ALPS blog

NSO Group debate: Responsible disclosure versus profit

by Richard Werner, Business Consultant

A few days ago, in globally coordinated coverage, various media outlets uncovered a cybersecurity story about cyber-espionage software allegedly used by states. At the centre of the affair is the software Pegasus, an infiltration tool from the Israeli NSO Group that targets vulnerabilities in the code of mobile operating systems. The group specialises in selling hacking tools or services to interested state parties. Its stated purpose is to fight terrorism and crime. According to the company, lives have been saved with its software because potential perpetrators could be identified in time. On the other hand, there is the accusation that it is also used to monitor human rights activists. For example, a connection was made between NSO Group’s software and the journalist Jamal Khashoggi, who was murdered in Turkey in 2018. What responsibility does a manufacturer have for its product? Background and debates.

Modern monitoring devices

The NSO Group’s tools are known in the cyber community as technically sophisticated. Among other things, they allow smartphones to be taken over, because many functions can be performed remotely by whoever controls the tool. The special feature is that no jailbreak or rooting is necessary to achieve this goal. For the victim, an attack is therefore very difficult to identify as such. The smartphone then becomes a surveillance unit… a “modern bug”, if you will. By activating the microphone or camera at will, it is possible, for example, to eavesdrop on confidential conversations within one’s own four walls and to identify contact persons. It is not surprising that such misuse of a smartphone is possible. Under the keyword “parental control” or “employee monitoring”, commercial tools can be found that can be rented as a service for a few hundred euros a year to intervene deeply in the private lives of others. In contrast to the NSO tool, however, these require a jailbreak or rooting. So in theory you would have to be in possession of the phone to install something like this… or google how to do it without. (By the way: the Trend Micro Mobile Security solutions do identify such tools as malicious. This is also confirmed by AV-TEST.)

Fighting crime with surveillance software

The term “fighting crime” is politically defined. In the “Western” world, the group of criminals comprises terrorists and criminals; in monarchies it can also include democratically minded persons, and in totalitarian systems human rights activists as well. From the point of view of the software producer, only the purpose can be defined, and in the case of the surveillance tools currently being debated, the purpose is to digitally intervene in a person’s private life against their will.

Whether the “end justifies the means” or whether said person is a legitimate target remains a political and legal question. For the technical production of such software, this consideration is irrelevant. It is developed to work on systems that are used by many people, not just criminals. Only whoever coordinates the use of these tools and the data flowing back decides who becomes the “victim”. In a statement, the NSO Group explains that it does not operate its own services and therefore does not have any data on the people concerned – a perfectly understandable statement given the purpose of the software. However, it also implies that the moral decision to use the software rests with the buyer.

Selling security vulnerabilities to states

The discussion on Pegasus rehashes an older topic. Manufacturers of operating systems or applications usually do their utmost to protect their products from abuse of this kind. As always, there are exceptions, as reported by the Süddeutsche Zeitung.

A loophole of any kind that allows external access to data or information is naturally also abused by cyber criminals. This must be prevented by all means. That is why security researchers all over the world are looking for such loopholes. On the one hand, researchers are rewarded for their findings through bug bounty programmes; on the other hand, they work together with the affected manufacturers to close these gaps.

Such security gaps are what open up a niche for companies like the NSO Group, because they too specifically search for such vulnerabilities, which they either find themselves or buy from third parties. Unlike members of the security community, however, they do not close these gaps but keep them secret for as long as possible, because the company’s business model consists of selling them on to states, with or without services, exclusively or not. This is interesting for all governments that cannot afford to finance their own researchers or specialists for such tasks. However, there is a certain “entrepreneurial risk” that the vulnerabilities will be found and closed early by the IT security community, and that the attacks built on them will thereby be uncovered and discussed internationally, as already happened in the case of Pegasus in 2016.

To be fair, it must also be said that the group is not the only company with such offerings. Trading in unpatched vulnerabilities is a business model that is currently completely unregulated. The intentions of any institution that buys such a vulnerability and then does not pass it on to the manufacturer should always be questioned.


Every government and government agency that buys from such a company must be aware of the fact that the supplier also supplies other states, which may include those that commit acts of injustice from a Western democratic perspective.

This makes one’s own actions, of whatever kind, a politically sensitive issue. After all, in the public discussion, surveillance is often equated across the board with spying on people who are being unjustly persecuted, which calls into question the political integrity of the government in question. This explains both the clear denials in the answers of many states questioned about cooperation with the NSO Group and the thoroughly aggressive argumentation with which they are presented. Regardless of whether a government is really a customer of such a company, any kind of proximity to it is vehemently denied. What is concealed in the process is that precisely such tools are needed for the digital fight against crime, which is also demanded in many EU countries.

The position of the cybersecurity community

From our point of view, security gaps must be closed as soon as they are discovered. Trend Micro runs the world’s largest bug bounty programme, the Zero Day Initiative. We are supported by other industry partners and independent security researchers around the world. The vulnerabilities acquired through this programme are immediately reported to the manufacturer of the affected software so that it can close the gaps. The technical term for this is “responsible disclosure”. Only through such programmes can the exploitation of security gaps by cyber criminals be effectively combated. We would very much welcome it if states used their financial resources to contribute to the general security situation by also closing such gaps. However, as long as we evaluate cyber-attack tools according to the motivation of their users, this will remain merely a naïve wish.
