It’s Not Malware, It's a Sovereign Weapon
The first mistake was thinking of Pegasus as just another piece of sophisticated malware. It wasn't. Pegasus was a turnkey intelligence agency in a box. For a multi-million dollar fee, a government didn't just get software; it got a fully managed service
that could reliably crack the world's most secure smartphones. NSO Group's employees handled the technical heavy lifting, providing clients with a simple dashboard to target phones and hoover up data: texts, emails, calls, location, and even encrypted messages. We tend to think of hacking as a messy, unpredictable craft. NSO Group turned it into a reliable, productized, and scalable corporate service. This wasn't a tool for cybercriminals; it was a sovereign capability sold to other sovereigns, and that distinction is everything.
They Weren't a Rogue Company
The media often painted NSO Group as a 'rogue' entity, a shadowy arms dealer of the digital age. This narrative, while dramatic, misses the most crucial fact: NSO was an instrument of the Israeli state. Any sale of Pegasus to a foreign government required an export license from Israel's Ministry of Defense. Far from being rogue, NSO was a key player in Israel's foreign policy, a powerful diplomatic chip that could be granted or withheld. Giving a country access to Pegasus was a way for Israel to build alliances, gather intelligence, and exert influence in regions where it had few other levers to pull. When observers saw a private company, they missed the state-level strategy playing out. The company wasn't going off-script; it was performing a state-sanctioned role.
We Focused on the 'Who,' Not the 'Why'
The horrific stories of journalists, activists, and political dissidents targeted by Pegasus were essential to report. They revealed the human cost and moral bankruptcy of its misuse. However, an exclusive focus on the victims—the 'who'—obscured a more fundamental question: 'why' was the market for this so vast and eager? Dozens of countries, including democracies and autocracies, lined up to buy it. Why? Because for decades, governments had been losing a cat-and-mouse game with technology. End-to-end encryption from services like WhatsApp and Signal had created a black hole for traditional wiretapping. Law enforcement and intelligence agencies worldwide were, in their view, 'going dark.' NSO Group didn't create this demand; it simply offered an elegant, if terrifying, solution. Misreading the story meant underestimating the desperation of sovereign states to reclaim a power they felt they had lost to Silicon Valley.
The 'For Terrorists Only' Clause Was Marketing
NSO Group's public defense was always the same: Pegasus is sold only to vetted governments for the sole purpose of fighting serious crime and terrorism. This was presented as a functional constraint, a built-in safeguard. It was, in reality, a marketing pitch and a legal shield. Anyone with a passing knowledge of history or power knows that capabilities acquired for 'external enemies' inevitably get turned inward. The 'terrorist' you're fighting today becomes the 'dissident' tomorrow, the 'political opponent' the day after, and the 'annoying journalist' the day after that. Believing that authoritarian (and even some democratic) regimes would show restraint was a profound miscalculation. The tool was too powerful, the definition of 'threat' too flexible, and the lack of oversight too convenient for it to end any other way.
