Pegasus Spyware and NSO Group

## The Mainstream Narrative

NSO Group positions itself as a legitimate cybersecurity firm selling "lawful intercept" technology exclusively to vetted government intelligence and law-enforcement agencies for combating terrorism, drug trafficking, and serious crime. The company insists it has no access to collected data, cannot operate the system for clients, and maintains strict export controls aligned with Israeli defense regulations. Israeli officials have historically defended NSO as a strategic asset, arguing that offensive cyber capabilities serve national security interests and that the technology prevents attacks when used appropriately.

## What's Been Under-Reported

The scale and indiscrimination of Pegasus deployment far exceeds NSO's stated use cases. The 2021 Pegasus Project investigation analyzed a leaked list of 50,000 phone numbers selected as targets by NSO clients since 2016—including at least 180 journalists, 600 government officials, and 85 human rights activists. Forensic analysis confirmed infections on devices belonging to Washington Post journalists, French cabinet ministers, and Mexican cartel investigators. NSO's client roster has included Saudi Arabia (linked to Jamal Khashoggi's family surveillance before his murder), UAE, Hungary, Rwanda, India, and Mexico—governments with documented records of targeting political opposition and press freedom. Internal Facebook litigation revealed NSO exploited WhatsApp vulnerabilities to infect 1,400 devices across 20 countries. Israel's Ministry of Defense maintains an export-license approval process, raising questions about governmental complicity in authoritarian misuse.

## Credible Dissenting Perspectives

Some cybersecurity professionals argue that sophisticated surveillance tools inevitably proliferate and that singling out NSO ignores similar capabilities developed by U.S., Chinese, and European firms. Former intelligence officials note that alternatives to commercial spyware—state-developed malware programs—may have even less oversight. NSO's lawyers contend that leaked data cannot be verified as authentic targeting lists and may represent phone numbers that were never actually surveilled. Israeli defense analysts warn that dismantling NSO could eliminate Western alternatives, pushing clients toward Chinese or Russian vendors with zero accountability mechanisms.

## Follow the Money and Power Dynamics

NSO Group was acquired by private equity firm Francisco Partners for $130 million in 2010, then later by Novalpina Capital for $1 billion in 2019. The valuation reflected booming demand from government clients willing to pay millions per deployment. Pegasus licenses reportedly cost $650,000 setup plus $500,000 annually for 10 phones, with premium add-ons for zero-click exploits. The Israeli government's role is pivotal: export licenses function as implicit endorsements, and intelligence-sharing arrangements with client states create diplomatic dependencies. After U.S. Commerce Department blacklisting in 2021, NSO faced credit defaults and reportedly explored sale to U.S. defense contractor L3Harris—a potential restructuring that would shift oversight to American jurisdiction while preserving capabilities governments consider essential.

## Open Questions

Does effective regulation of spyware require international treaty frameworks, or can export controls suffice? Can technical safeguards—audit logs, usage caps, client vetting—prevent abuse, or is misuse inherent in selling surveillance to authoritarian regimes? What legal liability should vendors face when clients violate human rights? How many other firms operate with similar capabilities but less public scrutiny? And fundamentally: should private companies profit from technologies that enable state surveillance of civilians?