header
Tech

‘Somebody Has to Do the Dirty Work’: NSO Founders Defend Pegasus Spyware

Hulio and Lavie’s version of the Silicon Valley story starts in a renovated chicken coop on a kibbutz in central Israel. Eleven years later, NSO is a 750-employee company that is valued by investors at over $1.5 billion.

Herzliya (Israel): It was a proposition that would change everything.

Two 20-something Israeli entrepreneurs who had been running a small customer service start-up for mobile phones were at a client meeting in Europe in 2009 when they received a visit from law enforcement officials.

The entrepreneurs’ first instinct was fear. Maybe they had done something wrong that they weren’t aware of, Shalev Hulio and Omri Lavie recalled in interviews this week with The Washington Post.

Instead, the officials made an unexpected request. The agents said the Israelis’ technology, which helped carriers troubleshoot their customers’ smartphones by sending them an SMS link that enabled the carrier to access the phone remotely, could be useful for saving people’s lives. Traditional methods of wiretapping calls were becoming obsolete in the age of the smartphone, the officers explained, because early encryption software blocked their ability to read and listen to the conversations of terrorists, pedophiles and other criminals. Would Hulio and Lavie be able to help them, by building a version of their technology that the officials could use?

More than a decade later, the cybersecurity company that arose out of that fateful conversation — the NSO Group, an acronym based off the first names of the three founders — is at the centre of a global debate over the weaponisation of powerful and largely unregulated surveillance technology.

This week, The Washington Post and a consortium of 16 other media partners reported that the company’s military-grade spyware was used in attempted and successful hacks of 37 smartphones belonging to journalists, business executives, and two women close to the murdered Saudi journalist Jamal Khashoggi.

Hulio’s journey — recounted to The Post in interviews with friends, investors, colleagues and Hulio himself — has been hailed over the years as an Israeli version of a Silicon Valley success story, a shining showcase of the potential of a tiny nation that boasts the highest per capita concentration of start-ups in the world, according to Startup Genome, a San Francisco-based research group. But NSO also demonstrates the more troubling side of that story, some experts say — the tale of a country too eager to make friends in a hostile region and too willing to take controversial actions in the name of survival, as well as the limitations of technology companies’ abilities to control the abuse of their products by their customers.

Hulio has acknowledged that some of NSO’s government customers had misused its software in the past — describing it as a “violation of trust” — and said NSO shut off five clients’ access in the past several years after conducting a human rights audit, and had ended ties with two in the last year alone. Hulio said he was bound by strict confidentiality agreements with law enforcement agencies that prohibit him from naming clients or describing their activities. He said he could not name the country or agency that initially approached him in Europe because it later became a client.

But two people familiar with the company’s dealings said the clients that have been suspended include Saudi Arabia, Dubai in the United Arab Emirates and some public agencies in Mexico. One of the people said the Saudi Arabia decision was a response to the Khashoggi killing, and two others said that Mexican agencies continue to use another NSO product designed to help first responders in search-and-rescue missions.

Shalev Hulio. Photo: Twitter/Shalev Hulio

“There is one thing I want to say: We built this company to save life. Period,” Hulio said in a late-night interview Monday on a high-up floor of the company’s unmarked office tower in the upscale Tel Aviv suburb of Herzliya. “I think there is not enough education about what a national security or intelligence organisation needs to do every day in order to give, you know, basic security to their citizens. And all we hear is this campaign that we are violating human rights, and it’s very upsetting. Because I know how much life has been saved globally because of our technology. But I cannot talk about it.”

Asked about the 37 attempted and confirmed hacks, he said: “If even one is true, it is something we will not stand as a company.” The phones appeared on a list of more than 50,000 numbers that are concentrated in countries known to engage in surveillance of their citizens and also known to have been clients of NSO Group, the consortium’s investigation found. Hulio said the company was still investigating the numbers provided by news outlets and that assertions of any link between the list and NSO were false.

In the first weeks after founding the company, in 2010, “before we’d even written a line of code,” Hulio said he and Lavie established three guiding principles that remain in place today. First, they would license only to certain government entities, recognising that the technology could be abused in private hands. Second, they would have no visibility into the individuals targeted by customers after selling them a software license. The third, which Hulio said was the most important, was to seek approval from the export controls unit of Israel’s Ministry of Defence, an unusual decision because at the time the unit only regulated overseas weapons sales (Israel enacted a cyber law in 2017).

The three decisions were made, Lavie said, so that “we’d be able to sleep at night.” He said he and Hulio strongly believed it was not appropriate to have any direct knowledge of the internal national security matters of foreign countries. They also thought they weren’t equipped to make political decisions about whom to sell to.

NSO also requires customers to sign an agreement promising to use the software only for law enforcement or counterterrorism purposes.

In recent days, some Israeli political leaders have started to argue that the export controls rules that govern cybertechnology companies might have become too prone to political influence. Some of the countries where NSO had agreements, including Saudi Arabia and the UAE, are places where Israel’s last prime minister, Benjamin Netanyahu, sought to forge new alliances.

Hulio and Lavie’s version of the Silicon Valley story starts in a renovated chicken coop on a kibbutz in central Israel. Eleven years later, NSO is a 750-employee company that is valued by investors at over $1.5 billion.

Also read: Pegasus Project: 136 Names Revealed By The Wire On Snoop List So Far

Hulio — described by friends as a relentless optimist and unassumingly charismatic — has posed for photographs holding a Superman figurine that he kept in his office alongside other action figures and Israeli prime minister statuettes. At age 39, he serves in the Israeli military reserves, where he has volunteered for numerous search-and-rescue missions, including the 2010 Haiti earthquake.

Hulio and Lavie were high school best friends, inseparable after they met on a school trip to Europe where they toured the sites of former concentration camps. Lavie was business-focused while Hulio was a theatre kid. Both were computer geeks, spending hours in online chat rooms and playing video games in the middle-income port city of Haifa, they said. The friends entered the army after high school, as is required for the majority of Israeli citizens, but served in nontechnical roles.

“They didn’t have the background of the typical Israeli entrepreneur,” said Eddy Shalev, the company’s first investor. “They didn’t come from intelligence, or from money. They weren’t computer people at all. But he [Hulio] had that charisma of a true entrepreneur.”

After the army, Hulio was in law school when he and Lavie got an idea to build software that could allow people to shop for products they saw on TV shows. The company, MediAnd, ran out of money during the market crash of 2008. Dejected and out of work, Lavie began working selling Nokia phones and BlackBerrys in a mall kiosk. The men grew frustrated by how difficult it was for carriers to do basic updates on mobile devices. They decided to co-found the mobile customer service company CommuniTake, named because they were taking over people’s phones with authorisation of the customer.

After the impromptu meeting with law enforcement in Europe, Lavie said he and Hulio “were amazed” by how quickly the pace of tech and the advent of smartphones had enabled criminals to outrun law enforcement.

They went straight to CommuniTake’s board and declared that they wanted to change the company’s direction. The board, they said, scoffed at the idea of making such a drastic and difficult pivot when CommuniTake was already showing signs of success.

A few months later, Hulio was on a volunteer search-and-rescue mission in Haiti, pulling bodies out of the rubble of a collapsed university.

“I thought, you know, if you have something that can save lives, why don’t you do it? This is the moment,” he said.

He persuaded Lavie to join him, and the entrepreneurs left CommuniTake after making one more failed attempt to persuade the board to change course.

But Hulio said he soon realised he had no idea whether his goal — building software to enable law enforcement to take over a cellphone — was technologically feasible.

Also read: Forensic Evidence Shows Attempts Were Made to Infect Phones in Kashmir With Pegasus

One day, he and Lavie struck up a conversation in a coffee shop with two strangers whom he had overheard talking about how to gain remote access into phones, they said. The strangers said they had a friend, an engineer who worked at a local branch of Texas Instruments, who could build the software Hulio envisioned. The strangers called the engineer, and Hulio offered him a job on the spot — promising him a huge salary bump, though at the time he had no investors. (Eddy Shalev and a few others soon dedicated $1.5 million to the venture.)

NSO got its first office — the renovated chicken coop. Around seven months later, they demoed an early version of the product and the following year landed their first customer, Mexico, according to a person familiar with the company and an Israeli media report. They called the spyware Pegasus, after the winged horse in Greek mythology, because Hulio said the software was like a Trojan horse sent through the air to people’s phones. (The third founder in the NSO acronym, Niv Carmi, left soon after).

On Christmas morning that same year, Mexico’s president called to thank NSO for the “biggest Christmas present you could ever give to the Mexican people,” the apprehension of a major criminal, according to two employees familiar with the conversation who spoke on the condition of anonymity because they aren’t authorised to discuss the matter publicly.

Two people familiar with the company’s dealings said the NSO spyware had twice helped Mexico capture drug kingpin Joaquín “El Chapo” Guzmán, first in 2014 and then again in 2016. A 2019 report by the Israeli newspaper Yedioth Ahronoth reported the same assertion; The Post has not independently confirmed an NSO role in El Chapo’s capture.

After that, Lavie — who is still a board member and has since founded another cyber start-up — began a years-long effort to find the name of well-connected fixers who work with intelligence agencies around the world.

Soon the company was doubling its clientele every year, said one of the early employees. He said sometimes clients would show their thanks by sending a news article about a criminal figure arrested — without references to any stealthy role NSO played in the arrest — an experience he said that felt like “magic.”

The employee said Hulio is obsessively persistent but realistic. “If 50 people tell him something isn’t possible, he will just keep looking until he finds the person who can do it. But then, if the person says they can do it, he will say, how can it be that you can do something when 50 people before you said it was not possible? Prove it.”

As NSO grew, the company was showered with awards by Israeli’s top academic institutions. In 2018, a gossip show covered NSO’s all-expense-paid company retreat in Thailand; Hulio had flown some of Israel’s top celebrities to the resort for the occasion.

But even before NSO’s mounting controversies, some people in Israel’s tightly knit technology community said they thought NSO’s business was unethical and said they eschewed what is known as “offensive cyber,” focusing instead on tech that helps victims defend against attacks.

These days, Hulio, is running on little sleep, Diet Coke and takeout sushi, trying to explain himself without much hope that the world will listen.

He vacillates between contrition and defensiveness: He says he believes that interests hostile to Israel are behind some of the attacks on his company and other Israeli cyber firms. He notes that the United States has for years sold military equipment to Saudi Arabia, a country that NSO has been identified as having worked with.

At the same time, Hulio said the company will continue to immediately shut down any clients that have “violated trust” and has refused to sell to 90 countries, including Russia and China. NSO started asking customers to sign a human rights pledge in 2020, and last month it published its first transparency report.

But NSO’s ability to investigate is also fundamentally hampered by its policy of having no visibility into clients’ activities.

If it learns or suspects that a client broke its rules, it can hit a kill switch that cuts off access to Pegasus. It has the technical means to identify phone numbers that were targeted by its software, but only if the client or some outsider, such as a whistleblower or news organisation, provides the numbers and the client gives permission to access its system.

Also read: On the List: Anil Ambani, Dassault’s Rep and the India Head of French Energy Firm EDF

The situation would be better, Hulio said, if the cybersecurity industry were regulated by a global body. More importantly, he said, the Israeli government has a role to play: Countries that violate their agreements should be banned from being recipients of any of Israel’s cybertechnology.

And he insists that what NSO has built is still for the greater good.

“If somebody says, I found a better way to get criminals, get terrorists, get information from a pedophile, I will shut down this company,” he said. “I will shut down Pegasus completely.”

Lavie put it in even starker terms.

“It’s horrible,” he said of the reports of the attacks on journalists and other abuse. “I am not minimising it. But this is the price of doing business. … This technology was used to handle literally the worst this planet has to offer. Somebody has to do the dirty work.”

This article was originally published on The Washington Post and is republished here as part of the Pegasus Project collaboration.

The Pegasus Project is a collaborative investigation that involves more than 80 journalists from 17 news organisations in 10 countries coordinated by Forbidden Stories with the technical support of Amnesty International’s Security Lab. Read all our coverage here.