Pegasus, the NSO Group, and Cyberweaponry (Part I)

CNN and the Washington Post have both reported over the past week that Israeli company the NSO Group and their Pegasus monitoring system may have been the driving force for the detainment and murder of American resident, reporter, and Saudi dissident Jamal Khashoggi. Citizen Lab has likewise reported that Omar Abdulaziz, a Canadian resident and Saudi activist, was likewise targeted by this specific spyware.

The NSO Group, for their part, denies involvement in either of these cases. Whether that's true or not, I really can't say. I do think it's pretty clear that their products were certainly used to surveil Omar Abdulaziz, at the very least. They also claim that they sell only to governments that are approved by the Israeli government. That, I fully believe is the case.

But these points really don't mean much. The larger question is, how are we going to handle regulating cyber weaponry in the future?

After all, everything that the Pegasus package does is illegal. In just about every country that has regulation handling cybersecurity. Yet the use of these tools is approved by governments that in many cases affect citizens that are residents in other countries. In this latest case, both of the affected activists lived in North America, but were targeted by Saudi Arabia by software that was approved for use by Israel, as well as the Saudis. They were both still Saudi citizens.

But is it legal for the government of the countries these two had citizenship with to commit crimes against them when they were resident in completely different sovereign nations? Say this was a different, more obvious crime, like assault. Would it be legal for either of these two to be assaulted by the Saudis in either Canada or the United States? I'm not sure, but when I've traveled it's been clear to me that I needed to follow the law of the country I visit, so I suspect it would not be legal. As I expect it would not be legal for any government (including that of the United States) to place spyware on my personal phone (though the US certainly has authority to do that after appropriate due process).

Also, there are a small number of other companies that do this kind of thing, including Hacking Team (though they may not be as active now as they have been) and Azimuth Security (they offer other services as well). This model reflects the migration of weapon systems to outside providers that we've seen in the past. But how does this work, really? I mean, if I start a small company that does this kind of thing and sells the use of my platform to anybody with the money to hire me, I'd expect to be spending a significant amount of time in a very small, dark room shortly after my first gig. The sale of these kinds of systems seems to reflect the processes used for other weapon systems, where national governments approve or disapprove of specfic sales. But will this model work for weaponized software?

Probably not.