Since the NSO / Pegasus investigation broke there are now 18 high end global media outlets that are working in consortium to track the story and the fallout. They have the data, and we rely on them. This is a very different set of circumstances than the Snowden revelations eight years ago. With that story, only two outlets had real access. Those outlets were firmly dealt with by the Anglo American intelligence community. The Washington Post got bought out by Jeff Bezos with the CIA's money in a deal brokered by former CIA Director George Tennet, who was now head of the Allen and Company investment firm. The Guardian.UK eventually had a number of it's computers seized and destroyed on their own premises by officials from Government Communications Headquarters (GCHQ), which is what the UK calls their version of the NSA. The lead reporter on these stories, Glenn Greenwald, was exiled to the Intercept, and Brazil.
The NSO / Pegasus story arc will likely not see the same level of Anglo-American pushback and the public should understand why. As we previously reported, Although the NSO Group is an Israeli company, it is owned by an Anglo-American investment firm investing American public sector pension funds. This has not been reported in the consortium press, but the Washington Post did manage to get an unforced error in a statement from NSO “We also stand by our previous statements that our products, sold to vetted foreign governments, can not be used to conduct cybersurveillance in the United States, and no customer has ever been granted technology that would enable them to access phones with U.S. numbers.”
In light of the President of France appearing on the list of targets this is a huge reveal. Macron's phone number appeared in a group of Algerian and Moroccan phone numbers during a time that he was visiting Algeria. Morocco is a known client of NSO and was likely spying on both domestic dissidents and their Algerian neighbors. Getting the President of France while he was in a targeted country will still yield information that is useful to Morocco as both an intelligence trade item and for it's own sake. Macron was collateral damage.
France and Belgium, who also had their head of state targeted, are not amused. Pakistan, which had some of it's top tier politicians targeted, likely by India, is not amused. Pakistan and France are nuclear powers. In France's case, a major power had it's head of state snooped on by a smaller state. The asymmetrical capability that Pegasus software grants smaller countries is not a laughing matter to larger countries.
The NSO Group is closely connected to the Israeli government and intelligence establishment. Buky Carmeli, the Former Director General and Founder of the Israeli National Cyber Security Authority, works there. As reported in Axios, Israeli officials said “NSO's export license included terms about the misuse of spyware, the reports would likely influence future deals involving NSO and other Israeli companies.” The key words there are “NSO's export license.” The official's did not say software license or terms of use. The license being discussed was not issued by the NSO Group to their clients. The license being discussed was an export license issued to NSO by the Israeli government. This sentence, together with the slip to the Washington Post, tells us a great deal about the nature of the software and the nature of the law and international agreements that govern it.
If I were to give myself sufficient coffee and time and walk across the hall from my office to my workshop I could build some hacking tool or another. It would not be as good as Pegasus, but it would do.. something. Then I would have a hacking tool in my workshop and a coffee induced ulcer. Where the problems would begin for me is if that tool left my workshop. My legal problems would be very serious if I sold this tool outside the United States, regardless of how I or my buyer used it or even if either of us used it at all. I would have violated arms export laws.
This has been known in the hacker community since the early 1990s when I was a college student and Phillip Zimmerman first released his free version of PGP on the internet and I downloaded it. PGP, or Pretty Good Privacy, was the first publicly available implementation of the RSA public key algorithm. Zimmerman faced a long legal struggle over this, and some hacktivists went so far as to print the meat of the code on t-shirts purely for the purpose of walking through an airport and getting on a plane to thumb their nose at the then Customs Department. Military grade cybersecurity tools, both offensive and defensive, are considered arms by our government and almost all governments around the world.
The right to export hacking tools is a foreign policy decision. Should I wish to export my previously mentioned hypothetical hacking tool, I would have to apply for a license to the State Department. A similar legal pathway exists in all countries. This is an international norm.
NSO was granted the right to export these tools to other countries by Israel. Israel said so today. NSO admitted that their little toy does not work on phones with American numbers. The Israeli defense establishment clearly knows this. No such safeguard stops Pegasus from working on a British of French phone, as the consortium's reporting has shown.
American public sector pensions paid for this, and it is clear that Israel was not going to let this technology be used on Americans. This can only mean that the American government was aware that the technology was being developed for export by Israel and asked for or imposed certain conditions. Israel, like any state, will always act in it's own interest, even when that involves spying on the United States for nuclear secrets, which it has been caught doing.
Why is Pegasus different? What did Israel gain aside from a revenue stream? What did the United States gain? The obvious answer is intelligence access. NSO, and therefore Israeli intelligence, obviously has access to take from it's product. They are obviously sharing it with the NSA while not spying on Americans. Pegasus is a joint project with United States intelligence that just got caught with it's hands in Macron's cookie jar. The consortium is allowed to pass the blame to Israel, who is not accountable, and there will be little interference from the United States because the American role in the affair will be largely ignored.