During a House Intelligence Committee hearing on foreign spyware Wednesday, one company dominated discussion: NSO Group.
The controversial Israeli spyware company is best known for Pegasus, a spyware capable of discreetly extracting messages, contacts, photos, and videos from a target’s phone without ever even needing to click a link. Pegasus has been used by client governments from Saudi Arabia and United Arab Emirates to Mexico and Rwanda to infect the phones of dissidents, journalists, human rights organizations, and even U.S. officials.
Carine Kanimba, the daughter of arrested Rwandan dissident Paul Rusesabagina, testified about her experience as a victim of Pegasus even after seeking refuge with her family in Texas; “It is horrifying to me that they knew everything I was doing, precisely where I was, who I was speaking with, my private thoughts and actions, at any moment they desired,” she told the committee.
Shane Huntley, the Senior Director of the Threat Analysis Group at Google labeled Pegasus “a weapon against which there is no defense.”
Last November, the Biden Administration blacklisted NSO Group after a series of national security breaches were brought to light – including the infection of the phones of 11 American diplomats in Uganda. Kanimba, an American citizen, testified that there were times when the spyware “was active during calls with the U.S. presidential envoy for Hostage Affairs team and the U.S. State Department,” despite NSO Group’s claims that its spyware cannot be used against Americans.
Rep. Joaquin Castro (D-TX) drove this point home while addressing Kanimba:
“NSO Group claims its spyware cannot be used against Americans…Your experience is clear evidence that this is simply not true, as [is] the experience of U.S. diplomats in Uganda and other locations who had their phones hacked with NSO spyware.”
Perhaps Pegasus’ most famous target is Jamal Khashoggi, a Saudi dissident and American resident murdered at the direction of Saudi Crown Prince Mohamed bin Salman. Though it’s unknown whether Khashoggi’s own phone was infected with Pegasus, the phones of several people in Khashoggi’s inner circle, including his close friends and fiancée, were penetrated. Now, an organization created by Khashoggi, Democracy for the Arab World Now, or DAWN, is mobilizing pressure against NSO Group’s lobby operation in Washington.
But even as Pegasus has been used to target Americans and American residents, some in government have wanted to weaponize what NSO Group is offering. Last month, defense firm L3Harris was in talks to buy NSO Group’s spyware capabilities, and even claimed that U.S. intelligence agencies “supported the acquisition as long as certain conditions were met.” ( L3Harris has reportedly dropped its bid under pressure from the Biden administration.) Meanwhile, the FBI even tested NSO’s spyware, with the Israeli company reportedly offering it an attractive workaround designed specifically to target American phone numbers and turn them into “intelligence gold mine(s).”
To NSO Group, potential business with the federal government represents redemption for a company in a tailspin with a mountain of debt. John Scott-Railton, a Senior Researcher at the Citizen Lab, explained to the committee:
“Right now, doing business with the federal government, getting acquired by a U.S. company, or even doing business with an American police department is the golden prize for many in the spyware industry. As long as that remains a possibility for problematic actors, they are going to get support from investors because that is the prize…If we can make it clear that the door closes, then we can accomplish a lot.”
To keep that door open, NSO Group is doubling down on an all-American strategy: lobbying.
After NSO Group’s blacklisting, the company hired a series of lobbying firms in D.C. Today, the Israeli spyware company maintains an impressive influence operation that spans four separate firms: Chartwell Strategy Group, LLP, Pillsbury Winthrop Shaw Pittman, LLP, Paul Hastings, LLP, and Bluelight Strategies. DAWN’s Adam Shapiro told Responsible Statecraft that the hiring spree is likely related to renewed attention to the agency’s operations. “With the Whatsapp lawsuit, their placement on the entity list, and several Congressmen calling for Magnitsky sanctions, they needed to bring in a whole new batch of lobbyists.”
These firms have distributed materials to government officials papering over NSO Group’s human rights concerns. In a document distributed by Pillsbury titled “NSO Group: Here for You, Here for Good,” the firm boasts that it has developed an “unparalleled human rights governance program” and that its technologies have “made our world immeasurably safer.” In a position paper sent by Paul Hastings to Lisa Peterson, the Acting Assistant Secretary of the Bureau of Democracy, Human Rights, and Labor, “human rights” is referenced 104 times.
But those same lobbyists are now in hot water, facing accusations of violating the Foreign Agent Registration Act (FARA), the law that requires people representing foreign interests to register with the Department of Justice and disclose their relationship.
Last Friday, DAWN filed a complaint with the FARA Unit charging that lobbyists misrepresented the relationship between NSO Group and the government of Israel. In their FARA filings, all of the lobbyists reported that their client was not “supervised…owned…directed…controlled…financed by…or subsidized in part by…a foreign government, foreign political party, or other foreign principal.”
DAWN’s investigation alleges this is a misrepresentation. It cited “numerous examples” that indicate the Israeli government’s de facto control over NSO Group. It points, for instance, to a Guardian report detailing how “Israel blocked Ukraine from buying NSO Group’s Pegasus spyware for fear that Russian officials would be angered by the sale of the sophisticated hacking tool to a regional foe.”
On occasion, even revenue-driven lobbyists will reject contracts because of the reputational cost. Former Senator Barbara Boxer (D-Calif.) registered to lobby for Chinese surveillance company Hikvision, only to resign four days later due to public outrage. Yet, with NSO Group, that hasn’t happened. As Raed Jarrar, Director of Advocacy at DAWN asked, "What more must a company do to support dictators, enable gross violations of human rights, and attack privacy rights before lobbyists in Washington will say no to a contract.”
Not only is their lobbying operation intact, but the United States and its allies are home to some of the largest investors in NSO Group. Scott-Railton testified that “The largest owner of the majority owner of NSO Group is Oregon PERS (Public Employee Retirement System).”
Congress appears to be waking up to Washington’s complicity, passing provisions in both the annual defense and intelligence bills that, according to Tim Starks of the Washington Post, “would make it harder for U.S. firms to purchase companies on a Department of Commerce trade restriction list.” But Shapiro tells me that Congress needs to do more. “It’s really concerning that Khashoggi was murdered 5 years ago and in some ways, Congress is still at the beginning of figuring out what to do with this technology.”