Export controls strangling cyberattack industry
In the past few days, a small, little-known Israeli cyberattack company called Nemesis shut down. The company, which tried to compete with NSO Group with spyware that takes control of smartphones, was never exposed by the media and did not even have a company website.
Its closure marks for many in the Israeli cyberattack sector a new era in relations between the Defense Ministry and the Israeli industry.
Several senior figures in the sector told Globes Nemesis shut down after the Israel Defense Exports Control Agency (DECA) refused to grant a license to export its intelligence software to countries in South America and Africa. In several other instances, the approval process was continually extended with no further response. Eventually, the company collapsed under the weight of its employees’ salaries – most of whom were highly skilled cyber coders, who expect the highest of salaries.
US pressure
Many senior executives in Israel’s cyberattack industry have complained in recent weeks of an abrupt change in policy by the Defense Ministry toward Israeli companies exporting spyware for intelligence use. Since January, the Defense Ministry has limited the number of countries with an exemption for marketing licenses for spyware to 38 countries in Western Europe and North America, as well as Asia-Oceania countries such as Australia and New Zealand, South Korea and Japan.
Israeli defense exports totaled $11.3 billion in 2021, of which about 4% was in intelligence and cyber systems worth about $450 million.
When new measures were announced last November, the widespread assumption in the industry was that cyberattack exports would not be banned to countries that were not blacklisted, such as India, Poland, Chile, Mexico and the UAE. The expectation was that individual export permits would be needed from the Defense Ministry for the sales process of each individual deal.
However, in the past few months, it has become clear that the Defense Ministry has been issuing few, if any, marketing or export permits to countries outside the aforementioned list of exempted countries. This is likely following US pressure exerted on Israel.
Last November, the Biden administration declared that war on harmful spyware, which, among other things, was intended for tracking opposition figures or human-rights activists around the world, was part of US foreign policy. The US struggle on the matter focused on Israeli companies NSO and Candiru, which were put on the Department of Commerce’s blacklist, while a range of Greek, French, German and Chinese companies were not blacklisted.
A starved industry
The closure of Nemesis is a portent of future difficulties for other companies in Israel’s cyberattack industry, senior sources told Globes. Companies such as NSO itself – as well as Cognyte, Quadream, and Wintego – are among those who have suffered in recent months from lack of approvals for new deals and cancellation of export permits. Some have claimed that their permits were canceled just before they expired; in more extreme cases, some were canceled long before they expired.
The Defense Ministry, in cooperation with the Foreign Ministry, IDF and other organizations, examines every deal in which a cyberattack company is interested; this procedure takes about 45 days. In recent months, senior sources have reported that DECA personnel have repeatedly required an extension of the examination process so that requesting a marketing license will take longer. Ultimately, most of the requests are not approved.
“An entire industry is being starved,” a senior executive at one company told Globes. “They leave us in the dark, and they don’t tell us where our request stands, and if it has not been approved, they don’t explain why. It seems as if the state has given up on the cyberattack industry without actually saying so. But if that is the policy, then why not say so upfront? They are chewing things over until the entire industry bleeds to death.”
Another senior executive in the industry said: “The state is trying to tell us that we should forget about markets in South America, Africa and some of the countries in Asia. But it’s simply not possible to close down complete markets for an entire industry, while also asking it to rely on just Europe and North America. It’s a crowded and unprofitable market that cannot support Israel’s industry as it is today.”
Many countries that were once seen as viable export markets for Israeli products have undergone dramatic changes. South America, for example, has seen a wave of progressive socialist governments come to power in some of its countries, and they are not terribly fond of Israel.
Eastern Europe fills the vacuum
Foreign companies have naturally stepped into the vacuum that has been created by DECA, including the European countries that have been operating in the cyberattack market since its formation. Although three veteran European cyberattack companies – German company FinFisher, French company Emsys and Italian company Memento Labs (formerly Hacking Team) – are no longer active due to stricter EU regulation, other companies from Eastern and Southern Europe have become active exporters of spyware.
One of them is Intellexa, founded by Col. (ret.) Tal Dilian, who formerly headed a technological unit in the IDF Intelligence Corps and currently lives in Greece. Research by the University of Toronto’s Citizen Lab said Intellexa markets Cytrox Predator spyware, which obtains software from cellphones and competes with NSO’s Pegasus.
Intellexa reportedly undertakes its sales operations from North Macedonia, which is not an EU member and not subject to its supervision; instead, North Macedonia is subject to the Wassenaar Arrangement on cyberattack exports.
Among Intellexa’s customers are countries that DECA no longer provides permits for, including Bangladesh, Turkey, Egypt, Indonesia, Saudi Arabia and Oman. In addition, the company is conducting talks with the UAE, a country in which many other Israeli cyberattack companies operate.
Another issue that DECA must cope with is the export of intellectual property (IP) of cyberattack companies. Cyberattack companies divide their IP into two categories. The first is cyber vulnerabilities; in other words, information about breaches that can affect operating systems or apps on various smartphone devices. The second category is attack systems – hacking tools that exploit security vulnerabilities to enter and draw out content from the user’s device.
Companies supervised by DECA cannot export vulnerabilities or attack tools without an explicit permit. However, supervision in recent months might encourage Israelis to set up companies specializing in the development of cyber vulnerabilities that can theoretically be sold overseas without supervision by the Defense Ministry.
Alternatively, some Israelis could shut down their companies and reopen them abroad, although this would require foregoing IP developed in Israel.
“We live in a global world, and within five minutes, you can open a company abroad and do things no less sophisticated in the US and Europe,” said a senior executive. “And if they make it difficult to live here and do the things that we are good at doing, we won’t fight over something that we cannot win.”
The Defense Ministry said: “The Ministry, in cooperation with the Ministry of Foreign Affairs, has tightened supervision over the past year on cyber exports and, among other things, has published a revised formulation for the ‘end user declaration’ that every country is required to sign as a condition for receiving licenses, for the export of cyber gathering systems and/or intelligence systems. Alongside this, the State of Israel is examining special assistance for the cyber industry, which will protect their capabilities, even in a reality of stricter global regulation.” (Globes/TNS)