On Tuesday, news broke of a potential acquisition that could upend the surveillance industry if approved: NSO Group, one of the most well-known and troubled spyware vendors on the market, may be bought by L3Harris Technologies, a major American defense contractor that specializes in a wide assortment of surveillance and military products. The next day, the White House fired a shot across the bow, putting both companies on notice.
The acquisition, which was originally reported by Intelligence Online, has been met with consternation from both government and industry. For one thing, NSO has been tied to surveillance scandals all over the world and has been broadly decried by civil society groups as violating human rights. For another, the U.S. Commerce Department blacklisted NSO from doing business with any American companies in November. The White House lambasted the acquisition, which has not materialized yet and is subject to government approval, as an attempt by the embattled company to get around the ban and refurbish its public image after several years of nearly incessant controversy related to its powerful malware, particularly the mobile spyware Pegasus.
In an email to Gizmodo, a senior White House official said that the government “opposes” the circumvention of U.S. sanctions. “The U.S. Government, and the White House specifically, has not been involved in any way in this reported potential transaction,” said the official. “While we can’t speak to this particular report, the U.S. Government opposes efforts by foreign companies to circumvent U.S. export control measures or sanctions, including placement on the U.S. Department of Commerce’s Entity List for malicious cyber activity.”
After being tied to a number of high-profile spying scandals, the Israel-based NSO was placed on the Commerce Department’s “Entity List”—which is effectively a blacklist of foreign companies whose operations run counter to the interests of the U.S. Government. Inclusion on the list means that companies can’t receive products or services from U.S.-based firms, and firms that do want to provide such services have to acquire a special license—which is a hoop that most just don’t want to jump through. Since NSO has historically relied on digital infrastructure from tech giants like Amazon, its placement on the blacklist is thought to have seriously hobbled its business operations and led to ongoing financial turmoil. In short, the company is broke.
An acquisition might not solve NSO’s business woes, though. In a statement to The Guardian, a WH official said that even if a cleared defense contractor acquired a company on the Entity List, it would “not automatically remove a designated entity from the Entity List, and would spur intensive review to examine whether the transaction poses a counterintelligence threat to the US Government and its systems and information, whether other US equities with the defense contractor may be at risk, to what extent a foreign entity or government retains a degree of access or control, and the broader human rights implications.”
Gizmodo reached out to NSO Group and L3Harris Technologies for comment but did not hear back. We will update this story if either company responds.
In a statement to The Guardian, L3Harris said: “We are aware of the capability and we are constantly evaluating our customers’ national security needs. At this point, anything beyond that is speculation.”
A White House official similarly told Gizmodo that surveillance systems like those sold by NSO “pose a serious counterintelligence and security risk to U.S. personnel and systems.” While the official didn’t extrapolate on what kind of “counterintelligence” risk he was talking about, it isn’t that hard to figure out.
The problem appears to be the NSO Group’s ties to the Israeli government, which are reputed to be quite extensive. Many of the company’s employees formerly worked for Unit 8200, the nation’s spooky cyber intelligence division (it’s a little bit like the American National Security Administration), and NSO is also thought to have acted as a diplomatic tool, allowing the Israeli state to develop closer ties to governments all over the world through the firm’s powerful spyware sales. As a result of this close relationship, allowing NSO’s products to flourish in the U.S. could pose serious surveillance risks, experts believe.
“The CIA isn’t going to use Russian radios to communicate with its agents, right?” said John Scott-Railton, a senior researcher at Citizen Lab at the University of Toronto. “NSO’s code is developed by former members of the Israeli intelligence services and the company is very closely connected to those services. Using code developed by people from another intelligence service is an obvious counter intelligence risk if you’re using it for high-sensitivity activities.”
While the U.S. and Israel are officially allies, even the best of international friends can’t necessarily be trusted on a technical, code-based level. The FBI reportedly spent two years mulling whether to acquire a surveillance system from NSO dubbed “Phantom.” The bureau later claimed that this had been engaged in a “counterintelligence” effort, though questions still remain whether that was truly the case or not.
“What’s interesting is that the White House has clearly also flagged the same concerns that civil society is talking about. It’s not just that there are human rights concerns here, it’s not just that there are concerns about transparency and accountability, it’s also that there is a big, blinking national security and counterintelligence problem with NSO Group,” said Scott-Railton.
Even though the U.S. and Israel are considered to be “special” allies, that hasn’t stopped the two countries from targeting each other with espionage—over and over again. In the 1980s, the Pollard affair—which involved a U.S.-born intelligence analyst passing secrets to Israel—caused no small amount of acrimony. In 2014, a classified U.S. intelligence briefing led one Congressional staffer to call Israel’s spying efforts “very sobering…alarming…even terrifying.” In 2019, Israeli operatives were discovered planting mysterious cell phone surveillance devices near the White House, though the Trump administration declined to pursue any sort of punitive action.
In the case of NSO, where the company has close ties to the Israeli government and is flaunting some of the most powerful digital surveillance equipment in the world, security concerns may be high. In one case already, NSO’s Pegasus was allegedly used to spy on U.S. State Department officials in Africa.
If NSO’s reputation were to be rehabilitated, but its products posed too much of a security risk to be adopted by federal agencies, Scott-Railton worries that the tools might find their way into the hands of local police departments in the U.S. Previous reporting has shown NSO is willing to sell its surveillance products to local police agencies in the U.S., most notably the San Diego Police Department.
From Scott-Railton’s perspective, NSO’s more odious activities have been driven by a relatively mundane corporate imperative: growth.
“At the end of the day, this is about making money,” he said. “The way the industry is structured, to really make big returns, you have to sell to problematic customers. So the industry in its current form...is just a walking abuse problem.”
Private equity firms have largely provided the financial backbone that has allowed the spyware industry to thrive. NSO’s current owner is Novalpina Capital, a private equity fund managed by consulting firm Berkeley Research Group. Before that, NSO was owned by Francisco Partners, another private equity firm, which took leave in 2019 amidst one of many scandals.
Scott-Railton further said that the ongoing issues with NSO could help determine the future support private equity firms show to the spyware industry.
“If NSO manages to come out with some sort of a win, then there’s going to be a lot of [future financial] support. If they wind up looking really bruised from this, then I think a lot of investors are going to continue to stay away,” he said.