This is how NSO decides whether to sell the Pegasus to a customer

NSO is the only company in the offensive cyber sector that has adopted the UN guidelines for protecting human rights in addition to complying with DECA’s export requirements. This is how it works.

Close up of a man using mobile smart phone (photo credit: INGIMAGE)
In recent months, NSO’s name has featured in the national and international press in relation to violations of human rights. The agenda is being promoted by various actors, among them Amnesty International (Amnesty Tech) and several reporters who cover human and privacy rights. Another entity fueling the fire in the media is Facebook, which is in a legal battle with NSO over the claim that the company’s product, publicly known as Pegasus, was activated against 1,400 WhatsApp users. The legal case is being conducted in the United States and is creating a lot of buzz in the relevant media.
Despite the headlines, NSO is not the only company in the world that operates in the offensive cyber arena. There are several other companies in Israel, such as Candiru and Merlin International, as well as the Italian Hacking Team, which changed ownership two years ago. These companies also operate spyware or other tools to collect data from mobile devices or from desktop computers running Windows, Linux, or macOS.
In this article, I will try to describe the idea behind the export of such tools from Israel. The explanation is based on personal knowledge and on conversations with senior NSO personnel who agreed to talk about the subject. This is part of the transparency process the company is undergoing under its new owners. To date, NSO is the only company in the world in the offensive cyber sector that has adopted the UN Guiding Principles on Business and Human Rights. Moreover, since its inception the company has been under the supervision of the Ministry of Defense (Israeli Defense Export Controls Agency, DECA), the same as any other Israeli company in the security and defense fields. Monitoring follows the Wassenaar Arrangement, which is updated at the end of every year and is automatically adopted by Israel as law.
Export Controls
For those who are not familiar with this topic, let’s start from the beginning. Offensive cyber tools enable people to hack the phone or computer of an intelligence target based on vulnerabilities in the device’s software. The vulnerability can be in the operating system or in any of the applications installed on the device. In simple terms, these vulnerabilities are divided into two kinds: weaknesses that do not require user intervention (zero click), and vulnerabilities that require user intervention (one click). As far as I’m aware, Israel does not authorize exports of zero click vulnerabilities for fear that they may be used to attack Israeli targets.
By law (under the Wassenaar Arrangement), any vulnerability to be exported from Israel to a customer abroad must be approved by DECA, whether it requires a double approval (marketing and export) or a single approval (export only), which depends on the country of destination. Moreover, customers acquiring the vulnerability must enter into an end-user agreement in which they declare to the seller the countries in which the attack tools will be used, as well as the type of targets (criminal, terrorist, military, espionage). The purpose of these controls is to prevent human rights violations committed by using such tools against regime opponents, journalists, or innocent civilians (for example, surveilling a person’s partner or spouse).
Control of NSO is not out of the ordinary. The Ministry of Defense (MOD) monitors every defense company in Israel. Any defense or security exporter must be registered with DECA; otherwise it is in violation of the law. Note that there are Israeli cyber companies that have established centers of operation in countries like Cyprus or Bulgaria, where supervision is more lenient than in Israel, enabling them to bypass DECA. Most cyber professionals I have met are aware of this issue, but the MOD turns a blind eye to a trend that has been going on for years. It is not clear why. NSO operates from Israel (Herzliya) and is supervised by the MOD.
Another important fact is that, according to DECA’s supervision regulations, sales can be made only to national entities, that is, intelligence organizations, police forces, the Home Front Command, presidential security forces, etc. Operating within this framework, NSO or any other cyber company in Israel sells to those it is authorized to sell to. Recently, several articles were published indicating that NSO wants to sell to police forces and the Secret Service of the United States. Despite the headline, there’s nothing wrong with that. NSO is a commercial company that wants to profit, and it can sell to whoever it wishes under the restrictions imposed on it. This is how all cyber companies in Israel and globally conduct their business, without exception.
Compliance with UN Guidelines
The company’s processes for complying with the requirements of DECA and the UN’s Guiding Principles on Business and Human Rights include the creation of a suitable legal team. These operations are managed by a person with an impressive resume and years of experience in the security field in Israel. NSO also has a DECA Licensing Officer, conducts training in matters related to exports, and holds regular discussions on the subject. The company also sells products that are not subject to export supervision and therefore do not require DECA control.
Compliance with the UN’s requirements began in September last year. The UN Guiding Principles on Business and Human Rights (UNGP) is a document that is not legally binding, but which defines the code of conduct in everything related to the violation of human rights. The UNGP comprises two main groups of guidelines, one for states and one for companies. The focus is on companies that violate human rights. As a software company, NSO is in between the two. On the one hand, it sells software to state entities and, as such, does not itself violate human rights. NSO does not operate Pegasus for its customers; they operate it themselves. However, there is the potential that customers operating the system will violate human rights.
Since these are only guidelines, NSO decided to take the general knowledge about compliance and adapt it to the UN guidelines for human rights. Since this is a new field in the world of control of cyber companies, they consulted international legal firms that specialize in human rights. As a result of this work, NSO consolidated a program that has already been in place for a year.
The program has several layers. First, it executes a due diligence process for each entity in each country the company wants to sell to. This includes an internal analysis based on information in the public domain that can be collected about the country’s regime, its culture, its approach towards human rights, and related publications about the institution to which the company wants to sell. The data is then combined with several other public indices that rank countries according to how they approach human rights and freedom of expression.
Risk Management
After obtaining a weighted score, the risk arising from the tool that is to be marketed to the customer is added. If NSO wants to sell Pegasus, the risk will be higher than if it wants to sell, for example, Eclipse, a cyber counter-drone platform, or a system for data fusion. Each product has a different risk potential. This is how NSO determines the initial risk score of a transaction with a specific customer.
This score is used by the legal team to conduct the due diligence process. There are three risk levels: low, medium, and high. If NSO wants to sell Pegasus to North Korea, for example, the risk will be high. If it wants to sell it to the US Secret Service, the risk will be low. According to the risk level, the company decides on the level of investment in the due diligence. If the risk is low, the due diligence is internal; if the risk is high, the due diligence may also include outsourced investigation or intelligence services.
A total of 10-12 categories are evaluated for each transaction. The process may include direct questionnaires to people, meetings with the customer, officially receiving information from the customer, and more. Sometimes the process also uses international commercial investigation firms like Kroll. They also study the legislation in the target country concerning unlawful interception or similar matters. Is there such legislation in place? Can citizens appeal to a court in that country? And similar questions. The team also checks legal proceedings against the target customer in respect of human rights.
The entire process is executed before NSO receives authorization from DECA. After consolidating a final score, the company makes an additional analysis. Does the risk require special limitations on the sale? Or can the product be sold with no restrictions? The decision is made by a dedicated committee headed by NSO’s President. If necessary, the decision can also reach the company’s board, which has veto rights. In any case, every transaction is brought to the board’s attention after the fact. Any agreement with a customer is contingent upon obtaining the required approval from DECA. Furthermore, the higher the risk, as indicated above, the more contractual restrictions the agreement with the customer will contain.
Suspicion of Unlawful Use
While the system is in use, there may be publications about unlawful use by the customer. Such publications may originate in the press, from a person, from the customer’s employees, from NGOs, and sometimes even from the customer itself. When such a report is received, NSO proceeds to study the event. First, they ask the customer to provide information about the event, on the basis of which they decide whether additional steps are required. Such steps may include a temporary shutdown or disconnection of the system. If the customer’s replies are not satisfactory, NSO will request additional, more detailed clarifications.
Note that these publications sometimes originate in an ongoing operation by the customer against criminal or terrorist targets. Such operations usually last months to years. When the system is shut down in the middle of such an endeavor, the work of years can go to waste. The cancellation or failure of such operations may ‘release’ criminals or terrorists, who will continue to harm innocent people. This is an extremely difficult decision for NSO: to disengage the system in the middle of an operation.
A few such decisions were made in the past. However, in most cases the customer provides initial responses about the event that are satisfactory. Customers who opt not to cooperate with NSO risk breaching the terms of the contract and having the system disconnected. Company officials say that, to date, there has been full cooperation from customers on every suspicion that has arisen.
In addition to the dialog with the customer, NSO also verifies the legal procedure under which use of the system was justified. In some cases, the company retains the services of local lawyers to verify the customer’s claims. If legal orders were signed authorizing the system’s use, they verify their content. Each case reviewed must reach a conclusion as to whether the customer acted in compliance with the provisions of the contract and local laws. If NSO is convinced, they close the case. Sometimes they need to consult an international legal firm. Due to their complexity, such investigations may take several months. I would like to mention here that, recently, there were such claims in Spain and Morocco, both of which are still under investigation by NSO.
Independence Model
In an effort to work against the violation of human rights, from day one NSO developed the system in a structured manner whereby NSO, as the software provider, is completely independent from the operating customer. This enables customers to operate the system by themselves. Even NSO’s support and upgrades are provided separately from the operational path, the company states. In other words, NSO’s employees have no access to the operation of Pegasus: full independence.
When an event is being investigated, this independence means that the customer must cooperate with NSO. Without such cooperation, NSO has no knowledge whatsoever of the alleged victim. This independence between the seller of the software and the buyer and operator is also required because of possible legal repercussions. “We are a software vendor, not an intelligence institution,” the company says.
Sometimes, however, there are situations in which the customer is at a crucial point in an operation and suspicions of unlawful use of the system arise. In most cases, a security or defense customer will avoid cooperating with NSO as much as possible so as not to damage the operation. In these cases, the company investigates each case on its own merits. Based on their knowledge of the customer, they may initially decide to trust the customer until all details are verified.
In addition to monitoring events related to the use of NSO’s system, the company also monitors changes in the political climate in the customer’s country. Events like a change of regime, for example, may affect the score of an existing deal and require the company to repeat the due diligence for that customer.
Coming Soon – Annual Transparency Report
Despite the activities outlined in this article to prevent violations of human rights, the question arises of how NSO handles internally the pressure on its salespeople, legal department, and management. At the end of the day, anybody can claim that the pressure to sell is stronger than the willingness and commitment to comply with the international code of ethics. The company states that while such pressure does indeed exist, as in any business enterprise, history will attest to the fact that NSO has rejected business worth millions due to the potential for violations of the rights of innocent civilians.
The company uses internal analysis mechanisms before each transaction; authorization is required from DECA, as well as approval from the board and the company’s management, which exposes NSO’s senior officials to legal suits. All of these create several layers of control that regulate the pressure from sales and force the company to adhere to international codes of ethics. Moreover, next year the company is planning to publish its first ever transparency report as part of its commitment to uphold human rights.
In conclusion, NSO is no different from any other supervised defense company. As such, it will try to sell its products to every possible customer within export and ethical restrictions. Improved transparency of sales processes, the adoption of the UN guidelines, and the variety of control mechanisms the company uses minimize the unlawful use of Pegasus. As mentioned above, NSO is currently involved in several investigations regarding alleged wrongdoing by customers using Pegasus. No conclusions have yet been published. For the ‘average Joe’, the conclusion of this article is that, in the future, if and when more headlines talk about the unlawful use of Pegasus, they must be treated with a grain of professional doubt.