Israeli Defense Ministry tightens cyber exports post-NSO scandal

A new declaration all companies will be required to sign doesn't define criticism of governments as a crime, which could allow for the same issues as with NSO.

 A man walks past the logo of Israeli cyber firm NSO Group at one of its branches in the Arava Desert, southern Israel July 22, 2021 (photo credit: REUTERS/AMIR COHEN)
A man walks past the logo of Israeli cyber firm NSO Group at one of its branches in the Arava Desert, southern Israel July 22, 2021
(photo credit: REUTERS/AMIR COHEN)

The Defense Exports Control Agency (DECA) announced late Monday that it was tightening its regulation on exports of offensive cyber-related products, with the move coming less than two weeks after it was leaked that the ministry had massively shrunk the list of eligible client states.

DECA published a new version of its “Final Customer Declaration,” which countries wishing to purchase cyber offensive technologies – such as NSO’s Pegasus software for hacking cell phones – will be required to sign.

Under the terms of the new declaration, countries commit to using the technology exclusively for preventing terror and serious crimes – and the document explicitly excludes political speech or criticism of governments from being defined as a crime.

This is a major move, since many non-democratic countries define opposition to their regimes, even if peaceful, as a crime – and much of the criticism of NSO has related to dictators using its technology to hack and track human rights activists, journalists and others who committed no crime according to Western standards.

The document says explicitly that anyone who violates the commitment will immediately lose use of the cyber-offensive system in question.

 Defense Minister Benny Gantz is seen in Morocco, on November 24, 2021. (credit: DEFENSE MINISTRY) Defense Minister Benny Gantz is seen in Morocco, on November 24, 2021. (credit: DEFENSE MINISTRY)

On November 25, the ministry cut the list of countries permitted to buy cyber-offensive products down to only 37, compared to the old list of 102 permitted nations, Calcalist reported.

Notably, Jerusalem’s growing relationships with new allies, Morocco and the UAE, as well as behind-the-scenes ally Saudi Arabia, were taken off the permitted list.

Countries remaining on the list – like the US, Canada, Australia, European countries, India, Japan and South Korea – are all democratic countries with stronger protections against violating privacy rights and civil liberties.

It was unclear if Monday’s new document was part of a process to try to re-authorize some of the countries removed from the permitted list under stricter conditions or if it was just an added measure in addition to the stricter list.

These last two announcements could both be a major short-term blow to the Israeli cyberattack firm industry, especially for NSO and Candiru, both of whom were blacklisted by the US Commerce Department based on a finding of misuse by non-democratic regimes of the technology to violate human rights.

Although NSO has been hammered for years by Amnesty International and some other human rights groups, several things seem to have put it in much greater jeopardy than before, including reports of clients abusing the company’s technology to perpetrate human rights violations by 17 media organizations in July; a lawsuit by WhatsApp in a US federal court; and being blacklisted.

Only days after announcing that NSO CEO Shalev Hulio would be replaced by former Partner CEO Isaac Benbenisti – seemingly an NSO attempt at a makeover to ride out the storm – the new company head pulled out.

Then in November, Apple unleashed its own major lawsuit in the US against NSO, and the credit rating agency Moody’s downgraded it two levels to Caa2, which is eight levels below investment grade.

Moody’s warned that the company is at growing risk of defaulting on its $500 million in debt, citing that NSO only had $29 million in free cash in June after maxing out its $30 million banking credit line.

ALL OF THIS comes after NSO was valued at $1 billion two years ago and after it was getting credit in late 2020 for having helped build bridges with all four countries that  later joined the Abraham Accords with Israel.

Prior to that, it had defrayed criticism from NGOs with news stories about its technology stopping ISIS and other terrorists from committing mass murder in Europe and elsewhere.

As recently as Prime Minister Naftali Bennett’s meeting with French President Emmanuel Macron in Glasgow, the government still seemed to be trying to protect NSO and rescue it from the situation.

But the new limited list and the new document could be a turning point where the defense establishment has decided that the damage NSO has done, or is perceived as having done to Israel’s image and relations in the West, now outweighs ensuring its survival.

Even if the ministry has not gone that far, the new document and the drastic reduction in countries with which NSO and other cyberattacks firms can do business means that it is heavily reducing their playing field to reduce future embarrassments.