The weapons have given governments the power to conduct targeted, invasive surveillance in ways that were unavailable before the advent of the tools. This power has led to abuses, from the Mexican government spying on journalists who were investigating military crimes to Saudi Arabia using NSO technology to hack the devices of political dissidents. The use of spyware against journalists and opposition figures sparked a political scandal in Greece.
Rampant abuse of commercial spyware has led to growing calls from Western political leaders to limit access to them. And yet their power makes the tools alluring to intelligence services, militaries and law enforcement agencies in democracies and autocracies alike. The story of NSO’s push to break into the United States market brings to life how these tensions have played out.
President Biden signed an executive order last week to clamp down on government use of commercial spyware. It prohibits federal departments and agencies from using hacking tools that might be abused by foreign governments, could target Americans overseas or could pose security risks if installed on U.S. government networks. The order covered only spyware from commercial entities, not tools built by American intelligence agencies, which have similar in-house capabilities.
After this article was published online, the senior administration official told The Times that if there was a contract in November 2021 giving the United States access to the NSO tool, it would violate the new executive order.
Even as the Biden administration has showcased its efforts to drive NSO out of business, it was clear even before the revelation of the latest contract that some agencies have been drawn to the power of these cyberweapons.
Elements of America’s expansive national security apparatus in recent years have bought the weapons, deployed them against drug traffickers, and have quietly pushed to consolidate control of them into the hands of the United States and its closest allies. As The Times reported last year, the F.B.I. purchased access in 2019 to NSO’s most powerful hacking tool, known as Pegasus, which invades mobile phones and mines their contents.
A subsequent Times investigation has found:
- The secret November 2021 contract used the same American company — designated as “Cleopatra Holdings” but actually a small New Jersey-based government contractor called Riva Networks — that the F.B.I. used two years earlier to purchase Pegasus. Riva’s chief executive used a fake name in signing the 2021 contract and at least one contract Riva executed on behalf of the F.B.I.
- The deal unfolded as the European private equity fund that owns NSO pursued a plan to get U.S. government business by establishing a holding company, Gideon Cyber Systems. The private equity fund’s ultimate goal was to find an American buyer for the company.
- A potential deal last year with L3Harris, the American defense giant, to buy NSO’s hacking tools and take on the bulk of its work force was far more advanced than previously known. Despite NSO being on the Commerce Department blacklist, L3Harris executives had discussions with Commerce Department officials about the potential deal, according to internal department records, and there was a draft agreement in place to finalize it before the White House publicly objected and L3Harris dropped its plans.
This article is based on more than three dozen interviews with current and former American and Israeli government officials, corporate executives, technology experts and a review of hundreds of pages of government documents, some of them produced under Freedom of Information Act requests by The Times.