Roads of surveillance Episode 3: Israel – Global Hub of Cyber Offense

The software allows a smartphone to be penetrated without a click, without an alert, without a trace. A tool that officially serves to fight terrorism. Unofficially, it was allegedly sold to states under contracts authorized by the Israeli government. The controversy centers on how some client states may have used it beyond the officially declared purposes, notably for spying on journalists, human rights defenders, or political opponents.

This media outcry shed light on the abuses and dangers posed by spyware. But beyond the scandal, something deeper unfolded. What did the Pegasus affair really reveal about the surveillance market? How was this model built? And what role did it play in shaping the spyware industry?

Visual: World map of Pegasus usage showing countries where numbers were identified, with color coding by type of target (journalists, opponents, diplomats, etc.).

From Unit 8200 to NSO Group: The Genesis

South of Tel Aviv, in a discreet complex resembling a technology campus, the digital backbone of Israel has been formed for decades: Unit 8200. It is here that a generation of engineers, cryptographers, and analysts emerged, helping transform a country under constant threat into a global intelligence power.

Created in the years following the founding of the state, the unit is built around a vital imperative: know before being struck. Every war, every attack, every intelligence failure reinforced this conviction. After the Yom Kippur War in 1973, marked by a major intelligence miscalculation, the military overhauled everything: new structures, new budgets, and a lasting watchword—innovate.

Charles Freilich, former Israeli National Security Advisor, summarizes this logic as follows: “Israel has always faced a fundamentally asymmetric threat. The Arab world had the numbers… The only way to compensate for that gap was quality. Hence a very strong emphasis, from the beginning, on science and technology.”

When the high-tech revolution arrived in the 1990s, Israel rode the wave. This type of innovation requires neither massive manpower nor colossal investments, but rather creativity and improvisational capacity, in an environment (the Middle East) that is, it bears repeating, in constant flux.

At the same time, military threats no longer concerned only the external front: the internal front and the civilian sector also became targets. Israel was one of the first states to conceptualize cybersecurity at a national scale, across civil, commercial, and military domains. In this context, Unit 8200 cultivated a distinctive approach: doing more with less. It recruited brilliant profiles, often very young, and granted them an unusual degree of autonomy. This culture of structured improvisation, flexibility, and agility would become one of the signatures of the “Start-up Nation.”

Freilich describes an almost unique symbiotic relationship between the military and the private sector: “In Israel, almost everyone in the commercial sector has served in the army, and many continue in the reserves. They know what the armed forces and intelligence services need. The country is small; everyone knows each other. Companies can anticipate needs, and the military also tells them what it expects.”

To feed this talent pool, the army launched cyber courses in schools, followed by a National Cyber Education Center. Students trained there, later called up for military service, often join cyber units before founding startups in cybersecurity after demobilization. Upon leaving service, many launch their own companies: Check Point, Palo Alto Networks, CyberArk, Imperva, or later NSO Group. A true factory of entrepreneurs that accelerates the partial privatization of intelligence. A report by the Center for Security Studies also shows that Israel heavily relies on close collaboration between the private sector and Israeli cyber-defense structures, fostering the diffusion of expertise and strengthening national cybersecurity capabilities.

A Trade Under State License

Spyware is considered by Israel to be cyber defense equipment. As such, the sale and export of products like Pegasus by NSO Group must be expressly approved and authorized by the Israeli Ministry of Defense, which issues the required export licenses. This state supervision creates a direct link between industry, the military, and diplomacy. Israel actively supports companies emerging from this military ecosystem (NSO, Candiru, Paragon, Cognyte). This licensing regime constitutes a form of transactional cyber diplomacy, where access to these technological capabilities is exchanged for political and security cooperation.

State supervision of exports has sparked intense debate, particularly after the Pegasus Project revelations. Some organizations, such as Amnesty International, sought in court the revocation of NSO Group’s export license, arguing that the Israeli state should be held accountable for abuses committed by certain client countries.

The question of exporter state responsibility remains legally complex. A 2025 study notes that international human rights law (IHRL), as it stands, offers only limited grounds to engage such responsibility. Based on the principle of territoriality, IHRL recognizes extraterritorial obligations only when a state exercises direct or effective control over the situation at hand. In the case of spyware, however, final use depends entirely on the purchasing country, breaking the causal link necessary for legal attribution.

In other words, the current legal framework struggles to address technologies whose chain of action spans multiple jurisdictions. Several scholars thus call for the development of more precise and binding international mechanisms to regulate the export and use of these tools. This debate highlights a persistent legal vacuum, revealing the limits of IHRL in the face of the transnational circulation of surveillance technologies.

In response to the controversy, Israel nevertheless took steps to tighten controls, notably reducing the list of countries authorized to receive these technologies. The number of client countries for NSO Group, for example, reportedly fell from around 102 to just 37, according to reports citing defense officials. The goal was to limit sales to states deemed stable and respectful of human rights, or with which Israel maintains close diplomatic and security ties. Israel also reaffirmed and strengthened the classification of these technologies as “cyber defense equipment” (or “cyber weapons”), ensuring that their trade is governed by defense export control law and fully supervised by the Ministry of Defense (via SIBAT).

Unlike many Western states, Israel is not a signatory to the Wassenaar Arrangements, the main multilateral framework regulating exports of conventional arms and dual-use goods, including certain cyber technologies. In the absence of this international constraint, export control rests exclusively on a national regime, without multilateral mechanisms for transparency or accountability.

Although not an Israeli measure per se, U.S. action had a major impact and forced the government’s hand when, in November 2021, the United States placed NSO Group on its blacklist. This prevents it from purchasing components or technologies made in the U.S. The decision had an immediate effect on the entire Israeli sector, weakening not only NSO but the whole ecosystem of offensive cyber exports.

NSO and the Boomerang Effect: A Displaced but Unregulated Market

It is precisely this systemic effect that Charles Freilich highlights. In his view, even if NSO “went too far,” the impact of sanctions extended well beyond the company itself: “The sanctions practically destroyed the Israeli offensive industry. Companies went bankrupt, others pivoted, some moved abroad. NSO kept a low profile for a long time and nearly disappeared.”

Freilich places this episode in a long-standing dynamic: the United States has previously intervened to impose limits on Israeli exports, notably to China, whether in arms or dual-use technologies. Israel, he explains, constantly seeks markets where it does not directly compete with American, French, British, or German giants—“sometimes in good places, sometimes in less good ones.”

Beyond the industrial and diplomatic impact, the Pegasus affair above all marked a shift in political visibility and global perception. It is important to recall that cyber-surveillance practices, the privatization of intrusion capabilities, and the sale of hacking technologies to states existed long before NSO. What changed with Pegasus was not so much the existence of these practices as their global visibility, and the realization of the rapid proliferation of surveillance technologies previously reserved for a very limited number of state actors.

Jurist Michael Silberman summarizes the historical significance of the affair in Policing Pegasus (2023): “NSO Group symbolizes the democratization of espionage: making available to secondary regimes capabilities that only powerful states could once afford.”

However, Silberman also warns of the perverse effect of U.S. sanctions: “U.S. sanctions have produced a perverse effect: they have displaced demand toward even less regulated suppliers.”

Since the sanctions, the industry has not vanished; it has recomposed itself. Some companies shifted toward defensive activities, others moved their centers of gravity outside Israel, while new, more discreet actors emerged in a now more fragmented ecosystem. This dispersion makes the market even more opaque today and, paradoxically, potentially harder to control than when a few major players concentrated attention. Indeed, sanctions and export control laws, while effective in crippling specific companies like NSO Group, fail to fully regulate the spyware industry. Growing demand for these technologies pushes buyers toward less scrupulous, second-tier companies, often located in countries such as India, the Philippines, or Cyprus. This perpetuates issues of accountability, transparency, and respect for human rights.

In this context, the Ministry of Defense, facing limited human resources, finds itself caught between the need to maintain strict control and the desire not to stifle a sector it considers strategic for the country’s security and economy.

This recomposition is not limited to the emergence of new actors: it is reshaping a global, sprawling market that has now reached considerable economic scale.

• 2009–2010 — Creation of NSO Group → Emergence of the “offensive platform sold to states” model.
• 2012–2015 — Domination of a few actors → Concentrated market: NSO, FinFisher, Hacking Team.
• 2017–2020 — Global expansion + arrival of Israeli actors → Candiru, Quadream; first zero-day brokers.
• 2021 — The Pegasus Project → 50,000 targets, global scandal, perception shift.
• Nov. 2021 — U.S. blacklist → NSO cut off from U.S. technologies; major industrial shock.
• 2022–2023 — Market fragmentation → Proliferation of offshore actors; greater opacity.
• 2023 — Reduction of countries authorized by Israel → 37 approved states; no transparency gain.
• 2024–2025 — Total fragmentation of the model → Surveillance-as-a-Service, modules, cloud, zero-days → Traditional regulations become inadequate.

Anatomy of a $12 Billion Gray Market

By nature, it is extremely difficult to precisely measure the scale of the global spyware market. A report by Institut Montaigne nevertheless estimates it at around $12 billion in 2023. A colossal sum that explains the persistence of these activities despite controversy.

Israel occupies a central position, alongside Italy, Hungary, Germany, and the United States. These companies operate in a legal gray zone, marketing an “Access-as-a-Service” model: access to vulnerabilities, often based on zero-days—flaws unknown to vendors.

This model is now complemented by a fragmented value chain:

• Sale of vulnerabilities,
• Rental of exploitation capabilities,
• Exfiltration modules,
• Cloud-based intrusion services,
• Outsourced command-and-control infrastructures.

This modular architecture allows diverse actors (private companies, zero-day brokers, commercial intelligence firms, offshore subcontractors) to contribute to building an offensive capability without ever holding the whole. It is precisely this fragmentation that makes regulation more complex, controls more difficult, and traceability nearly impossible.

State Control: Real, but Opaque

In Israel, the Ministry of Defense is responsible for issuing export licenses. An article in The Jerusalem Post reveals that more than 3,600 licenses were revoked in one year after the NSO scandal.

This procedure is inherently confidential, as is often the case with arms exports or sensitive technologies in many countries. The main criticisms of this regime focus on the absence of a public, transparent, and systematic mechanism to audit the actual use made of exported tools by client states. According to a 2021 Amnesty International report, even if sales permits are granted under conditions tied to security checks and country assessments, there is insufficient ex post control to ensure tools are not diverted from legitimate uses (counterterrorism and crime).

The Israeli state thus finds itself in an ambivalent position: regulator tasked with preventing abuses, promoter of a sector strategic to its economy, and diplomatic beneficiary of sales that sometimes serve as tools of influence.

Since 2023, several regulatory adjustments have been announced: stricter criteria for certain “high-risk” states, tougher export reviews. In practice, no structural transparency has been introduced, and the concrete modalities of control remain inaccessible to public debate.

Charles Freilich nevertheless urges nuance regarding perceptions of an all-powerful state: “The Israeli system is not the colossus people imagine. Decision-making is often chaotic. Cyber is one of the few areas where things have been relatively well organized.”

In Israel, technological innovation is not merely an economic lever but a full dimension of national security. Private companies are not seen as external actors to the state apparatus, but as extensions of its technological power. This is where one of the most striking paradoxes of the Israeli model lies. “Israel doesn’t really do grand strategic planning like other countries. Most of the time, the country manages immediate emergencies. Cyber was an exception,” Freilich notes.

Under the direct impetus of Benjamin Netanyahu, Israel developed a genuine national cybersecurity strategy, even though it has neither a formal national security strategy nor a unified defense doctrine. The constant threat encourages close cooperation between the military, intelligence services, and an extremely dynamic private sector. This institutional porosity, rare in Western democracies, partly explains why the offensive industry developed so rapidly: the state set a direction, the ecosystem innovated, and operational control long remained permissive.

A Widely Imitated Strategy

The Israeli state therefore does not merely regulate this market; it structures it, directs it, and exports it as an instrument of power. Private companies extend state action, forming a model where intelligence and market intertwine. Far from being an isolated singularity, this model has been adopted in various forms by other powers such as France, Italy, and India, showing that regulating cyber exports is now a global geopolitical issue.

The Pegasus affair ultimately lifted the veil on a global system of commercial surveillance—structured, industrialized, and now impossible to contain through control mechanisms designed for a world that no longer exists (Sheniak, 2025). NSO Group was neither an anomaly nor a mere “rogue company”: it embodied, at a given moment, the avant-garde of a market where intrusion capabilities, once reserved for great powers, became exportable products. And this model now reveals its blind spots: an assumed porosity between civilian and military spheres, state control that is both real and opaque, and a cyber diplomacy where technological tools become levers of influence.

From this point on, the question is no longer solely that of the responsibility of a state or a company, but of our collective capacity to govern the era of permanent intrusion. As long as cyber-surveillance is conceived merely as an export commodity or a security tool like any other, without a binding international framework, it will continue to thrive in the blind spots of the law. Pegasus will then have been less a stopping point than a warning signal.

Sources

• Israel’s National Cybersecurity and Cyberdefense Posture, Cyber Defense Project (CDP), Center for Security Studies (CSS), ETH Zurich, 2020
• Spyware Exports: Recognizing the Limits of Human Rights Law, Tamar Megiddo, 2025
• Israel restricts cyberweapons export list by two-thirds, from 102 to 37 countries, The Record, 2021
• Policing Pegasus: The Promise of U.S. Litigation for Commercial Spyware Accountability, Michael Silberman, 2024
• De la prolifération à la déstabilisation : l’industrie spyware, une spirale centrifuge, Institut Montaigne, 2023
• Amid NSO scandal, over 3,600 export licenses revoked in the past year, The Jerusalem Post, 2022
• Uncovering the Iceberg, Business & Human Rights Resource Centre / Amnesty, 2021
• Bringing Technology Back into Spyware Regulations, Amit Sheniak, 2025