What Was Behind Failed U.S. Purchase of NSO Group and Pegasus?

This studio photographic illustration shows a smartphone with the website of Israel's NSO Group which features 'Pegasus' spyware, on display in Paris, on July 21, 2021. (Joel Saget/AFP)

​Last February, PPSA reported that NSO Group, the Israeli cybersecurity company that produced the malware Pegasus, had been placed on a U.S. Commerce Department blacklist. Pegasus is to malicious spyware what a supercomputer is to a calculator. It penetrates smartphones remotely, without requiring any security mistakes or phishing attempts. Once inside a smartphone, Pegasus extracts all its information. Then it reconfigures the smartphone into a tracking and recording device.
 
The U.S. blacklist heavily restricts the ability of American companies to do business with NSO Group. Despite the ban, the FBI purchased Pegasus in 2019 and stores it under lock and key. It has long been an open question whether a U.S. administration would succumb to the temptation to use Pegasus for domestic surveillance purposes.
 
Now, we have some idea of the degree of U.S. government interest in Pegasus.
 
It has been revealed that L3Harris, an American military contractor, had been in recent talks to purchase NSO Group. It is hard to imagine that occurring without the secret blessing of at least some U.S. intelligence officials. People familiar with the negotiations said the technology has been of interest to the FBI and the CIA for several years. The negotiations continued well after the Commerce Department’s blacklist was issued and were only discovered in June when the proposal was leaked to the press. Since then, the Biden White House has signaled outrage over the potential sale and vowed to challenge any deal. Although L3Harris has since withdrawn from negotiations, the role of U.S. intelligence officials raises several questions.

• The role of U.S. intelligence officials in the planned NSO Group acquisition is troubling. Does this attempt to buy NSO Group mean that the U.S. national security apparatus has changed its mind about using Pegasus?

 

• If so, how seriously were some in the government contemplating deploying Pegasus for U.S. domestic surveillance?

 

• Given the fierce response from the White House against L3Harris, was this a case of poor internal communication, or was the U.S. intelligence community and L3Harris intending to do a runaround of the blacklist?

 

• On the other hand, given Pegasus’ abilities, could the case be made that the purchase of NSO Group by a U.S. firm might be the most reasonable option? Is it wise to leave such a powerful piece of malware in the hands of those who have sold it around the world, with the risk Pegasus will become the security equivalent of the Covid-19 pandemic?

 
Unless or until there is another leak or an enterprising journalist digs deeper, we can only ask these questions.