NSO Group, an Israeli cyber intelligence company, got into the limelight last year. An activist named Ahmed Mansoor has been targeted with NSO Group’s iPhone spyware, dubbed Pegasus. This spyware contained zero-day iOS exploits, so it was able to silently jailbreak Mansoor’s iPhone and install itself on it. Apple had to urgently patch their mobile OS as a result. A couple of days ago, another NSO Group’s product got into the news. Google and Lookout have detected an Android spyware app, dubbed Chrysaor, running in the wild of a few dozen devices. Chrysaor has been attributed to the NSO Group by the researchers.
Information on NSO Group is scarce. The company only deals with governments, hence it has no website or social media. The founders, Omri Lavie and Shalev Hulio, don’t give interviews to foreign press as a policy. Two years ago Hulio did speak on an Israeli tech podcast “Hashavua” (The week). What follows is a transcript of the cybersecurity related parts of the podcast, with the questions highlighted in bold:
- Tell us about NSO and Kaymera
- And what is Kaymera?
- Tell us a bit about cybersecurity
- How many offensive cyberSecurity companies are there in the world, in Israel?
- Why are they called offensive?
- So is it a kind of weapon? Are you an arms dealer?
- So to summarize, cybersecurity companies provide the means to monitor to end users and to conduct surveillance on them on the offensive end, and to prevent the same thing on the defensive end?
- How are cyberSecurity companies structured? For example, Facebook has a mobile development team, design team, etc. Now A cyberSecurity Company would have an exploit research team, OS research team, etc. Can you tell us about that?
- How are exploits found?
- After all, WhatsApp doesn’t want you to read their messages. Google and Apple don’t want you to break their operating systems.
- Let’s talk about the business side of cyberSecurity. Is it a good niche for a tech entrepreneur?
- Does every cyberSecurity StartUp founder needs to know that they will have to face the government a lot?
- Are there lots of investors in this field?
- Offensive cyber is strictly regulated by the state, and defensive is less regulated?
- So You give this advice to young cyber entrepreneurs: 1. Have someone in your team who has government facing skills . 2. Defensive cyber is growing right now and is less regulated.
- Last question. You’ve told us that you love technology, but you don’t code. A lot of people want to found start ups, but they cannot code, they don’t have the knowledge. So a tech entrepreneur who doesn’t code, what should he do? We ask you as a non-technical founder who has founded a 100 million USD start up.
- Thank you, Shalev
Tell us about NSO and Kaymera
NSO was founded by me and Omri Lavie, it was a kind of reincarnation of CommuniTake, a company that still exists in Yokneam. We had started with MediaND in 2006, later founded CommuniTake in 2008 and finally NSO in 2010.
Communitake allowed mobile network operators to control devices remotely for tech support purposes. Then we became aware of the operational and intelligence needs of those law enforcement agencies that work tightly with mobile operators. They have asked us to respond to these needs through Communitake, but Communitake was a bit reluctant to do that. So we told ourselves, if we cannot do it in-house, let’s exit and do it with NSO. That’s how NSO started.
With NSO we had a plan to build a system that would let all the law enforcement and intelligence agencies to control phones and exfiltrate data remotely(with or without the user’s knowledge), and then to collect and to present the data to the agencies. We thought that it would be simple, and of course it proved to be very complicated. But this is what NSO has been doing until now.
We work with many government agencies around the world. Solely with government agencies. We help with all the problematic hubs: fighting the drug cartels in Central America, war against terror(including ISIS) in Africa and Europe – in these areas we are very active and help government agencies.
And what is Kaymera?
We saw that the amount of data that can be exfiltrated from a phone is immense, and that there are no secure phones in existence. We have decided to build the most highly secure phone that we can – nothing can be 100% secure, but we are close to that.
Tell us a bit about cybersecurity
It’s very difficult to explain cybersecurity. I can divide the field into defensive and offensive.
In the past it was very simple to wiretap the bad guys. The law enforcement would just sit at the mobile operator’s office and listen to the bad guys talk. Since then surveillance has become much more challenging. WhatsApp, Skype, Viber, encrypted emails – law enforcement agencies are blind to all these technologies. Think about terrorists who plans an attack via WhatsApp, which is fully encrypted.
Here cybersecurity companies enter the picture. The idea is not to place a wiretap in the middle like they did in the old days, but to get to the end devices, to place trojan horses on the end devices and to monitor everything that takes place on the device. When you talk on Skype on your computer, it doesn’t matter that Skype encrypts the call – the trojan horse on your computer listens to your mic and records everything.
How many offensive cyberSecurity companies are there in the world, in Israel?
There are dozens of them in the world.
Why are they called offensive?
We talked about old style wiretapping, it was very passive. You sit in the middle and listen to what’s going on around you. In cybersecurity you have to know who is your target, what’s his laptop, what’s his phone. You need to identify an attack vector so that you can place your trojan horse in his phone or laptop. This is an offensive action and this how the Ministry of Defense defines it for the purposes of limiting sales and marketing of these products.
So is it a kind of weapon? Are you an arms dealer?
Yes, I am a warlord (laughs sarcastically). In my opinion, it’s not a weapon because it is not lethal. I think that weapons are supposed to kill and this is not my way, this is not our field. Our job is to protect, even if it’s called offensive cybersecurity. I cannot go into details, but in all the places where we have sold our systems – every day our systems save lives – they prevent terror attacks, help to locate hostages, help to prevent drug smuggling and even help to prevent armed insurrections.
At the end of the day, NSO is a technology company. We don’t perform operations by ourselves, we develop technologies. We sell these technologies to intelligence agencies, to governments and those use our technologies to stop crime, to stop terror and to maintain proper governance.
So to summarize, cybersecurity companies provide the means to monitor to end users and to conduct surveillance on them on the offensive end, and to prevent the same thing on the defensive end?
Not just to monitor, at the end of the day some cybersecurity companies work even on wreaking havoc and destruction – think about people who conduct DDOS attacks on servers. DDOS is another type of a cyber attack, it’s not for intelligence purposes but for causing damage.
How are cyberSecurity companies structured? For example, Facebook has a mobile development team, design team, etc. Now A cyberSecurity Company would have an exploit research team, OS research team, etc. Can you tell us about that?
Omri and me also invest in other cyber companies, so I can tell you about those. Big R&D department, a bit of marketing and sales, tiny management and that’s it. Usually, the founders of these companies are very tech-minded people who do research by themselves – NSO Group is an exception to this rule. Successful cybersecurity companies can employ just 10-20 people, mostly R&D people who are expert in operating systems, reverse engineering and exploits.
How are exploits found?
Operating systems are written by people, so there are bound to be mistakes and bugs. Nothing is perfect. So the idea is to find security faults.
After all, WhatsApp doesn’t want you to read their messages. Google and Apple don’t want you to break their operating systems.
Yes. This is what we have to deal with.
Let’s talk about the business side of cyberSecurity. Is it a good niche for a tech entrepreneur?
A very good niche, not just on the offensive end. But you have to understand that this is a market in which it’s extremely difficult to operate. First, there is regulation. Every meeting abroad needs to be approved by the Ministry of Defense, there is lots of bureaucracy involved.
Does every cyberSecurity StartUp founder needs to know that they will have to face the government a lot?
Are there lots of investors in this field?
In 2010 when we have founded NSO, it was hard to find investors who believed in this. We raised money only from angel investors. Now there is a lot of opportunity in this field and I meet a lot of young entrepreneurs, small startups of 2-3 people, usually graduates from the Intelligence Corps technological units. Usually they are interested in the offensive cybersecurity and I always recommend to focus on the defensive, because it less regulated.
Offensive cyber is strictly regulated by the state, and defensive is less regulated?
Correct. Think about Israeli companies like Checkpoint, they can sell their products to anyone without government approval. But even their firewalls eventually become vulnerable to cyber attacks. So I am saying that right now there are no good defensive security solutions, neither for enterprises nor for consumers.
So You give this advice to young cyber entrepreneurs: 1. Have someone in your team who has government facing skills . 2. Defensive cyber is growing right now and is less regulated.
I talked about regulation as one entry barrier. The other barrier is sales and marketing. Normal apps are sold via the app store. Enterprise software is distributed in Office Depot or sold by calling the relevant guy in the organization.
But in the cybersecurity case, imagine that you have to sell the government of Brazil. Actually, you don’t sell directly to the government, you sell to one of the Brazilian intelligence or counter-intelligence agencies. And this is a very complicated process for a startup. Israeli startups are technologically excellent, but are weaker with sales and marketing. And how do you find the relevant guy to sell to in the Brazilian intelligence? You can’t just google them. So sales and marketing here are very complex. They demand a lot of networking, a lot of legwork, find the relevant people. It is a very big challenge.
With NSO we have been very lucky. We have met the right person by chance and they managed to connect us. It’s clear that it’s easier for the new startups, because there are already some experienced people who can help. But still, it’s very difficult for a small startup with two co-founders from the Middle East to sell to an intelligence agency. So if anyone would ask me today, “should I found an offensive cyber start up that would sell to governments, or should I focus on the defensive consumer side?”, I would tell them to focus on the defensive. Your chances of success are much higher.
Last question. You’ve told us that you love technology, but you don’t code. A lot of people want to found start ups, but they cannot code, they don’t have the knowledge. So a tech entrepreneur who doesn’t code, what should he do? We ask you as a non-technical founder who has founded a 100 million USD start up.
An entrepreneur is an entrepreneur. An entrepreneur is someone who wakes up in the morning into a war zone. The whole world is against him. You have to solve problems the whole day, to face difficulties. You go against the grain. The fact that you don’t code is just another bump on the road.
It depends on the person. If you’re good at raising money, then raise money and hire coders. Or find a technical co-founder. There are lots of individual solutions, and lack of coding skills shouldn’t stop anyone. But what you have to do as a non-technical founder, is to consult with technical people and verify that your idea is viable. Don’t declare yourself a tech expert without being one – I have seen cases like this. Entrepreneurs should have a passion for technology, but coding skills are definitely not necessary.
Thank you, Shalev
Photo: JACK GUEZ / AFP