In a special interview to Israel Hayom, NSO Group co-founder and CEO Shalev Hulio says the latest affair was created by “Qatar or the BDS movement – maybe both,” and stresses that NSO Group does not maintain lists of targets. “If anyone uses our software to spy on journalists, they won’t be a customer anymore.”
NSO Group co-founder and CEO Shalev Hulio | Courtesy: NSO Group
NSO Group CEO Shalev Hulio welcomes the decision to look into claims that various governments used the company’s attack software to spy on tens of thousands of clients, including politicians, journalists, and human rights activists.
“We’ll be very happy if there is an investigation into the affair, because we’ll be able to clear our name,” Hulio says in an interview to the Israel Hayom weekend supplement.
“We don’t have and have never had any ties to the list that was published, and if it turns out that there was some client who exploited our system to track journalists or human rights workers, they’ll be cut off immediately. We’ve proven that in the past, including with some of our biggest customers, and we stopped working with them,” he says.
Q: If your system wasn’t used for nefarious purposes, like you claim, why don’t you open everything and show everyone that everything is fine?
“Because there are issues of privacy, and matters of national security and trade agreements with the countries we work with, and I can’t go out and say, ‘This we did, and this we didn’t do.’ But if any government entity approaches me – anyone, from any country – I’m willing to open everything, let them come in, dig around. Let them come.”
Pegasus is considered the most advanced program in the world when it comes to cracking cellphones. It allows the user to pull all the data out of the device, including correspondence (even encrypted) and photos, without leaving traces. It also allows the program user to activate the compromised device’s camera and microphone remotely. The expose published this week was based on a leaked list of 50,000 cellphone numbers that various governments allegedly asked to crack using NSO’s program.
Hulio, 39, says that he first learned of the affair about a month ago.
“A third party reached out to me, someone we work with not involved [in the affair] and said, ‘Listen, they’ve broken into your servers in Cyprus and the entire list of NSO targets has been leaked.’ I started to get stressed, but after a moment I calmed down, both because we don’t have servers in Cyprus and also because we don’t have a list of ‘targets.’ It doesn’t work that way: every customer is a unique customer. We don’t have any central location where all the customers’ targets are collected.”
Q: What did you do?
“In the meantime, we checked our servers, and we checked with the customers, and we didn’t find anything that had been cracked. But because it seemed strange, I asked the guy to bring us examples from the leaked list. We got them – a few phone numbers – and started to check them with our customers. Not a single one was a target for Pegasus. I realized it had nothing to do with us, and we moved on.”
“There are people who don’t want Israel to import ice cream or export cybertechnology”
But the story refused to die. A few days later, Hulio was contacted by another businessman with an identical story about an NSO “list of targets” that was going around the market, and beyond that, a list of questions from the consortium of journalists who exposed the affairs this week in the international media.
“There were crazy allegations there. At first, I laughed, and said to myself that someone is going to fall hard, but then a friend told me I wasn’t getting that they were going to come down on us, hard. At that stage, we already knew it was a list that had nothing to do with us. We hired a firm of lawyers and started to send out letters, and the fact is that most media outlets were convinced. The editor [in chief] of the Washington Post even wrote that she didn’t know where the list had come from or who had put the numbers on it, and that she had no confirmation that the numbers were associated with Pegasus or had even ever been targets or potential targets.”
Q: So who is behind this story?
“It looks like someone decided to come after us. This whole story isn’t just incidental. The Israeli cyber sector is under attack, in general. There are so many cyber intelligence companies in the world, but everyone just focuses on the Israeli ones. Forming a consortium like this of journalists from all over the world and bringing Amnesty [International] into it – it looks like there’s a guiding hand behind it.”
Q: Whose?
“I believe that in the end, it will turn out to be Qatar, or the BDS movement, or both. In the end, it’s always the same entities. I don’t want to sound cynical, but there are people who don’t want ice cream to be imported here [to Israel] or for technology to be exported. The way I see it, it’s no coincident that the same week that people try to prevent Cellebrite’s IPO, an expose about [cyber firm] Candiru is published, and now us. It can’t be that this is all coincidental.”
Q: The expose indicated that of the 65 numbers that were checked, 37 were targets of Pegasus.
“They have a problem with their story. Let’s assume that this is a list of Pegasus targets – where are all the cases that claims were made about in the past, from journalists to human rights activists in Mexico? Why aren’t they there? They need to decide. Either the reports in the past were wrong, or the current list is wrong. I’m saying with certainly that it’s nonsense. Since we founded the company, all the years [we’ve operated], we haven’t had 50,000 targets.”
Hulio says that NSO currently has 45 customers, and each one is permitted by their program license to track 100 targets, on average, per year. It’s the customer who chooses the targets, and NSO is uninvolved in the selection or the tracking.
“When we founded the company we decided on four rules. First, we would sell to governments only, and not companies or individuals. You can imagine how many people and companies tried to buy the technology, and we always said no. The second rule is that we don’t sell to every government, because not every government in the world should have these tools. Looking back 11 years after the company was founded, we have 45 customers, but 90 countries to whom we refused to sell. The third rule is that we don’t activate the system, we just install it, instruct how to use it, and leave. The fourth rule is that we want to be under the Defense Ministry’s regulatory oversight. We have been under voluntary oversight since 2010, even though the law for defense and security oversight of cyber companies was written only in 2017. We haven’t ever made a deal that wasn’t under oversight.”
Q: Why did you refuse to sell to certain countries?
“Because there are governments that you know you can’t trust. That violate human rights, that bug journalists, that are corrupt.”
Q: Some of the countries you do sell to also have problematic track records: Saudi Arabia, Morocco, the United Arab Emirates.
“I won’t discuss any specific customer, but most of the countries we work with, more than two-thirds, are European countries. They comprise most of our business, and these are countries that use this tool to fight terrorism and crime. The attempt to portray a situation in which all these governments do is sit and listen to journalists is completely delusional.”
Q: Still, the list that was published includes plenty of journalists who were allegedly tracked.
“If any of our customers listened to journalists, that’s really bad, and they won’t be a customer any longer.”
Q: You say that it’s the customer who decides the list of targets. It could be that your customers exploit the system, and simply haven’t been caught.
“We choose our customers carefully, and we make very strong deals with them that allow us – in the case that they are found to be exploiting [our tools] – to cut them off. Every customer receives very clear instruction about what they are allowed and forbidden to do with the system.”
Q: Still, what oversight do you have for them?
“There is plenty. We limit the number of targets, and we limit them to certain territory in which they are allowed to operate. In every instance when we receive reliable information about abuse, we investigate. According to the contract, the customer has to give us access to some log and shows all the actions in which the system is used, and if we see anything out of bounds, we can shut them down.”
Q: Has that happened?
“Yes. We had five customers whose systems we shut down in the past few years.”
Hulio defines Pegasus as a “lifesaving program.” He says that in a world in which conversations are encrypted end-to-end, there is no other alternative when it comes to battling major crime and terrorism.
“Once, you’d go to a cellular operator with a warrant and listen in on conversations. Today, there are applications that process data [in a way] that even the companies that develop them can’t access. So encryption is fantastic for regular citizens, but intelligence and law enforcement organizations need tools to prevent the next terrorist attack or crime. Thanks to our program, terrorist attacks have been prevented on almost every continent, and in the last few years over 100 pedophiles have been arrested. That wouldn’t have happened without Pegasus.”
Q: You always fall back on catching pedophiles and terrorists.
“Why was the company founded?”
Q: To make money.
“If all I wanted to do was make money, I wouldn’t forgo customers. In the past two years, we declined $300 million because of customers we shut off or did not agree to sell to, so apparently it’s not just about money.”
Q: Pegasus is a weapon. It’s good when it’s in good hands, and can be bad when it’s in less good hands.
“Unlike guns, which the minute you sell them you have no control over them, here we have control. If someone misuses it, we can cut them off.”
Q: But you say that you don’t have control, that the customer decides whom to track.
“I don’t understand. Mercedes sells a care, then a drunk person gets behind the wheel, runs someone over, and kills them. Does anyone blame Mercedes? It’s not clear why we are under fire. If there are complaints, they should be directed at the governments who violated [regulations] and listened in on journalists. Let people claim they violated human rights.”
Q: You really don’t understand? As we’ve said, this is a weapon. There are claims that your system helped with the murder of [Saudi journalist] Jamal Khashoggi.
“That claim was made, and we checked with all our customers to see if Pegasus had been activated against him, his family, his wife, his fiancée. We investigated very carefully, and discovered that our tools weren’t employed at any stage. It’s simply incorrect.”
Q: You claim that this is part of a wave of allegations, but NSO has been making negative headlines for years. There have bene plenty of reports that exposed cases of your system being exploited.
“I think that there is someone who is trying to paralyze these technologies by any means possible, and bringing everything possible to bear on the matter.”
Q: The fact is, NSO has become synonymous with “bad company.”
Why is Israel allowing Qatar constant nefarious conduct?