“The hacker-for-hire industry is now too big to fail”
MIT Technology Review, December 28, 2021
by Patrick Howell O’Neill
“This is a big moment of turbulence and change for the hacking business. But the demand is here to stay.”
A shock has reverberated inside Israel in the last few months. NSO Group, the billion-dollar Israeli company that has sold hacking tools to governments around the world for more than a decade, has drawn intense scrutiny after a series of public scandals. The company is in crisis. Its future is in doubt.
But while NSO Group’s future is uncertain, governments are more likely than ever to buy cyber capabilities from the industry NSO helped define. Business is booming for “hackers for hire” firms. In the last decade, the industry has grown from a novelty into a key instrument of power for nations around the world. Even the potential failure of a major firm like NSO Group isn’t likely to slow the growth.
Just this month, Facebook reported that seven hacker-for-hire firms from around the world had targeted around 50,000 people on the company’s platforms. The report spotlighted four more Israeli companies alongside operations from China, India, and North Macedonia. The fact that the investigation didn’t even mention NSO Group shows that the industry and its targeting are far more vast than what the public can typically see.
NSO Group has been besieged by criticism and charges of abuse for years. In 2016, the United Arab Emirates was caught targeting human rights activist Ahmed Mansoor using NSO Group’s Pegasus, a tool that leverages software flaws to hack iPhones and turn control over to NSO Group’s customers. In that case, the UAE government was seen as the culprit, and NSO walked away unscathed (Mansoor is still in prison on charges of criticizing the country’s regime).
The pattern repeated for years: over and over again, governments would be accused of using NSO hacking tools against dissidents, but the company denied wrongdoing and escaped punishment. Then, in mid-2021, new reports emerged of alleged abuse against Western governments. The company was sanctioned by the US in November, and in December Reuters reported that US State Department officials had been hacked using Pegasus.
Now NSO Group faces expensive public lawsuits from Facebook and Apple. It has to deal with debt, low morale, and fundamental threats to its future. Suddenly, the poster child for spyware is confronting an existential crisis.
All of this is familiar territory. The secretive hacker-for-hire industry first splashed across international newspaper headlines in 2014, when the Italian firm Hacking Team was charged with selling its “untraceable” spyware to dozens of countries without regard for human rights or privacy violations.
Hacking Team opened the world’s eyes to a global industry that bought and sold powerful tools to break into computers anywhere. The resulting storm of scandals seemed to eventually kill it. The company lost business and the ability to legally sell its tools internationally. Hacking Team was sold and, in the public’s mind, left for dead. Eventually, however, it rebranded and started selling the same products. Only this time, it was a smaller fish in a much bigger pond.
“The demise of Hacking Team did not lead to fundamental change in the industry at all,” says James Shires, assistant professor at the Institute of Security and Global Affairs at Leiden University. “The same dynamic and demand still exists.”
About the Author:
Patrick Howell O’Neill is the cybersecurity senior editor for MIT Technology Review. He covers national security, election security and integrity, geopolitics, and personal security: How is cyber changing the world? Before joining the publication, he worked at the Aspen Institute and CyberScoop covering cybersecurity from Silicon Valley and Washington DC.