A Case Against Security Nihilism (blog.cryptographyengineering.com)

I get the feeling I am going to be linking to a lot of NSO Group-related pieces over the next little while. There are a couple of reasons for that — good reasons, I think. The main one is that I think it is important to understand the role of private security companies like NSO Group and their wares in the context of warfare. They function a little bit like mercenary teams — Academi, formerly Blackwater, and the like — except they are held to, improbably, an even lower standard of conduct.

The second reason is that I think it is necessary to think about how private exploit marketplaces can sometimes be beneficial, at great risk and with little oversight. There are few laws associated with this market. There are attempts at self-regulation, often associated with changing the economics of the market through bug bounties and the like.

Which brings me to this piece from Matthew Green, cryptographer at Johns Hopkins University and mobile device security researcher:

NSO can afford to maintain a 50,000 number target list because the exploits they use hit a particular “sweet spot” where the risk of losing an exploit chain — combined with the cost of developing new ones — is low enough that they can deploy them at scale. That’s why they’re willing to hand out exploitation to every idiot dictator — because right now they think they can keep the business going even if Amnesty International or CitizenLab occasionally catches them targeting some human rights lawyer.

But companies like Apple and Google can raise both the cost and risk of exploitation — not just everywhere, but at least on specific channels like iMessage. This could make NSO’s scaling model much harder to maintain. A world where only a handful of very rich governments can launch exploits (under very careful vetting and controlled circumstances) isn’t a great world, but it’s better than a world where any tin-pot authoritarian can cut a check to NSO and surveil their political opposition or some random journalist.

Sounds appealing, except many of the countries NSO Group is currently selling to are fantastically wealthy and have abysmal human rights records. I must be missing something here because I do not know that there is a way to increase the cost of deploying privately-developed spyware so that its use is restricted from regimes that many people would consider uniquely authoritarian, since they are often wealthy. Amnesty researchers found evidence of the use of NSO’s Pegasus on Azerbaijani phones, too: like Saudi Arabia, Azerbaijan is an oil-rich country with human rights problems. And then there is the matter of international trust: selling only to, for example, NATO member countries might sound like a fair compromise to someone living in the U.S. or the U.K. or Canada, but it clearly establishes this spyware as a tool of a specific political allegiance.

We must also consider that NSO Group has competitors on two fronts: the above-board, like Intellexa, and those on the grey market. NSO Group may not sell to, say, North Korea, but nobody is fooled into thinking that a particularly heinous regime could not invest in its own cybercrime and espionage capabilities — like, again, the North Korean ruling party has and does.

But — I appreciate the sentiment in Green’s post, and I think it is worthwhile to keep in mind as more bad security news related to this leak will inevitably follow in the coming days and weeks.