The privatization of Israel’s intelligence sector leaves offensive cyber technology open to a potentially destructive market.
Revelations on the extent of penetration of Pegasus, NSO Group’s spyware software, have sparked a heated debate in Israel and around the globe over the workings of the country’s praised cybersecurity industry. Israeli technology companies have long been able to maintain strong names due to the notoriety of their intelligence services, particularly when it comes to the Mossad, Israel’s Secret Service, and to the ability of such companies to nationally recruit recent graduates in those services’ areas of studies.
Pegasus is state-of-the-art spyware — the most powerful ever developed by a private company in history. After infiltrating your phone, without your noticing it, it can quickly turn it into a surveillance device — it is capable of copying messages sent or received, harvesting your photos and recording your calls. It can secretly film you through your device’s cameras or activate the microphone to record your conversations. In addition, it can also identify where you are, where you have been and whom you have met. The first version of the software, identified by researchers in 2016, infected devices through what is called spear-phishing, text messages or emails that trick the target into clicking on a malicious link.
A less-discussed aspect of this industry is whether it is financially successful. Former Israeli Prime Minister Benjamin Netanyahu often spoke of cyberspace as “the cornerstone of the Israeli high-tech sector” and the economy in general, but the international press has found extensive evidence that offensive Israeli cyber technology, and specifically the NSO, played an important role in Netanyahu’s foreign policy. Contries that the former prime minister had visited, such as Hungary, India, Rwanda, the United Arab Emirates, and others, signed agreements with the NSO technology group shortly after the former PM’s visit.
When it comes to the profit generated by these technology companies, it is not possible to know the exact amount. Since it is common in Israel for private companies not to trade openly on stock exchange, those companies keep their client list, the size of their contracts, and their projects secret. Your financial reports — total revenue, operating costs, material spend, and profits — are also not easy to find. The organization Who Profits, a project by the Israeli Coalition of Women for Peace, published in June 2021 a report on the Israeli cyber sector and, based on reports by national press, estimated that the country’s total cyber exports totaled 6.85 billion of dollars last year, an amount that almost equals the total of Israel’s arms exports that year.
The secrecy of Israeli cybersecurity companies is becoming difficult to maintain in a world where security is increasingly privatized. When companies of this proportion are public, society is free to consult reports and ask questions such as “What projects are being organized?”, “What weapons are being manufactured?”, among others. Furthermore, when it comes to geopolitics — an extremely important point in this issue — it is crucial that the press is aware of which countries, governments and partners have access to such tools through exports.
Private security companies rely on private investments and on private clients, so they must reach out to the public and advertise themselves. The Israeli government used to maintain tight control over the arms industry and over the intelligence organizations operating inside and outside its territory, but privatization has seeped in and now Israel’s largest arms company, Elbit Systems, is privately owned. Not only the company responsible for developing the Pegasus spyware, the NSO, is private, but the majority of its shares were bought by the European company Novalpina in 2019. That means that the company may be Israeli, but it belongs to foreign investors.
Another Israeli cyber intelligence company, Cellebrite, has been indicted for providing surveillance equipment to Belarus, to Chinese authorities in Hong Kong and to Russia. The company announced it would cease operations in those countries, but when human rights activists appealed to the Israeli court to find out whether Cellebrite’s technology remained in the hands of those governments even after the company’s leaving, the Israeli court refused to discuss the case.
Cellebrite software, which was developed by the same company, can not only break cellphone encryption and monitor devices, but it also bears a striking resemblance to Pegasus. It is also already in the hands of Brazilian authorities.
Privatizing companies of such size — and destructive potential — leads to the loss of state control over the country’s cyber weapons. It is much easier to spy on part of the population through the internet, or through illegal access to personal devices, because there is a social demand to always be connected to your phone. As long as this demand exists, there is a risk of journalists, politicians, and activists constantly becoming targets. Private companies having full control of tools like Pegasus makes this risk pervasive. Depending on the client — his influence or the capital he is willing to use —, anyone can become a target, even if not a public person.