Nearly every member of NSO’s research team is a veteran of the intelligence services; most of them served with AMAN, the Israeli Military Intelligence Directorate, the largest agency in the Israeli espionage community — and many of them in AMAN’s Unit 8200. The company’s most valuable employees are all graduates of elite training courses, including a secretive and prestigious Unit 8200 program called ARAM that accepts only a handful of the most brilliant recruits and trains them in the most advanced methods of cyberweapons programming. There are very few people with this kind of training anywhere in the world, and soon enough, few places would have a higher concentration of them than NSO’s headquarters in Herzliya — where there were not just a few top specialists but hundreds. This would provide NSO with an incredible competitive advantage: All of those engineers would work daily to find “zero days,” ie, new vulnerabilities in phone software that could be exploited to install Pegasus. Unlike rival firms, which generally struggled to find even a single zero day and therefore could be shut down if it were made public, NSO would be able to discover and bank multitudes of them. If someone locked one back door, the company could quickly open another.
In 2011, NSO engineers finished coding the first iteration of Pegasus. With its powerful new tool, NSO hoped to quickly build a stable of clients in the West. But many countries, especially those in Europe, were initially wary of buying foreign intelligence products. There was a particular concern about Israeli companies that were staffed by former top intelligence officials; Potential customers feared that their spyware might be contaminated with even deeper spyware, allowing the Mossad access to their internal systems.
Reputation mattered, both for sales and for holding onto the well-trained coders who had made Pegasus a reality. Hulio appointed Maj. Gen. Avigdor Ben-Gal, a Holocaust survivor and a highly respected combat officer, as NSO’s chairman, and established what he said would be the company’s four main pillars: NSO would not operate the system itself. It would sell only to governments, not to individuals or companies. It would be selective about which governments it allowed to use the software. And it would cooperate with Israel’s Defense Export Controls Agency, or DECA, to license every sale.
The decisions NSO made early on about its relationship with regulators ensured that it would function as a close ally, if not an arm, of Israeli foreign policy. Ben-Gal saw that this oversight was crucial to NSO’s growth — it might restrict which countries the company could sell to, but it would also protect the company from public blowback about what its clients did. When he informed the Defense Ministry that NSO would voluntarily be subject to oversight, the authorities also seemed happy with this plan. One former military aid to Benjamin Netanyahu, at the time Israel’s prime minister, explained the advantages quite clearly. “With our Defense Ministry sitting at the controls of how these systems move around,” he said, “we will be able to exploit them and reap diplomatic profits.”
The company quickly got its first major break. Mexico, in its ongoing battle against drug cartels, was looking for ways to hack the encrypted BlackBerry messaging service favored by cartel operatives. The NSA had found a way in, but the American agency offered Mexico only sporadic access. Hulio and Ben-Gal arranged a meeting with Mexico’s president, Felipe Calderón, and arrived with an aggressive sales pitch. Pegasus could do what the NSA could do, and it could do so entirely at the command of Mexican authorities. Calderon was interested.
Israel’s Ministry of Defense informed NSO that there was no issue with selling Pegasus to Mexico, and a deal was finalized. Soon after, investigators at an office of the Center for Investigation and National Security, or CISEN — now called the Center for National Investigation — went to work with one of the Pegasus machines. They fed the mobile phone number of a person connected to Joaquín Guzmán’s Sinaloa cartel into the system, and the BlackBerry was successfully attacked. Investigators could see the content of the messages, as well as the locations of different BlackBerry devices. “Suddenly we started to see and hear anew,” says a former CISEN leader. “It was like magic.” In his view of him, the new system had revitalized their entire operation — “Everyone felt like maybe for the first time we could win.” It was also a win for Israel. Mexico is a dominant power in Latin America, a region where Israel for years has waged a kind of diplomatic trench warfare against anti-Israeli groups supported by the country’s adversaries in the Middle East. There is no direct evidence that Mexico’s contracts with NSO brought about a change in the country’s foreign policy toward Israel, but there is at least a recognizable pattern of correlation. After a long tradition of voting against Israel at United Nations conferences, Mexico slowly began to shift “no” votes to abstentions. Then, in 2016, Enrique Peña Nieto, who succeeded Calderón in 2012, went to Israel, which had not been seen an official visit from a Mexican president since 2000. Netanyahu visited Mexico City the following year, the first visit ever by an Israeli prime minister . Shortly after, Mexico announced that it would abstain from voting on several pro-Palestinian resolutions that were being considered by the United Nations.