[dredmorbius]

NSO (and its infrastructure) are the vulnerable single point of control. That's in fact part of the service they're offering, whether they realise it or not: outsourcing blame, exposure, culpability, and liability. Something like how a re-entering spacecraft is fitted with a sacraficial ablative heat shield. The shield's job is to absorb punishment, often destroying itself in the process, protecting the more valuable payload.

The problem with this model is that NSO are, as with heat shields, replaceable. A new target will appear to take its place.

But that too will draw attention, it will have to assemble talent (leadership, engineering, sales, operations), and will itself have vulnerabilities. As I suggested in a thread yesterday, playing in the field of dirty ops raises prospects for piercing the corporate shield of liability for all those involved: the firm, its personnel, investors, creditors, suppliers, and where identifiable, clients.