The Daily - The U.S. Banned Spyware — and Then Kept Trying to Use It
Episode Date: May 15, 2023A little over a decade ago, a small Israeli company created what would become the world’s most powerful and notorious hacking tool.Mark Mazzetti, who is a Washington investigative correspondent for ...The Times, explains the surprising story of the NSO Group and why, despite banning its technology, the United States kept trying to use it.Guest: Mark Mazzetti, a Washington investigative correspondent for The New York Times.Background reading: The Biden administration has been trying to choke off use of hacking tools made by the Israeli firm NSO. It turns out that not every part of the government has gotten the message.The president signed an executive order seeking to limit deployment of a tool that has been abused by autocracies — and some democracies — to spy on dissidents, human rights activists and journalists.For more information on today’s episode, visit nytimes.com/thedaily. Transcripts of each episode will be made available by the next workday.
Transcript
Discussion (0)
From The New York Times, I'm Sabrina Tavernisi, and this is The Daily.
A little over a decade ago, a small Israeli company created what would become the world's
most powerful and notorious hacking tool.
powerful and notorious hacking tool. Today, my colleague Mark Mazzetti on the surprising story of NSO and why, despite banning its technology, the U.S. kept trying to use it.
It's Monday, May 15th.
So, Mark, where does this investigation start for you? I've been covering national security and intelligence issues for a number of years.
And several years ago, became interested in this group of companies that were offering this
new weapon, a kind of hacking tool that could crack the iPhones that all of us carry around
every day. And what I thought was particularly interesting was that whereas sort of hacking tools were once the purview of a small group of very
powerful and wealthy countries, what these new companies offered was to kind of democratize this
in a way, right? Give every nation on earth access to powerful hacking tools that they could just sort of buy off the shelf.
And so the landscape of surveillance fundamentally changed.
Any country can buy this for the right price.
And pretty soon it became apparent that there was one company that stood out from the rest. And that was a company called NSO.
from the rest. And that was a company called NSO. NSO was founded in Israel by three men who had done their military service, which is mandatory in Israel, came out of the military, and they
realized that they could recruit from the ranks of these elite Israeli hackers who were coming out of these highly secretive units
of the Israeli intelligence services
at a time when cyber warfare was becoming a big deal.
And there was this recognition that the skills
that these people learned in the military
and intelligence services actually could be applied
in the private sector.
And in 2011, the company unleashed this powerful tool called Pegasus.
Tell me about Pegasus. What exactly does it do?
So what Pegasus does is it is able to penetrate smartphones and extract basically every bit of
data from the phone, whether it's photos, emails, messages, videos, basically anything your phone,
Pegasus can get to. And not only that, it can kind of reverse itself and turn your phone into a recording device to record you.
Whoa.
And then that gets sent back to whomever is targeting you.
So it is both a tool that extracts information, but it's also a powerful spying tool in itself.
That's like James Bond.
So your phone actually becomes a device that spies on you.
Yes.
Bond. So your phone actually becomes a device that spies on you. Yes. And most importantly,
it finds its way around the problem of encryption. And what I mean by that is,
one of the things that had bedeviled hackers was the fact that there was this rise of encrypted information. That if we have a phone call, if I send a message, it was encrypted so that those
who were trying to steal it couldn't steal it because it would just be a bunch of gobbledygook,
right? What Pegasus did was find a way around encryption. So any phone could be targeted,
no matter whether it was using encrypted software or not. And this became incredibly appealing for governments
to use for both good and for ill.
Basically, any government that is trying to track people
and get information are potential clients.
Law enforcement services, intelligence services,
police forces, that they could basically sell this tool
to governments around the world.
And they sold it as this tool that could revolutionize espionage, revolutionize policing.
So the first client of NSO was the government of Mexico, which at the time then and now is dealing with a major problem of narco traffickers.
And what they were particularly interested in was hacking the BlackBerrys of narco traffickers.
Okay. BlackBerrys. This is a while ago.
Remember that?
Yes.
And so they signed a deal with NSO for Pegasus. And there was, soon enough, a pretty big success,
which was capturing the notorious drug trafficker,
Joaquin El Chapo Guzman.
So huge success.
I mean, that was a very famous high-profile catch.
That was.
What soon happens, though, was that the Mexican government
not only used it to go after the people it was intended
or sold on to go after,
but it started going after journalists, political dissidents, human rights activists,
basically others that they saw as threats.
So it's becoming this double-edged sword, really, in a way.
That's right.
But all the while, NSO is signing up new clients left and right. And it's the sort
of boom time for the company because it is taking its successes with its previous clients using
Pegasus and signing on new governments that are interested in the powerful tool. They even signed a deal for $55 million with the Kingdom of Saudi Arabia.
And the Saudi government quickly used Pegasus as part of its broad campaign to crack down on
dissent inside and outside of Saudi Arabia. There was even evidence that Pegasus was used to track the associates of Jamal Khashoggi,
the reporter who was killed in 2018. In Istanbul, famously, yes.
That's right. And so this notoriety with Pegasus culminated in the summer of 2021.
This might sound like the plot of a Hollywood spy movie.
When a consortium of news organizations published what they called the Pegasus Project.
A group of media organizations has uncovered evidence of a massive spying effort.
Revealing how the hacking tool Pegasus has been used by governments around the world
to spy on dissidents and journalists via their mobile phones.
The project revealed a whole host of examples of abuse of Pegasus and ways that governments
had bought the tool for one reason but used it for different purposes.
Big names have now been added to the list of possible targets.
French President Emmanuel Macron, Pakistan's Prime Minister Imran Khan.
Several members of Arab royal families, at least 65 business executives, 85 human rights activists.
And it showed the use of Pegasus was far larger and more widespread than was ever known before.
The evidence would suggest that the company has been all too willing to sell its spyware to repressive governments known to crush dissent.
And it created a reaction across the globe.
Governments from India to Jordan to Morocco
had to face new accusations
that they were spying on their own citizens.
And I think in many ways it crystallized this issue
that had been percolating for many years,
and now it was revealed that this is a full-blown scandal.
So it was kind of a wake-up call in a lot of ways.
Like, hey guys, you know, these governments, yes, may be using this technology to find terrorists and hunt down criminals, but also are using this technology to spy on their own citizens,
to take down human rights activists.
That's right.
And these revelations really were a catalyst for Western governments
calling for the end of the use of these kind of tools.
for the end of the use of these kind of tools.
And the Biden administration, in the fall of 2021,
takes this big step,
and it puts NSO on a Commerce Department blacklist,
which basically bans American companies from doing business with NSO.
Okay, so a bunch of countries, including the U.S.,
are taking this very principled position that these tools are anti-democratic and should not be used.
So is that the end for NSO? Is it dead at that point?
Well, it wasn't dead, but I'd say it was on life support.
were investigating at the time and have subsequently revealed
is that despite these public comments
by the U.S. and others
about the threat that NSO poses,
the United States government
was far deeper into NSO and Pegasus
than it ever wanted to let on.
We'll be right back.
So, Mark, you said that the U.S. was far more involved with Pegasus than they ever had let on publicly.
What did you find?
Well, we found three main things.
The first is that despite this very public stance by the U.S. government against NSO, the FBI actually bought Pegasus back in 2019.
Huh.
The FBI, like law enforcement agencies around the world, are looking for any tools they can get to better surveil their targets.
Now, it might be possible that various intelligence agencies like the National Security Agency
might have tools that are similar to Pegasus.
But that doesn't necessarily mean they're sharing them with the FBI.
And so the FBI, to a degree, was seduced just like all these other countries were by the
power of Pegasus.
Okay, so you reveal this connection between the FBI and Pegasus.
What was the fallout?
Well, after we reported it, the FBI director, Chris Wray, had to testify before Congress about why the FBI had purchased the tool and did it ever get used.
was we mostly purchased this just to see how bad guys might use it.
Like, we're the FBI.
Our job is to sort of study how bad guys operate.
And we bought it to, in essence, sort of reverse engineer it and just sort of see how it works.
But through a Freedom of Information Act request, we got a whole lot of documents from the FBI.
And it tells a different story. What the documents show is that the FBI got pretty close to actually deploying Pegasus. And there was a lot of interest in parts of the FBI to use it in
FBI investigations, to go after the targets of the FBI. There were memos circulated,
there were briefings to a pretty high level of the FBI. And were memos circulated. There were briefings to a pretty high level of
the FBI. And there was even discussion of, well, how would you represent to a judge that you'd use
Pegasus as part of your investigations? Is any of this legal? So it's a very interesting window
into the FBI sort of looking at a new tool and trying to figure out about whether it could use
them. Okay, so the first takeaway is that the FBI actually got a lot closer to using Pegasus than
it seemed from the director's public comments. What was the second thing you found?
We found that there was this pretty aggressive campaign by NSO and the private equity firm that owns NSO to kind
of Americanize the company.
In other words, take the tools that NSO would become famous for and strip it away from the
scandal and just take those tools and be able to sell them to American law enforcement, intelligence
agencies, and the closest partners of the United States.
Okay, so what happens?
What do they end up doing?
So NSO set up kind of an American holding company that is tasked only with trying to
find American government clients for Pegasus and the other NSO tools. And they actually found
someone. So not long after the Biden administration decides to blacklist NSO, the company starts
having discussions with a big defense firm called L3Harris. And L3Harris specializes in this kind of
hacking and electronic warfare stuff. And L3Harris clearly saw the potential benefits of
taking over these tools that so many governments around the world had wanted to buy.
But how did they get around the blacklist?
They had to try to convince the government to take them off the blacklist.
So another Freedom of Information Act request we put in was to the Commerce Department.
And what we found in those documents was that L3 Harris pretty aggressively lobbied the
Commerce Department.
And in meetings and emails, they had a pretty big Washington law firm advance their cause
with the clear aim of basically putting this in stark terms.
This is an American national security issue.
in stark terms. This is an American national security issue. So they went pretty hard at trying to, it seems from the documents, get NSO off the blacklist, because that would have seemed
to have been a prerequisite before they bought it. And so these talks go ahead until they leak
out in the middle of last year. There are some reports that L3 is in talks to purchase NSO,
year. There are some reports that L3 is in talks to purchase NSO. And pretty much immediately,
the White House puts its foot down and say, no defense firm should think that just by purchasing a blacklisted company that we don't worry about those tools anymore,
or that the company gets off the blacklist. So in other words, hey, L3 Harris, don't think that
you can pull a fast one here.
We are on to you and we're not going to let this happen.
So the White House steps in, says, stop your lobbying.
We don't want to have this.
This is not going to happen.
Right.
And that effectively killed the deal.
OK, so now NSO was trying to revive itself. Again, it fails. So what's the third thing you found?
The third thing we found kind of takes us right up to the present day.
We kept learning of other parts of the U.S. government that had some interest in, you know, these kinds of tools.
you know, these kinds of tools. And we came across a contract that, interestingly, was signed just days after the Biden administration put NSO on a blacklist.
So wait, even after the government swore off working with NSO, it had signed a deal with a company? Well, yes. So the contract is between NSO
and this American firm that the FBI had used a couple years ago to purchase Pegasus. And in the
contract, it says quite explicitly that the U.S. government is the end user of this product.
And what the product is, is it's another NSO tool
to help track people around the world.
It's called Landmark.
And from our reporting,
we found out that this contract was still active
and it had been used to target phone numbers in Mexico.
And when we went to the White House,
they said it was news to them
that they didn't know about this active contract with NSO. So it became this big mystery.
Okay, so maybe one hand doesn't know what the other hand is doing, but it also could be a case
of, you know, the technology is just so good. Like, we can't resist it. We're addicted to it.
Like, we can't resist letting bad guys use it when we have the chance to get in there and use it as well.
I think if you look at these tools kind of like weapons, as we have, you know, history has shown that powerful weapons are coveted by powerful governments around the world. And governments that have them don't want to give them up.
And those that don't have them want to get them.
And so I think this is just another example of that phenomenon, that these tools which
give governments an enormous amount of power to spy on people around the world, they're
not only coveted, but they're not going away.
Already, we've reported that there's another Israeli company, one called Paragon,
that the U.S. is using. It's very similar to NSO. It doesn't have the reputational baggage.
But when we went to the White House and said, OK, do you have a problem with this company?
They said, well, no, there's no history of its tools being abused. So for now, we're OK with it.
So kind of like nuclear weapons, right? Like on some level, we all think to ourselves,
this is a very bad idea. I mean, it can only lead to bad outcomes. But somebody creates it
and there's a lot of public hand-wringing,
but then everybody wants it. And the next thing we know, we're in an arms race.
We're in an arms race. And the interesting thing is like, unlike nuclear weapons, which were so
powerful that eventually sort of a whole group of rules developed about when you might use them.
In this case, these are sort of so easy to deploy,
and you can do it without sort of having any fingerprints of you deploying them. So it's
sort of lowered the bar even more for governments to want to use them. In other words, there really
aren't any repercussions for governments to use these weapons. Despite the damage that they do.
Right.
Mark, thank you.
Thank you.
We'll be right back. Transcribed by — in Turkey went to the polls on Sunday in what was a referendum on the country's populist leader,
Recep Tayyip Erdogan. Preliminary results released by Turkey's election board early Monday
show that Erdogan had 49.5% of the vote and his main challenger, Kemal Kilicdaroglu, had 44.8%.
If neither candidate wins an outright majority, as looked likely early Monday,
they will go to a runoff at the end of May. It is the closest challenge to Erdogan's rule since
he took power in Turkey, a member of NATO and a U.S. ally, 20 years ago. He faced an extremely
tight race, largely because of anger at the state of the economy and concerns among many voters
that he has pushed the country toward autocracy.
And President Vladimir Zelensky of Ukraine met with Germany's leaders in Berlin on Sunday,
his latest stop on a diplomatic tour aimed at shoring up support among Western allies
and pushing for faster deliveries of weapons as a Ukrainian
counteroffensive looms. The visit followed meetings with Pope Francis and the Italian
prime minister and came as Germany pledged nearly $3 billion in fresh assistance for Ukraine,
an arms package that amounted to as much as Germany has given since the war began.
Zelensky ended his tour of European capitals in Paris on Sunday evening,
where he dined with French President Emmanuel Macron.
Today's episode was produced by Asta Chetrevedi,
Rochelle Banja, and Mary Wilson,
with help from Sydney Harper and Claire Tennesketter.
It was edited by Michael Benoit and Mark George, contains original music by Marian Lozano and Rowan Nemisto. Thank you. That's it for The Daily. I'm Sabrina Tavernisi.
See you tomorrow.