In November 2021, the Biden administration added Israel’s NSO Group to the U.S. Department of Commerce’s trade-restricted Entity List. Officially, this was because the organization had “engaged in activities that are contrary to the national security or foreign policy interests of the United States,” and the designation was a part of the White House’s “efforts to put human rights at the center of U.S. foreign policy, including by working to stem the proliferation of digital tools used for repression.” In effect, any of over 1,200 companies on the Entity List are banned from directly or indirectly obtaining items such as chips, software, or telecommunications equipment without explicit U.S. government approval.
But does this decision really support human rights?
Sensationalism and exaggerations should not substitute for facts: sovereign governments and their authorized agencies have a universal need to acquire information for security purposes against the wishes and without the knowledge of its originators or possessors. Liberal democracies have long enacted “exceptional access” laws, typically tasking private network and platform operators with two types of actions. First, telephone companies, internet service providers, and service providers must retain all communications records and metadata for a certain period and provide them to competent authorities for future investigations. Second, they must assist in or possess capabilities to perform “lawful interception”: covert network wiretaps for competent authorities.
It no longer works. Baked into the American-owned mobile ecosystem for over a decade, data and communications encryption have rendered network-based intelligence collection obsolete. Edward Snowden’s revelations on the National Security Agency’s network-based bulk collection methods predate end-to-end encryption (E2EE) and pushed the industry to bolster privacy-preserving features. Understanding the details is essential to realizing the challenges intelligence and law enforcement agencies must overcome to perform their missions. E2EE of data-at-rest (iPhone or Android smartphones with security on) or data-in-transit (Signal, WhatsApp, iMessage) means that network carriers are blind to the content they carry; peer-to-peer communication apps (P2P) mean that people can converse without passing through the Microsofts, Apples, or AT&Ts of the world. Disappearing encrypted messages (think Snap, Wire, Signal) mean that no trace of past communications remains on the devices of potential suspects.
To succeed, lawful interception must target the endpoints—smartphones, cars, wearables, security cameras, personal computers—rather than network hubs. This is an exceedingly hard feat. Even a recent, critical Atlantic Council report inadvertently acknowledged that top-tier technical prowess is required for developing operational cyber intelligence capabilities. Therefore, effective digital intelligence collection will remain well beyond the reach of all but a handful of nation-states that can operate in the domain controlled by the Apples and Googles. As always, governments turn to markets for solutions.
Texas Tech University’s Peace, War, and Social Conflict Laboratory compiled a dataset of over 1,700 Private Military and Security Companies (PMSCs) worldwide, aggregating them into five categories. NSO Group, a private Israeli firm, is one of eighty-nine cyber and intelligence-related PMSCs—legitimate companies operating in plain sight. More than half of these are in the high-tech hubs in the United States (thirty-six) and the United Kingdom (fourteen).
NSO does not engage in espionage and certainly does not use force. It develops technology and licenses solutions to sovereign law enforcement, intelligence, and military agencies: only sixty customers in forty countries. Its flagship solution, Pegasus, tops the wish lists of law enforcement and intelligence agencies everywhere. Pegasus is like a traditional wiretap fit for the modern mobile ecosystem: covert, targeted, persistent, and precise. It has repeatedly established intelligence superiority by providing competent national security agencies with covert, remote, and persistent access to the handsets of criminal masterminds and terrorists. Furthermore, NSO does not operate Pegasus, has no visibility into its usage, and does not collect information about its customers.
Naturally, no government official ever testified to Pegasus’ superb value: it would directly jeopardize their own agency’s mission. Additionally, each agency can only deploy it against a handful of targets and only within its sovereign jurisdiction; technical, financial, and contractual architecture ensure these constraints.
Vilifying technology vendors for their clients’ misuse has become bon ton. Unlike most of its competitors, NSO Group subjects itself to the Israeli Ministry of Defense’s Defense Export Controls Agency regulations. Separately, internal compliance and human rights policies led NSO to reject over $300 million in sales opportunities and terminate contracts worth $100 million due to alleged misuse.
Pundits preach that deliberately weakening intelligence capabilities protects human rights, but they are wrong. Dealing with the world as it is demands moving beyond utopian visions. The Hobbesian state of nature is easy to decry from the comforts of North American prosperity but cannot be wished away.
Denying advanced cyber intelligence tools to less-capable nations brings human suffering for multiple reasons. First, crime and terrorism thrive and become pervasive, with common citizens bearing the brunt of violence. Second, security agencies devoid of effective cyber intelligence tools inevitably resort to tried-and-true brute force. Rather than hacker jargon, this actual force is truly brute: think armed troops on the streets, raids, roadblocks, physical harassment, and preventive detentions. Emergency powers permit domestic law enforcement and intelligence to ratchet up pressure to disrupt and discover the bad guys. Inevitably, armed with swords only, boots on the ground inflict collateral damage.
Even if insecurity leads to regime change, it is not a liberal democracy that will replace it. Instead, people frustrated with insecurity either propel populist strongmen to power or turn to radicals for salvation.
Private technology firms that develop and export advanced cyber intelligence technology to competent authorities are a force for good, including human rights. Responsible governments equipped with better intelligence capabilities prevent greater human suffering: rulers can quell their toxic insecurity; sovereign governments can better disrupt criminal and terrorist plots; police need not turn to real mercenaries for extra muscle. Innocent civilians gain quieter and safer lives. Unfortunately, if the Biden administration believes that blocking states from acquiring advanced cyber intelligence technology will improve human rights, it is utterly mistaken.
Lior Tabansky, Ph.D., is Head of Research Development at the Blavatnik Interdisciplinary Cyber Research Center, at Tel Aviv University (TAU).