What does US blacklist mean for future of NSO? - analysis

The US Commerce Department's decision could be framed in terms of competition over which countries dominate the cyberattack sphere.

 A man walks past the logo of Israeli cyber firm NSO Group at one of its branches in the Arava Desert, southern Israel July 22, 2021 (photo credit: REUTERS/AMIR COHEN)
A man walks past the logo of Israeli cyber firm NSO Group at one of its branches in the Arava Desert, southern Israel July 22, 2021
(photo credit: REUTERS/AMIR COHEN)

The US Commerce Department’s blacklisting of NSO Group and Candiru on Wednesday was unequivocally bad for business for the two cyber firms.

How bad?

That is a matter of speculation and a lot may depend on how aggressively the US and other democratic countries act against not only NSO and Candiru, but against the cyberattack sector in general.

At one end of the spectrum, some are ready to eulogize NSO and much of the cyberattack sector. It was one thing when human rights groups and some media outlets lambasted the company and its clients – but the US government’s blacklisting of NSO is a much more dire scenario for the firm.

At the other end of the spectrum, some seem to suggest that the US action may have been more symbolic, and if it is not followed with aggressive enforcement, NSO and others in the sector may be able to continue operating as usual, although they may have to choose their clients more carefully.

ISRAELI CYBER firm NSO Group’s exhibition stand is seen at ISDEF 2019, an international defense and homeland security expo held in Tel Aviv in 2019. (credit: KEREN MANOR)ISRAELI CYBER firm NSO Group’s exhibition stand is seen at ISDEF 2019, an international defense and homeland security expo held in Tel Aviv in 2019. (credit: KEREN MANOR)

Amit Meltzer, a former government official who served in the intelligence community, said he thought that “the practical aspects of the announcement will only become clear in several months.”

He said the question would be if export licenses to trade with NSO would be given “routinely based on the identity of the end client and declared usage,” in which case “the impact will be minimal, but provide the US with effective oversight.”

Or if the US “will stonewall or deny permits,” which would be “an all-out attempt to curb the offensive cyber marketplace. Such a move will likely trigger significant reaction, as it will threaten the entire emerging segment.”

Meltzer, now a top cyber security consultant, said, “I suspect the initial behavior will be restrained, and licenses will be granted. If I’m wrong, expect to see many offensive cyber companies switching to non-US components to avoid debilitating oversight. China would gladly accommodate the exiles, making the move dramatically counter-productive.”

Another source also framed the US decision in terms of competition over which countries dominate the cyberattack sphere.

The source suggested that there was no way to put the genie back in the bottle and that if the Israeli cyber offensive sector craters, US cyber offense firms or other countries which are more problematic for Israel, could fill the vacuum.

But Dr. Matan Gutman of Reichman University wrote in a column in Yediot Ahronot that NSO and the Israeli cyber offense sector would be hit and possibly hobbled in a number of ways.

Gutman said there was a good chance that other democratic countries would follow its lead on the issue.

Even if other democratic governments do not formally go as far as the US, the damage to NSO’s reputation in other democratic countries or even non-democratic countries who want to build their relations with the US, could be massive.

Another area where the decision could have a vital impact would be in the Facebook-WhatsApp lawsuit against NSO in the US.

A lower federal court previously ruled against NSO’s claim of sovereign immunity from being sued for allegedly hacking 1,400 WhatsApp clients.

NSO appealed and the last thing it would want as it tries to convince an appeals court that it is a positive force for helping good governments fight terrorism and drug kingpins is an official condemnation from the US executive branch.

It is unclear whether the US Commerce Department declaration will decisively influence the court case, but it could, and even if it does not do so formally, the judges deciding the case will not have missed the message sent Wednesday.

If NSO loses and it is ordered by the US judiciary to expose its foreign government intelligence clients, there could be a giant and unpredictable impact on the Israeli cyber offense sector and even beyond.

It seems that the US Commerce Department has changed NSO’s reputation for an extended period, perhaps permanently, and that it has altered the current dynamics in the cyber offense industry.

But whether NSO, Candiru and others will fail (and who would replace them if they did) or be given a chance to find a more careful path is still an open question.