. NSO servers require a physical installation and support crews at the client’s end - not something that is easily doable with the world on lockdown. 


Moreover, the company grew substantially over this period, from 600 to 750 employees. With higher expenses and lower revenues, profits are necessarily eroded. This is indeed reflected in the company’s reports, which show a drop in profits and a negative cash flow.

Mexican President Andrés Manuel López Obrador talking about the Project Pegasus investigation Credit: MEXICO'S PRESIDENCY/Reuters

One can see this in Moody’s downgrading of NSO’s credit ratings. Moody’s rates the private debts incurred by the entrepreneurs who borrowed money when buying the company, and it warns of a possible default on these loans.

Few people look at this issue, but in its short life (11 years), NSO has had 3 CEOs. In the first 3 years, the company was managed by Yair Pecht, who left it, with some noise, in 2014. After him came Eran Gorev, the owner on behalf of the private equity firm Francisco Partners. Gorev doesn’t mention this in his profile on LinkedIn, but he is a signatory on NSO’s official documents as its CEO. The third CEO is of course entrepreneur Shalev Hulio, but he too has recently told employees that he intends to step down, bringing in an experienced CEO who can support the company’s growth. Hulio will become the company’s president. On the same occasion, Hulio talked about two future routes the company can pursue – obtaining a large investment from a private donor or going public by listing the company as a special-purpose acquisition company (SPAC).

Control issues:

As is well-known, NSO changed hands in 2019, with ownership transferred from Francisco Partners to a partnership between entrepreneurs (Shalev Hulio and Omri Lavie) and Novalpina Capital. Before the acquisition, Hulio was expecting the company to do really well, reaching a valuation of $5-10 billion within a few years. 

Currently, the company is not meeting the projections it presented to Novalpina, as reflected in what the industry is saying and in the Moody’s report. At the same time, Novalpina itself is facing a court battle between the three partners, revolving around control of the company.

NSO Group founders Shalev Hulio and Omri Lavie. NSO is eyeing an IPO and Hulio will step down as CEO in case the cyberattack firm goes public. Last month, Moody's downgraded its credit rating.

It should be noted that NSO’s developers (Novalpina’s partners) are not necessarily easygoing characters, and when Francisco Partners were the owners there were shouting matches at nearly every board meeting. One of the bones of contention was the way to approach the media. FP believed that the right way was to maintain total media silence and a no-comment approach. NSO’s founders believed (and still do) that transparency was the right tactic when it came to journalists.

In a 2015 interview with the StartIsrael website, the entrepreneurs were asked: “What was the biggest mistake you made that other people should know about and avoid in the future?” They replied: “Our biggest mistake was to take on partners when this was unnecessary. This caused great losses, in control over the company, in percentages, etc. Never take on people without creating control mechanisms which will monitor what they do, as well as the relative portion of what they get for the work they do.”

In other words, it was not easy to bring in a new investor. One should note that Blackstone retracted its intention of buying ownership over the company in 2017, possibly due to concerns over its public image. A public offering is also very difficult, if not impossible, for a company like this, particularly following last week’s revelations. The company is almost a pariah and institutional investors will be wary of investing in it due to concerns of criticism.

Regulatory issues:

Last week’s revelation may also impact the oversight and regulation affecting NSO. Ursula von der Leyen, the President of the European Commission, has already said that if the string of reports turns out to be true this would be “entirely unacceptable.”

French President Emmanuel Macron speaks on his mobile phone at an EU summit in Brussels last year. A phone associated with Macron was also reportedly selected as a target by an NSO client. Credit: John Thys, AP

According to the France 24 news website, French authorities announced that they will launch an investigation regarding information presented in the investigative report, according to which French journalists were spied on using NSO’s Pegasus software. 

Even here in Israel there may be a rethinking of export policies pertaining to cyber tools, or, as noted by Defense Minister Benny Gantz: “We’re studying the information on this issue…as a matter of policy, Israel allows the export of cyber products only to governments, only for legal usage, and specifically for the purpose of prevention and investigation of crime and terror activities.”

In this context, it may be worthwhile to note the words of a veteran Israeli investor in the field with regard to offensive cyber tools: “This is an arms industry and that’s alright, but has the policy relating to it come up for public discussion? I don’t think these are issues that should be settled by NSO and Defense Ministry officials in a non-transparent manner, but by the Knesset Foreign Affairs and Defense Committee, with the participation of representatives of the public.

“Ultimately, these are people the state has trained (i.e. during their military service), and we don’t need the next victim of the flavor-of-the-month dictator on our conscience.” This is even more valid due to the ostensible damage done by NSO affairs to Israel’s image.

Bad clients:

Even if we assume that some of last week’s reports are mistaken, it looks like there will be no choice but for NSO to shut down some of its contracts and accounts due to “misuse” of its systems. 

This is vital for the company even if only for the sake of responding to the furor caused by Project Pegasus. It will help demonstrate that it is committed to human rights and to transparency. But giving up an account such as the one the company has in India, for example, is not so simple, given the drop in revenues that the company is experiencing anyway. The countries exposed in the investigation are a major part of the company’s client base.

Opposition Congress Party workers protest, accusing Indian Prime Minister Narendra Modi’s government of using spyware from Israel-based NSO Group to surveil political opponents, journalists and activists. Credit: Manish Swarup, AP

Overall, it seems that in the coming years NSO will have to gradually wean itself off its “toxic” accounts in countries run by dictators. Instead it will be forced to focus on sales in Western Europe, in democracies in the East and in North America. This will be difficult. 

A senior company official once explained that the sale process is very different in third world countries, compared to Western ones. In fact, it’s the total opposite. In dictatorships it’s a top-down process, he said, meaning that you have to convince the leader or the army commander and then all the agencies below fall in line, and fast. In Western countries, the process is bottom-up. One has to rise through the chain of command of approvals, going through endless committees and bureaucracy. Incidentally, this is how the company’s founders split up their dealings with different countries: Hulio, a people person, is NSO’s “salesman” in the third world. Lavie, a person of processes, represents the company in the first world.

According to the company, based on a transparency report, half of its clients are Western democracies. This amounts to slightly less than 50 percent of its revenues. One should also note that NSO has never managed to “breach” the U.S., with its sales remaining minor there.

In recent years, NSO has tried to diversify its products. It has made acquisitions in the area of defense against drones and has developed a product related to analysis, which includes, among other features, contact tracing for the purpose of cutting down coronavirus infections. Apparently, all these products are still far from having a significant impact on the company’s revenues.

Info leaks:

It obviously doesn’t do an ostensibly covert company any good when it turns out that there was a significant leak of information from systems it is associated with. This harms its reputation and makes potential clients even more suspicious. 

One should note that this is not the first time the company has suffered an information leak. In early 2018, a company employee tried to sell company code on the darknet for $50 million. He was caught due to the alertness of another Israeli cybersecurity company, and was sent to prison for 5 years.

HR challenges

Like many in the tech industry, NSO is also facing a serious challenge in the battle over talent. On the one hand it offers very big paychecks - even in comparison to the already high salaries doled out in high-tech. The firm is also known to treat its workers to fancy retreats abroad. On the other hand, money isn't everything and for many of those working in tech, staying “clean” is important - and working for NSO does not necessarily go hand-in-hand with the ideal of making the world a better place. 

An Israeli woman uses her iPhone in front of the building housing the Israeli NSO group, developers of the Pegasus spyware, in Herzliya, near Tel Aviv. Credit: JACK GUEZ - AFP

Industry insiders like to talk about two HR “crises” suffered by NSO. At the end of 2019, Haaretz reported that the Israeli military intel decided no longer to call up for reserve duty those former soldiers now working for NSO. The goal was to prevent soldiers from facing tough dilemmas - but those in the know say it hurt morale at the company. 

At roughly the same time, a number of Facebook and Instagram accounts belonging to people working at NSO were taken down as part of the legal battle between the social media giant and the spyware firm. Facebook is suing NSO for allegedly misusing WhatsApp to infect the phones of targets selected by its clients. The incident sent waves through the company, with workers being forced to confront how their work is perceived by big tech firms like Facebook.

The bottom line is that NSO faces some serious and interconnected challenges. They can overcome them all. But that requires them to do something that may be hard for them to do: Say goodbye to all their problematic clients and focus on providing services to democratic states. They have a tough road ahead.
