by sjwhevvvvvsj 844 days ago
Fuck NSO Group.
4 comments

And, more importantly, fuck the states that support them, and the people who are complicit with them at any level.
They are too many.
NSO is just a strawman for the government of Israel. Surveillance technology is a very successful soft power tool, as the dictators crave its capabilities to stay in power. Pegasus is world class technology, so Israel could score a lot of brownie points by allowing these sales. Too bad they got too greedy and sloppy and allowed the phones of some US officials in Africa to be infected. Coincidentally there was a leak of 50000 phone numbers and NSO goes boom. Israeli "security diplomacy" rebuilt NSO and is still going strong, surprised I am not :-(
Yep. One could also say "fuck state surveillance", but it doesn't have quite the same ring to it (and coincidentally implicates Apple and the NSA).
Why? It serves no purpose, if it wasn't them, it would be New NSO Group instead. So long as these vulnerabilities exist, they're going to be exploited. Every time they find an exploit it's a moment of pure genius. With every new baseband and every new OS update there's a good chance that they find they have no answer. I don't blame the hackers in the slightest. It's also not useful to blame governments.

More useful to blame the systemic issues that allow these things to take place: the one that pops to the front of my mind is that the FCC has such a high degree of standards with modems that it results in a severe lack of competition. Google and Apple choose to release phones without contractually demanding full source access to the entirety of it so that it can be audited by their security teams. Those are things that can and should change.

What? Pegasus is not enabled by modem vulnerabilities. The primary vulnerabilities used on iOS phones are in Apple designed and implemented components and the primary vulnerabilities used on Android phones are in Google designed and implemented components.

The problem is not that Google and Apple did not have the opportunity to secure the vulnerable components. The problem is that their best teams with thousands of people and billions of dollars are completely incapable of designing systems secure against moderately resourced attackers.

They openly admit that their systems are defenseless against attackers with resources. Every single time their security is completely invalidated they make press releases like: "It was an unprecedented attack using never-before-seen techniques by highly sophisticated attackers." implying that they can not be blamed because look, they were "highly sophisticated" and it was "unprecedented" there is no way we could stop that. Even though every single attack is described that way.

You would be hard pressed to find a single technically competent security developer in any of these organizations who would claim their systems could stop their systems being totally and utterly compromised and their security completely invalidated by a single, individual, lone competent hacker with a year to work on attacks. A team of 3, forget about it. That is only in the low millions of dollars to completely invalidate their entire security story for all hundreds of millions to billions of systems worldwide.

No, the problem is not a lack of accessibility, effort, resources, or focus. The problem is that all of these large companies have failed for literal decades to develop systems secure against competent attackers. And the entire time they have been intentionally deceiving the public into thinking they can even though they know and admit they can not.

The solution is to stop believing these perennial incompetents and liars until they present solid, auditable proof. At least then they can not suck all of the air out of the room from people who actually know what they are doing.

> The problem is that all of these large companies have failed for literal decades to develop systems secure against competent attackers.

I don't think they tried. One of their main customers is a 3-letter agency which has no interest in the bugs getting fixed.

The NSO is only supplying a product for which there is insatiable demand from every government. If they wouldn't build them, someone else will.

They're kind of like arms manufacturers. Do you blame them if your government shoots you?

> The NSO is only supplying a product for which there is insatiable demand from every government.

There is also insatiable demand for nuclear weapons, but if a private company from the US started selling them to random dictatorships, yes, I would blame them.

Poland isn’t a dictatorship, it’s an EU member state and a member of NATO.

Also let’s not compare malware/spyware to nuclear weapons.

Poland can get their hands on any weapon or controlled technology they pretty much want.

Pegasus is notoriously sold to more than 40 countries worldwide, among them a fair share of dictatorships: Saudi Arabia, Belarus, Kazakhstan, Azerbaijan, (Hungary?), Bahrain, Russia...
It wasn’t sold to either Russia or Belarus, and the rest are countries that we sell weapons to all the time.

And I find it laughable that you put Hungary as a dictatorship; it’s an EU member and a NATO member.

You truly have some bias in your definition of dictatorship.
A bias towards democracy.
If the arms manufacturer explicitly works with unethical and illegal uses of clients as main sales target, yes.
Of course I do. Is your theory that manufacturing weapons of war is a morally neutral occupation?
> They're kind of like arms manufacturers.

More like hired hitmen.

> If they wouldn't build them, someone else will.

Nobody thinks that we can prevent everyone from doing something. The point of regulating (or making it illegal) and then enforcing those laws is to increase friction, increase costs, and thus make the thing difficult enough to obtain that the problems it causes become manageable. If there are 3 vendors of this sort of thing, then shutting down one of them definitely will make it more difficult for would-be customers by increasing costs and risks. Something does not have to be perfect to be good.

> They're kind of like arms manufacturers. Do you blame them if your government shoots you?

When Iran sells weapons to the Russians we definitely blame them, yes. And the Russians for using them, as well.

Replace NSO group’s spyware with child sex slaves, reread what you wrote, and then revisit your moral compass.