NSO Group CEO Shalev Hulio welcomes the decision to look into claims that various governments used the company's attack software to spy on tens of thousands of clients, including politicians, journalists, and human rights activists.
In an interview with Israel Hayom's Yoav Limor for the paper's weekend supplement, Hulio says, "We'll be very happy if there is an investigation into the affair, because we'll be able to clear our name."
"We don't have and have never had any ties to the list that was published, and if it turns out that there was some client who exploited our system to track journalists or human rights workers, they'll be cut off immediately. We've proven that in the past, including with some of our biggest customers, and we stopped working with them," he says.
Q: If your system wasn't used for nefarious purposes, like you claim, why don't you open everything and show everyone that everything is fine?
"Because there are issues of privacy, and matters of national security and trade agreements with the countries we work with, and I can't go out and say, 'This we did, and this we didn't do.' But if any government entity approaches me – anyone, from any country – I'm willing to open everything, let them come in, dig around. Let them come."
Pegasus is considered the most advanced program in the world when it comes to cracking cellphones. It allows the user to pull all the data out of the device, including correspondence (even encrypted) and photos, without leaving traces. It also allows the program user to activate the compromised device's camera and microphone remotely. The expose published this week was based on a leaked list of 50,000 cellphone numbers that various governments allegedly asked to crack using NSO's program.
Hulio, 39, says that he first learned of the affair about a month ago.
"A third party reached out to me, someone we work with not involved [in the affair] and said, 'Listen, they've broken into your servers in Cyprus and the entire list of NSO targets has been leaked.' I started to get stressed, but after a moment I calmed down, both because we don't have servers in Cyprus and also because we don't have a list of 'targets.' It doesn't work that way: every customer is a unique customer. We don't have any central location where all the customers' targets are collected."
Q: What did you do?
"In the meantime, we checked our servers, and we checked with the customers, and we didn't find anything that had been cracked. But because it seemed strange, I asked the guy to bring us examples from the leaked list. We got them – a few phone numbers – and started to check them with our customers. Not a single one was a target for Pegasus. I realized it had nothing to do with us, and we moved on."
But the story refused to die. A few days later, Hulio was contacted by another businessman with an identical story about an NSO "list of targets" that was going around the market, and beyond that, a list of questions from the consortium of journalists who exposed the affairs this week in the international media.
"There were crazy allegations there. At first, I laughed, and said to myself that someone is going to fall hard, but then a friend told me I wasn't getting that they were going to come down on us, hard. At that stage, we already knew it was a list that had nothing to do with us. We hired a firm of lawyers and started to send out letters, and the fact is that most media outlets were convinced. The editor [in chief] of the Washington Post even wrote that she didn't know where the list had come from or who had put the numbers on it, and that she had no confirmation that the numbers were associated with Pegasus or had even ever been targets or potential targets."
Q: So who is behind this story?
"It looks like someone decided to come after us. This whole story isn't just incidental. The Israeli cyber sector is under attack, in general. There are so many cyber intelligence companies in the world, but everyone just focuses on the Israeli ones. Forming a consortium like this of journalists from all over the world and bringing Amnesty [International] into it – it looks like there's a guiding hand behind it."
"I believe that in the end, it will turn out to be Qatar, or the BDS movement, or both. In the end, it's always the same entities. I don't want to sound cynical, but there are people who don't want ice cream to be imported here [to Israel] or for technology to be exported. The way I see it, it's no coincident that the same week that people try to prevent Cellebrite's IPO, an expose about [cyber firm] Candiru is published, and now us. It can't be that this is all coincidental."
Q: The expose indicated that of the 65 numbers that were checked, 37 were targets of Pegasus.
"They have a problem with their story. Let's assume that this is a list of Pegasus targets – where are all the cases that claims were made about in the past, from journalists to human rights activists in Mexico? Why aren't they there? They need to decide. Either the reports in the past were wrong, or the current list is wrong. I'm saying with certainly that it's nonsense. Since we founded the company, all the years [we've operated], we haven't had 50,000 targets."
Hulio says that NSO currently has 45 customers, and each one is permitted by their program license to track 100 targets, on average, per year. It's the customer who chooses the targets, and NSO is uninvolved in the selection or the tracking.
"When we founded the company we decided on four rules. First, we would sell to governments only, and not companies or individuals. You can imagine how many people and companies tried to buy the technology, and we always said no. The second rule is that we don't sell to every government, because not every government in the world should have these tools. Looking back 11 years after the company was founded, we have 45 customers, but 90 countries to whom we refused to sell. The third rule is that we don't activate the system, we just install it, instruct how to use it, and leave. The fourth rule is that we want to be under the Defense Ministry's regulatory oversight. We have been under voluntary oversight since 2010, even though the law for defense and security oversight of cyber companies was written only in 2017. We haven't ever made a deal that wasn't under oversight."
Q: Why did you refuse to sell to certain countries?
"Because there are governments that you know you can't trust. That violate human rights, that bug journalists, that are corrupt."
Q: Some of the countries you do sell to also have problematic track records: Saudi Arabia, Morocco, the United Arab Emirates.
"I won't discuss any specific customer, but most of the countries we work with, more than two-thirds, are European countries. They comprise most of our business, and these are countries that use this tool to fight terrorism and crime. The attempt to portray a situation in which all these governments do is sit and listen to journalists is completely delusional."
Q: Still, the list that was published includes plenty of journalists who were allegedly tracked.
"If any of our customers listened to journalists, that's really bad, and they won't be a customer any longer."
Q: You say that it's the customer who decides the list of targets. It could be that your customers exploit the system, and simply haven't been caught.
"We choose our customers carefully, and we make very strong deals with them that allow us – in the case that they are found to be exploiting [our tools] – to cut them off. Every customer receives very clear instruction about what they are allowed and forbidden to do with the system."
Q: Still, what oversight do you have for them?
"There is plenty. We limit the number of targets, and we limit them to certain territory in which they are allowed to operate. In every instance when we receive reliable information about abuse, we investigate. According to the contract, the customer has to give us access to some log and shows all the actions in which the system is used, and if we see anything out of bounds, we can shut them down."
Q: Has that happened?
"Yes. We had five customers whose systems we shut down in the past few years."
Hulio defines Pegasus as a "lifesaving program." He says that in a world in which conversations are encrypted end-to-end, there is no other alternative when it comes to battling major crime and terrorism.
"Once, you'd go to a cellular operator with a warrant and listen in on conversations. Today, there are applications that process data [in a way] that even the companies that develop them can't access. So encryption is fantastic for regular citizens, but intelligence and law enforcement organizations need tools to prevent the next terrorist attack or crime. Thanks to our program, terrorist attacks have been prevented on almost every continent, and in the last few years over 100 pedophiles have been arrested. That wouldn't have happened without Pegasus."
Q: You always fall back on catching pedophiles and terrorists.
"Why was the company founded?"
Q: To make money.
"If all I wanted to do was make money, I wouldn't forgo customers. In the past two years, we declined $300 million because of customers we shut off or did not agree to sell to, so apparently it's not just about money."
Q: Pegasus is a weapon. It's good when it's in good hands, and can be bad when it's in less good hands.
"Unlike guns, which the minute you sell them you have no control over them, here we have control. If someone misuses it, we can cut them off."
Q: But you say that you don't have control, that the customer decides whom to track.
"I don't understand. Mercedes sells a care, then a drunk person gets behind the wheel, runs someone over, and kills them. Does anyone blame Mercedes? It's not clear why we are under fire. If there are complaints, they should be directed at the governments who violated [regulations] and listened in on journalists. Let people claim they violated human rights."
Q: You really don't understand? As we've said, this is a weapon. There are claims that your system helped with the murder of [Saudi journalist] Jamal Khashoggi.
"That claim was made, and we checked with all our customers to see if Pegasus had been activated against him, his family, his wife, his fiancée. We investigated very carefully, and discovered that our tools weren't employed at any stage. It's simply incorrect."
Q: You claim that this is part of a wave of allegations, but NSO has been making negative headlines for years. There have bene plenty of reports that exposed cases of your system being exploited.
"I think that there is someone who is trying to paralyze these technologies by any means possible, and bringing everything possible to bear on the matter."
Q: The fact is, NSO has become synonymous with "bad company."
"It's a crappy feeling. The countries that work with us understand our contribution to their national security, and you know you've done the right thing, that you're saving lives. But you never get credit for that, and that's 99% of the cases."
Q: And there is the one percent in which this system does bad things.
"True, and we handle that one percent. We shut down systems. But to say that because of that one percent the rest of the things we do aren't good just doesn't make sense."
Q: The chief prosecutor in France has announced that an investigation will be launched into allegations that Pegasus was used by Morocco's intelligence apparatus to track journalists. Are you worried?
"The opposite. I want them to investigate and look into it. Because the moment that a normal entity conducts a probe like that, they'll realize that there's nothing to it."
Q: Aninvestigation has also been launched in Israel.
"Great. Nothing could be better, because it will turn out that we operate strictly in accordance with the permits we were given and have never stepped over the line, and that the latest reports have nothing whatsoever to do with us.
"It's time for someone to look into this story once and for all. There are plenty of other companies that are just chasing dollars, an entire industry of companies throughout the world whose entire business model is based on approaching customers with whom NSO refused to work or stopped working. In almost every case, even when it turned out that other technologies had been used, we were blamed immediately because we're the poster boy for the industry."
Q: Yet you yourself say there were instances in which the program was exploited for nefarious purposes.
"Certainly there were, and there are countries we stopped working with because of that. We're the only company in Israel and one of the few cyber companies in the world that has adopted the UN human rights standard. We do appropriate checks on every customer, put out transparency reports through a US legal firm, maintain an external committee that reviews us, and we also have internal committees that approve every deal. The amount of energy we invest in this is endless, and any attempt to create another story is bullshit. Just delusional."
Q: Why don't you put together a team of your own to probe this affair?
"Because we've already checked, and if new information arrives, we'll check again. We check every number that we get. Thus far, we've received about 50 numbers off the list. Of all the big names that have come up so far – French President Emmanuel Macron, the king of Morocco, French journalists and diplomats, the prime minister of Belgium – none has ever been a target. So I'm saying – I wish they'd investigate. Anyone who wants is welcome to."
Q: How can you be so confident they won't find anything? You yourself say that you don't know whom your customers track.
"Because I know what we do, and with whom we do it."
Q: You do realize that this could reach critical mass, and defeat you.
"So what? The world will be more of a bummer, with more crime and more terrorism and more pedophiles. That's exactly what will happen. And apparently there will be a lot more small companies, without regulation, who will go to all sorts of havens abroad and do the same thing. So now we're doing everyone a favor and drawing all the fire for the industry, but I'm not willing to break. On principle. Because I don't think we've done anything bad. The opposite. I think we do good things, and that our customers recognize that, and our workers recognize that, and mainly – the alternative is much worse."
Q: The government could step in and say that NSO Group does Israel more harm than good.
"If the government says that it doesn't want any more cybertechnology in Israel, I'll salute it and close up shop. But I don't think that's the situation."
Q: Still, NSO is creating quite a headache for Israel.
"That's true, and the country doesn't deserve it. If we were a company operating in the US or Britain, this wouldn't be happening. A big part of what comes our way is because we're Israeli."
Q: Maybe the regulatory bodies in the US or Britain wouldn't have allowed you to operate in some of the places you do.
"I don't think so. We don't currently sell anywhere that the Americans wouldn't allow us to operate. China, Russia, Qatar, Egypt, North Korea – these are countries we won't sell to, on moral grounds. There's not even a question."
Q: But it's in the Israeli government's interest that you keep operating, certainly in countries with which our relations are sensitive, like some Arab states.
"Any attempt to ties us to the state is wrong. We're a private company. The government gives us permits to sell, just like they give Elbit or Rafael."
Q: So why are you under attack?
"Because no missiles have hit anyone, but everyone has iPhones. Everyone is afraid of it. It's gotten to the stage where people get a text message with a coupon for pizza and email us saying that someone tried to infect their phone with Pegasus. The amount of disinformation is insane."
Q: Can't you understand why?
"Yes, but I want to make it clear – it's not like we're talking about something on a grandiose scale. All the headlines and noise right now are because of 100 targets per year per customer. We're not Microsoft."
Q: How will the affair end?
"I've already said I'll be happy if there's a probe, and that I'm committed to cooperating fully with any such probe. And I believe with all my heart that the probe will end with nothing, and it will turn out that the list has nothing to do with us. I only hope that all the newspapers that attacked us this week will apologize. Beyond that, I don't want anything."
In the past few days, Israeli officialdom has been squirming after the wave of reports about widespread spying by governments around the world using NSO's Pegasus software.
NSO might be a private company, but its activity is fully under the oversight of the Defense Export Control Agency (DECA) in the Defense Ministry. Apart from that, the government has a clear interest in NSO's activity, for a few reasons. Cyber sales in general and cyberattack sales in particular currently comprise a major part of defense exports, and bring billions of dollars into Israel per year; advanced cybertechnologies allow it to strengthen ties and cooperation with various countries, including ones with whom we do not have formal relations, in the battle against common enemies like Iran or various terrorist groups; and various past reports have claimed that some of the technologies have backdoors that allow the government to use them for its own purposes.
Given all this, it's clear why the top political and defense echelons are disinclined to launch an immediate and open investigation into the affair. The most obvious concern is not only the economic ramifications to cyber companies and thereby to national revenue, but possible harm to relations with some countries. Naturally, this applies mainly to NSO's most sensitive customers – Saudi Arabia, the UAE, Bahrain, and Morocco, countries with problematic human rights records, certainly when compared to most of NSO's customers, which are western democracies.
On the other hand, officials in Israel realize that the flood of reports by media outlets worldwide cannot go unanswered. Not only because of the need to clarify that Pegasus has not been used for widespread attacks against citizens, but also because there is indirect criticism of Israel for allowing – if not pushing and promoting – sales of the system throughout the world, making the government complicit in alleged wholesale human rights violations.
Ultimately, the government decided on a probe that will be managed by officials from the Prime Minister's Office and the foreign, defense, and justice ministries, as well as from the Mossad and the IDF. The purpose of the probe is not only to determine whether the system has been used for unacceptable goals that violate its license, but also to placate governments and organizations around the world that have expressed concern following reports of the affair.
Clarifying the facts of the case is important not only to NSO and its sales, but also to Israel. It will allow the government to handle diplomatic pressure that could spring up on other governments to refrain from buying Israeli cybertechnology, and also deal with international lawsuits and boycotts, should there be need to. Even if due to the nature of the affair and privacy not all the details are made public, the probe has to go ahead. Anyone who claims they have nothing to hide has no reason to worry.