NSO Group’s reported sale to US defense contractor alarms cybersecurity experts

Could one of the most pernicious spyware vendors in the world soon be operating under the auspices of the American flag?

That’s the question some are asking in the wake of reports that U.S. aerospace and defense contractor L3Harris is in negotiations to purchase NSO Group, the Israeli-based seller of mobile spyware tools like Pegasus that have been used by authoritarian governments around the world to surveil dissidents, human rights activists, journalists and politicians.

According to Intelligence Online, a European-based digital news site focused on intelligence and tradecraft, harsh economic sanctions led by the U.S. Treasury Department have left NSO Group’s business in shambles. Such a deal would reportedly include L3 taking on $250 million in NSO Group debt and the company plans to announce it the “abandonment of certain activities” that would allow the new American-owned entity to lobby for removal from global sanctions, while also setting up a branch office in Tel Aviv to maintain NSO intellectual property.

Citing anonymous sources, the outlet claimed that a dwindling client list, a surging pile of debt and a market brand inextricably tied to a series of scandals and human rights abuses, executives at NSO Group are searching for an exit.

There are other signs that those running the company have had their fill of being an international pariah. Executives told POLITICO in May of this year that they would welcome additional regulations that spell out more clearly which countries and organizations can — and cannot — buy their hacking tools.

While SC Media has not been able to independently confirm the negotiations (neither L3Harris nor NSO Group responded to a request for comment), the report has alarmed a number of American and Western cybersecurity experts who have spent years forensically mapping the damage caused around the world by Pegasus and other spyware made by the company.

The American Civil Liberties Union said a potential sale to a U.S. company would be troubling for numerous reasons, including the potential for Pegasus and other spyware to spread throughout state and local governments and law enforcement. They also noted that L3Harris has its own background of questionable surveillance practices around their ISMI-catcher “StingRay” devices, which can be placed near cell towers to intercept and capture incoming mobile traffic.

“NSO has previously tried to sell its dangerous spyware directly to the US government to no avail. This deal could allow our government to sneak NSO spyware in the back door by purchasing from a spy company that already sells to US law enforcement,” the digital rights non-profit wrote on Twitter reacting to the reports.

However, a sale is far from guaranteed as U.S. regulators and gatekeepers will likely take great interest in any deal and its impact on both national security and the availability of heavily regulated spyware tools like Pegasus.

Use of NSO spyware for human rights abuses invites scrutiny

Looking at NSO Group’s history of facilitating human rights abuses abroad, the company’s legal and regulatory baggage, the Treasury blacklist and other factors, “when you put all that stuff together, I think it’s a recipe for scrutiny, especially on the government side,” Chris Cummiskey, a former DHS official and expert in U.S. contracting, told SC Media.

NSO Group and Israeli government officials have consistently claimed that these hacking tools are tightly regulated, aren’t sold commercially, and are restricted to countries that pass fundamental thresholds for international legal and human rights. The numerous incidents where their spyware has turned up on the phones of dissidents or activists known to be targeted by authoritarian governments is one of the reasons the company’s reputation is in tatters and is now subject to a level of economic sanctions that have been characterized as the economic equivalent to the death penalty.

However, Cummiskey said the prospect of NSO Group being sold to an American entity is “a slightly different scenario than I think most would have envisioned” and raises questions about what the proper role of the government may be in this scenario.  While being sold to a U.S. contractor may give the federal government more direct control over how those technologies are used in federal contracts, it might not have as much flexibility to prevent the company from doing business with state and local governments or police departments.

“It's always easier when it’s the Chinese government and Huawei and 5g … the lines are pretty clear as to what the government’s position is, it’s easier to make it evident to everybody that this is the policy,” Cummiskey said. “When a company is purchased by a U.S. entity and doing business with the U.S. government, there are some limitations … but not as extensive as one might think. In dealings with the federal government, we’ll put these limitations on you but in transactions with other state and local governments or police departments, it would probably take an act of Congress to get standards in place for what the rules of the road are.”

It's not clear how the sale to a U.S. company or contractor would meaningfully reduce the international and legal pressure around NSO Group and its practices. Two lawyers SC Media spoke with questioned how active lawsuits against NSO Group would be resolved if a purchase went through and who would ultimately retain the liability as well as the underlying technology at the heart of those suits.

Aaron Cockerill, chief strategy officer at Lookout, a cybersecurity firm that helped analyze one of the first Pegasus iOS samples in 2016, told SC Media that at first glance, the news “seems like a bad thing” because of the potential to expand the presence of NSO spyware in the United States, but it's not a foregone conclusion and largely depends on ultimate intentions of the buyer.

“For example, if a cybersecurity company is considering purchasing Pegasus to better protect against similar threats in the future, it may be a good thing,” Cockerill said.

He also noted that a purchase of NSO Group would not automatically mean that Pegasus and other tools would come with it, or would remain as effective as it was under its previous owners who were committed to creating a parallel pipeline of mobile vulnerabilities to feed it.

“Buying Pegasus the software is very different from buying the company NSO. Stealthy deployment and continued use of Pegasus is heavily reliant on sophisticated use of many zero-day vulnerabilities. So, much of the NSO organization has been focused on finding these vulnerabilities,” Cockerill noted. “Without an ongoing source of these vulnerabilities the Pegasus software would, over time, simply stop working as these vulnerabilities are found and fixed.”