The international trade in digital surveillance tools has long been controversial, particularly their sale to repressive governments that have allegedly used them to target dissidents and journalists. That controversy reached a new level last year, when a handful of Israeli cyber firms were accused of selling highly sophisticated spyware to authoritarian regimes.
One firm, in particular, the NSO Group, became the focus of an international investigative consortium, composed of 17 leading media organizations, including the Washington Post, the Guardian, Le Monde and Haaretz, as well as Amnesty International and a media nonprofit. The consortium’s dozens of articles detailing its investigation were further amplified by the New York Times and other leading news outlets.
The consortium found that almost 200 journalists, dissidents, human rights activists and political leaders in 21 countries may have been targeted for surveillance using NSO’s Pegasus spyware tool. Controversially, the list included 13 current and former presidents and premiers, a king, the wife and fiancé of slain Saudi journalist Jamal Khashoggi and a murdered Mexican reporter. Allegations that then-Israeli Prime Minister Benjamin Netanyahu and the Israeli Defense Ministry sponsored some of the initial contacts between the Israeli firms and their future clients, including the UAE, Bahrain and Saudi Arabia, added to the damage.
While the revelations made it clear that the Israeli government should have exercised more stringent controls over exports, it had already taken steps to improve oversight and has since taken more. Importantly, despite the focus on Israeli companies in the consortium’s investigation, they are far from the only ones engaging in the kinds of practices it detailed. Firms from the U.S., U.K., France, Germany, Italy and elsewhere export similar software. A report from Meta, Facebook’s parent company, emphasized in late 2021 that “it is important to realize that NSO is only one piece of a much broader global mercenary ecosystem.”
Nevertheless, the consortium’s investigation put Israel’s cyber and high-tech export sector, and its relationship to the Israeli government and security services, in the spotlight.
Israel’s economy is the most tech-dependent in the world, with the largest number of high-tech startups per capita and the most investment as a percentage of GDP in high-tech R&D and venture capital. In 2020, just under one-third of global cyber investment was in Israel. And with its 13 percent share of all global cyber firms, Israel is second only to the U.S., which is home to 59 percent of them—but also approximately 37 times Israel’s population. It is not hard to understand why Israel has come to be known as the “startup nation.”
Israel’s cybersecurity sector, in particular, has been a remarkable engine of economic growth, part of a high-tech ecosystem that is based on a symbiotic relationship between the government, defense establishment, academia and commercial sectors. The importance of the defense establishment for Israel’s high-tech prowess cannot be overstated. The Israeli Defense Forces, or IDF, and intelligence agencies, in particular, have become important startup incubators and accelerators, with knowledge, capital and resources flowing back and forth between them. Compulsory military service enables the IDF to harness Israel’s best and brightest tech talents, providing Unit 8200—Israel’s version of the U.S. National Security Agency—with a total talent pool that rivals that of major global powers. The IDF’s critical need for highly trained and innovative personnel has made it one of the driving forces behind cyber education in Israel, both by supporting the public school system and in numerous IDF training programs.
Given its great importance for Israel economically, diplomatically and militarily, the cybersecurity sector will undoubtedly continue to enjoy strong governmental backing.
Cyber exports, including surveillance tools, have also become an important component of Israel’s foreign relations. “Cyber diplomacy” has helped build ties with a variety of states, including a number of regional neighbors, which have overcome their historical animosity to Israel in part to gain access to Israeli cyber technology. Cyber diplomacy proved especially important in the decisions by the United Arab Emirates and Bahrain to normalize relations with Israel in 2020, and has become a part of Israel’s deepening security ties with Morocco.
Last year’s investigation into NSO Group’s clients, and the use they made of its tools, put that cyber diplomacy in a more problematic light, as those clients included several repressive governments. But they also included democracies, such as India, as well as the CIA, which bought Pegasus on behalf of the government of Djibouti, and the FBI, which bought it for use in criminal investigations but ultimately decided not to use it. The Secret Service, U.S. Africa Command and the Drug Enforcement Agency also considered buying Pegasus, but apparently rejected it because of the cost.
After the scandal erupted, the U.S. government put NSO and one other Israeli firm on a sanctions list, prohibiting them from acquiring U.S. technology. France and the European Union, as well as leading multinationals—including Apple, Microsoft and Facebook—and a number of human rights groups either expressed concern or called upon Israel to institute more stringent cyber export regulations.
Some six months after the international scandal, a domestic uproar erupted in Israel following reports that the Israeli police had made unauthorized use of Pegasus against prominent Israeli citizens. A formal inquiry subsequently disproved the charges, but not before the Israeli public became more sensitive to the dangers associated with spyware of this sort.
Until 2018 Israel had limited the export of cyber tools to defensive software, while essentially leaving it to the exporter to determine whether the product was offensive or defensive in nature. That was clearly an untenable approach. Israel subsequently began approving sales of offensive software, as well, leading to growing international criticism and demands for tighter controls. Israeli exporters countered that Israel’s export controls were already stricter than those of most countries, requiring a lengthy and demanding licensing process as well as a security clearance, which placed them at a competitive disadvantage. Israeli officials worried that a further strengthening of controls might result in firms moving abroad, depriving Israel of any ability to supervise their sales.
The government had thus already sought to balance these conflicting considerations even before the NSO scandal erupted, and it took further measures thereafter. On the one hand, it streamlined the rigorous export license process, shortening it from a commercially unviable year or more to just months. On the other, it adopted a number of measures designed to strengthen oversight. A new division was established in the Ministry of Economy and Industry to oversee civil cyber exports, in addition to the already extant Defense Ministry mechanism for defense-related exports. And the number of states to which offensive cyber software could be exported was cut by two-thirds and restricted mainly to Western democratic countries.
Israel at least initially considered lobbying the Biden administration to remove NSO from the sanctions list, although it is unclear whether these efforts continue or if Israel has instead decided to cut its losses and abandon them. Given the rapid development in ties between Israel and the UAE, Bahrain and Morocco in recent months, the NSO scandal does not appear to have affected these emerging relationships. As for NSO, it is reeling from the ongoing media attention and blacklisting, and it has reportedly negotiated its possible sale to a U.S. buyer and is considering shuttering the Pegasus division.
Despite all of the bad publicity, Israel’s cyber sector continues to flourish, with 2021 and early 2022 proving to be banner years. The cybersecurity sector alone, which employs just 1 percent of Israel’s national labor force, constitutes 10 percent of total exports and one-third of all tech exports. Given its great importance for Israel economically, diplomatically and militarily, the cybersecurity sector will undoubtedly continue to enjoy strong governmental backing. Much attention is also being given today to the areas of artificial intelligence and quantum computing, again with strong governmental involvement.
Israel’s cyber export sector paid a reputational cost for last year’s controversy, but its companies are just a part of the large international market for the surveillance tools that Israeli firms excel in. Intergovernmental efforts to regulate that market to prevent the kinds of abuses detailed in last year’s investigation have so far stalled. Until that changes, the reality of the international demand for Israeli companies’ expertise means they will continue to play a major role in Israel’s economy and its cyber diplomacy.
Chuck Freilich is a former deputy national security adviser in Israel and the author of “Israeli National security: A New Strategy for an Era of Change” and the forthcoming (fall 2022) “Israel and the Cyber Threat: How the Startup Nation Became a Global Cyber Power.”