Commentary

Governments Should Decide Who Gets to Buy Spyware

And the world must face the fact that offensive cyber tools have evolved into weapons that are no different from tanks, drones, or missiles.

Following media accusations that Israel's police misused NSO Pegasus spyware — which is able to closely monitor mobile phones — against its own citizens, including a state witness in the ongoing trial of former Prime Minister Benjamin Netanyahu, a government investigation recently determined that the police did nothing wrong and acted within the law.

What's important here is not the outcome of the investigation itself but the fact that Israel investigated the police rather than NSO, a local company that also exports its products. But the police investigation appropriately underlines that the ethical burden of how these tools are used ultimately lies with their direct users and the governments that buy them — or allow them to be exported — and not with the vendors alone.

The same technology has come under fire for its use abroad, including allegedly being used to aid the Saudi government in its killing of columnist Jamal Khashoggi and to track dissidents in Mexico and the United Arab Emirates. In addition to receiving public criticism for how its product was used, NSO and another Israeli cyber company have also been blacklisted by the US government, which means American companies cannot sell technology to them. These moves show how some government administrators (and public opinion) are wrongly placing all of the blame for how spyware is used on the makers of the spyware itself.

Who Is Responsible for the Use of Offensive Cyber Tools?
The world must recognize that offensive cyber tools have evolved into weapons that are no different from tanks, drones, or missiles. Thus, as with traditional weapons, the responsibility for their use is ultimately in the hands of those who use them, whether that is law enforcement, militaries, or intelligence agencies, as well as the governments that allow them to be exported.

Although it may sometimes be technically possible for the company to see where the tools are being used, or how often, it is naive to think that these companies are able to monitor their use in any meaningful way. It is logistically impossible, especially since the tools are often used by those who require intelligence clearance to aid in classified activities. Private companies should also not be in the position of deciding what tools the police can use, and for what; that is the role of the government.

Regarding the export of these tools, the Israeli government approves which cyber technologies can be exported and to whom — similar to how it and many other countries regulate traditional weapons exports. The Israeli government also recently said that it would reconsider its list of foreign governments that these tools can be sold to, following the US blacklisting amid public concerns and allegations that foreign governments that bought the tools used them to target dissidents and human-rights activists.

But again, NSO — or any similar company for that matter — cannot reasonably be held responsible or blamed for the use of the tools. After all, the company sold them only to countries that the Israeli government had cleared (and mainly to countries that regularly buy powerful traditional weapons from Israel and the US); any responsibility for their misuse abroad lies with the government that approved their export (as well as with the foreign users) — not with the maker of the cyber tools.

Ethical Code
Of course, this does not mean that cyber companies are exempt from any ethical code; in fact, they have strict red lines they cannot cross. These include that they can export attack tools only to approved lists of governments and cannot sell them to individuals, non-government groups, or terrorist organizations. If a company has indeed followed all of these guidelines, it has done its job, at least on an ethical level.

After all, a private company cannot be expected to understand the intentions and the ethical and legal posture of foreign governments that may be interested in buying or using such tools, or to fully grasp the intricacies of the society they may use them in and the possible ramifications. While this is also challenging for governments, they have more expertise and have taken on this responsibility for decades when it comes to deciding to which countries they export traditional weapons.

There is no question that as the cyber industry evolves, the tools, both defensive and offensive, will become more powerful. When used appropriately, these tools can save lives by stopping violent crimes through tracking phones, or preventing cyberattacks on critical infrastructure. They can also, no doubt, be abused. But this fine and complicated line, especially when the potential buyers of the tools are one’s own government or an allied nation, is way beyond the scope of the private sector. This is a judgment call for governments.

Expecting cyber companies alone to play the main role in deciding who uses their tools is not only unreasonable, it is dangerous.
