Ten years after founding the company, he made the rare decision to speak about NSO Group, the intelligence industry, and what transparency could look like for spyware companies. This, he says, is the most important thing the industry can do now: “We’ve been accused, with good reason, of not being transparent enough.”
Culture of silence
Formerly a search-and-rescue commander in Israel’s military and then an entrepreneur focused on technology that remotely accessed smartphones, Hulio has said he founded NSO Group in 2010 at the urging of European intelligence agencies. Back then, NSO marketed itself as a state-of-the-art cyberwarfare firm.
It entered the global spotlight in 2016 when Ahmed Mansoor, a human rights activist in the United Arab Emirates, received what’s been called the most famous text message of all time. Researchers say it was a sophisticated phishing lure sent by a government; it contained a link that, if clicked, would have taken over Mansoor’s phone with spyware. Experts at Citizen Lab, a research group at the University of Toronto, analyzed the link and pointed to Pegasus, NSO’s flagship product. The revelation led to a great deal of scrutiny of the company, but NSO remained silent. (Mansoor is currently serving a decade-long prison sentence for insulting the monarchy—a dictator’s description of his work to further human rights.)
That response was partly a function of the company’s ownership at the time. In 2014, NSO had been bought for around $100 million by the American private equity firm Francisco Partners, which had a strict no-press policy that Hulio says led to a harmful culture of silence.
“No interviews—we couldn’t talk to journalists except to say no comment, no comment, no comment,” he says. “It created lots of bad things for us, because every time we were accused of abuse, we had no comment.”
This, he says, was a mistake to be avoided in the future by companies like NSO—which last year was sold for $1 billion to the European private equity firm Novalpina and the original founders, including Hulio himself.
“The industry should be more transparent,” Hulio says. “Each company should be much more accountable for who they sell to, who are the customers, what is the end use for each customer.”
In fact, the text sent to Mansoor proved to be a blessing in disguise for investigators. Mansoor, who had already been targeted by surveillance for many years, was suspicious and didn’t click the poisoned link. Instead, he shared it with experts. But these days the hacking industry is increasingly using more advanced techniques that keep their activities as unobtrusive as possible—including so-called “zero-click” techniques that infect targets without their taking any action at all. WhatsApp is suing NSO Group for hacking the app to silently infect phones. Targets in Morocco have reportedly experienced “network injection” hacks that raise no alarm, require no cooperation from the victim, and leave little trace.
“The pitch from hacking companies is that criminals and terrorists are going dark because of encryption and states need an ability to chase them down their dark hole,” says John Scott-Railton, a senior researcher at Citizen Lab. “Increasingly, at the high end, companies selling these techniques are the ones going dark. It’s not just WhatsApp. We’ve seen sales of vulnerabilities against iMessage, [telephone software] SS7 as a delivery for zero-click vulnerabilities, and a lot of network injection. Because of this, it’s almost impossible for us to get visibility of the scale of the problem. We can only guess at scale. We only know some players. The market is growing, but we lack a lot of information about abuses.”
It was never an easy job to understand the full scope of the hacker-for-hire industry. Now the techniques and indicators investigators have long relied on as clues are becoming rarer, quieter, and more difficult to spot. The stealthy new arsenal makes it extraordinarily difficult to hold hacking companies and intelligence agencies accountable when human rights abuses occur.
Perhaps surprisingly, Hulio agrees emphatically that the hacking industry is going dark. When I ask him if the industry is taking enough steps toward transparency and accountability, he shakes his head and points a finger at his competitors:
“Actually, I think it’s the other way around. The industry is going away from regulation. I see companies trying to hide activity and hide what they’re doing. It’s damaging the industry.”
By contrast, Hulio claims, NSO is trying to reverse course under its new ownership. Although it is facing the high-profile WhatsApp lawsuit and dozens of allegations of abuse of Pegasus, Hulio insists the company is evolving. The fact that he’s talking to journalists at all is one obvious change, he says, and so are the new self-governance policies and a public commitment to adhere to the United Nations Human Rights Guidelines. How much the talk translates to reality is still an open question: three days after the company announced a new human rights policy in 2019, researchers from Amnesty International say, Pegasus was used to hack Moroccan journalist Omar Radi.
But Hulio suggests that his rivals are dodging transparency and accountability by moving their businesses or finding havens to operate from.
“They’re opening companies in countries where you don’t have regulation mechanisms, in Latin America, Europe, the Asia Pacific region—where regulation is very weak, so you can export to countries that you cannot export to from Israel or other places in Europe,” he explains. “I see companies trying to hide activity by changing the name of the company over and over again. Or through mechanisms like building research and development in one site, sales cycle to a different company, deployment through a third company, so you cannot trace who is doing what.”
That may be true, but NSO Group itself goes by a string of other names, including Q Cyber Technologies in Israel and OSY Technologies in Luxembourg. It has a North American wing called Westbridge. Its employees are spread out internationally. Israeli media have reported on the company’s links to shell companies and byzantine deals. Over the years, it has operated a confusing network of other companies around the world, and this corporate maze has made it nearly impossible to understand its dealings and actions—a crucial task when hacking tools can be abused by authoritarian governments with devastating consequences.
So what would accountability look like? When NSO Group first appeared, the Wassenaar Arrangement, a crucial arms export control agreement between 42 countries, had no cyber dimension. Israel had no cyber export law. Now Israel’s Ministry of Defense is governed by the country’s Defense Export Control Law—NSO Group has reportedly never been denied an export license—but on a global scale, the hacking industry remains largely hidden, opaque, and unaccountable despite its growing power and capabilities.
“There are loopholes,” Hulio says. “Not all countries are part of the Wassenaar agreement. I truly think it’s very hard to do something international. Obviously international is a great idea, but just like there are countries that act as tax shelters, there are countries that act as export regulation shelters. Those countries need global mechanisms of regulation.”
Who is in the crosshairs?
Dozens of abuses by users of NSO’s technology have been alleged since the Mansoor incident first pointed a spotlight at the company. When such allegations are made, NSO begins an investigation. If accounts conflict, NSO can demand logs that reveal targets. More often than not, Hulio says, the customer will say that the allegations against it are true, the targeting is real—but that their actions were legal under local law and the contract they signed. That leaves it up to NSO and the customer to hash out whether the targeting is indeed legitimate.