Ronen Bergman, a reporter for the New York Times based in Israel, and his colleague, Mark Mazzetti, have brought the Pegasus story back to the centre-stage of Indian politics because of the revelations in their story in the New York Times, published a few days ago.
The story was the result of a one-year investigation into the workings of the Israeli company NSO Group, whose flagship product is Pegasus. The spyware – which the NYT describes as the world’s deadliest cyberweapon – has been used against journalists, politicians, lawyers, human rights defenders in a range of countries including in India, as The Wire and other media organisations around the world reported last year. Bergman and Mazzetti’s reporting has filled in many of the blanks and added a lot of new information.
The big takeaways from that story are:
First, that the US, despite having recently placed NSO on a sanctions list, had actually toyed with buying Pegasus and its variants a few years ago. In fact, NSO had installed a trial version of Pegasus with the Federal Bureau of Investigation and, more significantly, the FBI had also experimented with the use of Phantom, which is a version of Pegasus that actually allows the interception of smartphones in the US – something that the Pegasus system itself is not meant to do.
Ronen Bergman. Photo: Twitter/@ronenbergman
The second big revelation concerns how the United States government actually paid the government of Djibouti, which is in the Horn of Africa and is a key US ally, to acquire and deploy Pegasus. Another interesting tidbit was how Saudi crown prince Mohammed bin Sultan (MBS) had to personally intervene with Benjamin Netanyahu (when he was still prime minister of Israel in 2020) to turn the Pegasus tap back on after the Jamal Khashoggi assassination scandal.
In its fourth major revelation – and the biggest from India’s point of view – the New York Times states for the first time in a concrete fashion by any media that Pegasus was sold to India in 2017 as part of a $2 billion arms deal between Israel and the Indian government.
The following is a full transcript of Siddharth Varadarajan’s interview with Ronen Bergman, edited slightly for style and clarity.
§
Siddharth Varadarajan: It’s rare for one journalist to interview another but I think you guys had a great story and there’s enormous interest in India so let me begin by trying to get some more details on the big ticket revelation in your story as far as india is concerned – which is the deal between India and Israel. You mentioned a figure of $2 billion as being the overall value of a deal in which presumably Pegasus was embedded. Do you have any idea what the specific value of the Pegasus contract between Israel and India, or NSO and India might have been?
Ronen Bergman: Yeah, but first, thank you for all the words, for the invitation. This is the first interview. We have received numerous requests from India and you are the first and maybe the only [one] that we will do. Indeed, our story – featuring on the cover of the New York Times magazine of next week and which was early-posted online on Friday – created worldwide comments and follow-ups and I think because of the spread, the proliferation of Pegasus to so many places, each country has its own issues or interests, whatever you call them, with Pegasus.
So the Americans were very interested to learn that Pegasus was installed in New Jersey, the Israelis were very interested to learn that MBS was placing a phone call to Netanyahu to renew the license. Of course India, [there is] the relationship, a close personal relationship between the leaders of India and Israel that gave birth to, I would say, a new generation of military expenditure as well as a new Indian stand, including international public steps towards Israel.
Some of the details that are specified, this comes from a very sensitive, a long-time dealing with sources, and therefore I’ll be a little bit cagey in some of the details, but as you said, we have been working for a year in 12 different countries, speaking with intelligence officials, with leaders of law enforcement agencies, politicians, leaders, cyber experts, human rights activists, etc. and I think we got as close as possible to the full picture – if not the whole picture.
Now per your questions, I would say, without – I need to check with uh how sensitive is the actual number, but I would say it’s a few dozens of millions… of the $2 billion, the [cost of purchasing] Pegasus in terms of [the] real number is not the majority whatsoever, this is, they were like missiles that are far, far more expensive.
Varadarajan: Exactly.
Bergman: But from the point of view, as far as I understand, the point of view of India, this system being so unique, being so extraordinary, being a cyber weapon system that India cannot buy from anyone else – not just because no one else was ready to sell it to India but because no one else has the system. Even in the ideal world from the point of view of the Indian leadership, still, there’s no one else to buy it from. And therefore there was a specific interest and specific emphasis from the Indian leadership to the Israeli leadership to obtain that specific license.
Varadarajan: Would you be able to shed some light on the level at which this might have been negotiated? We know, for example, that in the spring of 2017, before Prime Minister Narendra Modi makes his historic and landmark visit to Israel, the Indian national security adviser, Ajit Doval, visits Israel and has high level discussions with his counterparts and that happens, I think in February, early March, and that’s followed by Modi’s visit in July. Of course in April, news is released about this $2 billion missile deal – which was described at the time by Israeli defence sources as the largest ever, single export contract in the history of the Israeli arms export business. So obviously relations were on the up and up. But the Pegasus part of it, would you have any sense as to the level at which this might have been negotiated?
Bergman: Yes, but again I need to be a little bit cagey here and I’m sorry for that because this, the content of those talks, or the disclosure of those – the content of those talks – can jeopardise or potentially risk sources. I can just say that in order for an intelligence agency to buy and then install Pegasus and have an online activation of the system, it needs to be handled by the top authorities in Israel. So the top authorities of the Ministry of Defence are to sign the license, and it can be done only with permission, without exercising [the] veto of the foreign ministry, and it’s usually done with the direct involvement of the Israeli prime minister and the national security advisor.
Narendra Modi and Benjamin Netanyahu on the beach at Haifa in July 2017. Photo: Kobi Gideon/Israeli government office handout via Reuters
Afterwards, when, and we’re talking about the private company, afterwards, when the system is delivered, it has to be delivered – it’s not a software to be given with you know some kind of dropbox or a discord key, a flash drive. The NSO engineers need to be physically present on-site to install the system, test it, and then from time to time come and do the maintenance. And it needs to be, I would say in sensitive cases –while the ongoing technical maintenance is done by NSO vis-a-vis, in this case, Indian intelligence service, which was the entity that purchased the Pegasus – the overall connection is also with the involvement of the agency in Israel that is in charge of running secret intelligence and political relationships, which is the Mossad.
So this is a long comment to your question but basically saying that all the different components of [the] Israeli defence establishment and the Indian highest authority, the Indian intelligence service – have to be involved in the process.
Varadarajan: And if we consider that Doval visited Israel in February-March, then that would certainly point in his direction. Did you encounter in your reporting any inkling or any knowledge about the identity of the purchasing agency in India? I’m asking this because in our own reporting, when we examined, at The Wire, the various numbers that were on the leaked database to try and see a pattern of who these likely targets were, we found a number of foreign diplomats and numbers in Pakistan, on the one hand, and a whole bunch of domestic targets – including politicians, journalists, human rights defenders and so on. And when we map that together with what Citizen Lab had said in one of its reports – that through examining the servers used by NSO they were able to figure out that there are two customers in India, one that mainly spies on domestic targets and the other that spies on domestic and foreign targets – and we, of course, narrowed that down then to the Intelligence Bureau and the Research and Analysis Wing. But in your reporting, did you come across any identification of the entities in India that might have signed this contract or got access to Pegasus thanks to this deal?
Bergman: The answer is yes but again, I [am] well, maybe not prepared to [give] those detailed answers! I didn’t discuss the possibility of disclosing them because, as you see, the details as specified in our report were going through a very rigorous screening process of fact checking, on one hand, and sources’ security, on the other, so I need to check those details.
Let me just say that in general, there were countries like for example the UAE or Mexico who were not satisfied with one machine because of their field security and sometimes ego clashes between different organisations and authority clashes, they bought a few machines that were completely separate
from one another. So I would not take from consideration that your findings were correct, that there were different machines sold to different entities and that they were indeed looking at different targets.
Varadarajan: Right.
Bergman: Let me just say that the way the pricing of the machine that was sold to India works, it has a certain capacity, it has a bandwidth, that is determined in advance.
Varadarajan: And that’s what you pay for.
Bergman: Yes, and this is called a license. It’s not [a] license given by the ministry of defence. The MOD is giving a license to sell Pegasus according to some kind of a breakdown of details and capabilities. But
besides that, in the commercial negotiation between NSO and Indian entities or Indian agencies, it’s
very important to, and this has a significant impact on the pricing, different kinds of capabilities of the
Pegasus, one of them – and most important per bandwidth capability, power and price – is how many licenses are sold. License is the ability to monitor one phone at the concurrent time. And this is … as far as I know, those [which] were sold to India, were I think between – I don’t remember what was the exact number – but it’s between 10 and 50. So each one can, it depends on what was decided, can monitor between 10 phones up to 50 phones.
Varadarajan: Simultaneously.
Bergman: Simultaneously. But this is not a billing done in retrospect. So this is like a license that was given in advance, paid in advance for one year contract and then once you go above the quota, then the operator needs to stop monitoring another phone then, so to be within the quota.
Varadarajan: Or they charge more? Or does the license not have that flexibility?
Bergman: As far as I understand, this is can’t be changed. It’s something that is paid in advance and not built in after the contract is done.
Varadarajan: And so perhaps a hardware limitation, once the equipment is installed.
Bergman: Yes
Varadarajan: You said a one-year contract. As per your understanding and what your sources have shared with you, the deal signed in 2017 I presume was for a multi-year contract or was it to be renewed every year?
Bergman: I think it was [a multi-year contract], but again I need – this is something those details I need to check – I think it was for multi-year with some kind of a renewal option every year and cancellation option.
The most important part of a contract is the ability of the NSO mothership – the headquarters – to renew the techniques, vulnerabilities, zero days that the system is using. Pegasus – all those surveillance machines – [is] not a code that was installed into them and it stayed as is, because the dynamic of the market – the engineers of the different instant messaging companies and mobile phone companies are always finding patches to seal and block the vulnerabilities that NSO is using and NSO is using new ones so this is a very, it’s a dynamic process, and I think this is the secret that made NSO by far the most successful and the long-living and the most effective company in the market – the ability to maintain a huge team of what they call vulnerability researchers, which is a sort of a laundered euphemism for hackers, but very, very trained and sophisticated hackers, to have redundancy on the zero days vulnerabilities that they can use if one of them is is patched.
Illustration of hardware deployed for the Pegasus spyware system. Photo: undated NSO Group brochure, ‘Pegasus – Product Description’
Varadarajan: In your reporting with Mark Mazzetti, you talk about the Mexican example, that Mexico and NSO were already in talks when NSO then turned to the Israeli government and got its approval, if my understanding is correct. And I guess some contracts work that way, where the company reaches out to potential customer governments and negotiates a deal and then goes to the MOD for permission. But in the case of India, is that also how things worked or is this something that India came up with…
Bergman: No, here… I can elaborate a little bit more. When the negotiation with Mexico started, Israel’s MOD had no policy on export of cyberweapons because this was a new market, because NSO was almost the first, if not the first – in Israel for sure but worldwide, the first company – offering such a such product, worldwide. Most countries never admitted even handling – as a state, as a state actor – such weapons, not to say give them to private companies or allow private companies to market them. So NSO did something extraordinary and on the face of it even damaging to the company.
NSO came to the Ministry of Defence back then with a chairman of the board called Major General Avigdor Ben-Gal, who was hired as a heroic figure from the October 73 war… A veteran of the Israeli military was hired to bring the company that its founders and managers and engineers who were very, very young and, you know, didn’t give the impression of being very serious, and suddenly they are the ones who offering intelligence services worldwide a solution that nobody else can offer them – so he gave the legitimacy and the sort of honourable appearance. So he came to the MOD and said we are willing to put ourselves under the defence export regime of Israel even though we don’t have to, and afterwards, because he knew that they are going to put this up on NSO shortly, so afterwards the Ministry of Defence, in 2013 indeed the license to Mexico was done retrospectively after they already negotiated. But after that, all negotiations, including with India, had to go through two maybe even three different licensing [processes].
One is to give NSO a general license to sell its product overseas. Second, a specific marketing license that is not just aimed per the country but is aimed at the specific agency, so if for example, NSO desires to show – not to sell but to show, to pitch – Pegasus to the Indian Bureau of Intelligence, it needs to get a specific license from the Ministry of Defence to market and on not just that but what exactly NSO is going to show them – the specific vulnerability, the specific zero day – and after that, if the potential client shows a desire to buy, then it needs to go back to the Ministry of Defence and get a selling license, again very, very specific.
The selling license is also termed that the end-user would sign an end-user certificate that says that the end user takes upon himself – this is between the Israeli ministry of defence and the end-user, so, for example, the Indian Bureau of Intelligence – saying that the Bureau of Intelligence has taken upon itself three main commitments, one is to use it only by itself and if giving it to a third party to get prior written permission from the Israeli ministry of defence, second to use it only against terrorism and organised crime. And when all of that’s signed, only then the license is executed and NSO can sell.
Varadarajan: And the end-user agreement is signed with the MOD, not with NSO, right? If I understood you correctly?
Bergman: Yes, it’s signed with the MOD, but technically what is usually happening, not necessarily but
usually, it’s taken by the NSO representative, it’s given to the end-user, the head of the relevant intelligence agency, signed and then given back to NSO. Now in the license, in the license itself between MOD and NSO, there are many other terms, so for example that Pegasus cannot hit or attack Israeli numbers and American numbers, that, there are many others, this is by far more specific. The end-user agreement is only one page, you know easy and very simple to understand and was even modified recently, has a little bit more terms but it’s saved in the safe of DECA [Defence Exports Control Agency] – this is the agency of the Israeli ministry of defence that is in charge of export defence expert licenses.
Varadarajan: Now DECA and DECA’s officials would presumably have been following the reporting that The Wire and others did as part of the Pegasus Project, and we found through our analysis and investigation something like 13 or 14 individuals in India – journalists politicians human rights defenders, lawyers – who had proven Pegasus infections on their phones, either proven infections or in a handful of cases, clear attempts at loading Pegasus. Would DECA not consider the presence of Pegasus on the phones of journalists and opposition politicians and human rights defenders a violation of the end-user agreement with India? Do you have any insight into how DECA views the fact that Pegasus was clearly used against journalists, for example?
Bergman: Well, I assume no, I know that even people of DECA read the papers and have read your findings and the many other reports, and I can also assume that they are not nonchalant towards those.
And, of course, I have asked many times the spokesperson for the Ministry of Defence, speaking on behalf of DECA, what is your response. Mark Mazzetti – my colleague and myself – back in July [2021] published a long report at the news pages of the New York Times about Saudi Arabia, that received the first license – NSO received the first license to sell to Saudi Arabia – in 2017. And then the license was terminated after the Khashoggi murder. But even before the Khashoggi murder, Saudi Arabia had a known record of abuses of human rights. There was no question [about] what Saudi Arabia is. The license was terminated after the Khashoggi murder but renewed under Israeli and some say American pressure shortly afterwards. It was terminated by the Ministry of Defence in October 2020 just to be renewed after Benjamin Netanyahu received an angry phone call from MBS – as you quoted in the beginning – and ordered the ministry of defence, with the approval of the foreign ministry, I must say. I must add here, which was led by the Blue and White party at that time, meaning, it’s not, what I’m trying to say, it’s not just about Netanyahu and his will, it’s more than that, it’s more severe than that, and I said a few times that to give Pegasus to a country like Saudi Arabia or the CIA managed, coordinated and paid for Pegasus to be given to Djibouti… and being shocked afterwards that this Pegasus … was used indeed to violate human rights. It is like a zookeeper who let the hungry lion out and then when the lion ate someone, he said, “Oh it’s his fault, it’s the lion’s fault.” Because what do you expect?
Benjamin Netanyahu in 2019. Photo: Reuters/Ariel Schalit
Varadarajan: This brings me to my last question. In your story as well as in other statements that we’ve seen from NSO in the aftermath of our reporting last year, there is an indication – although NSO denies having complete knowledge of how its clients use Pegasus – but there is an acknowledgement of NSO’s ability post-facto to examine whether the spyware was used as per the license terms. To what extent – how powerful is this power to review records? Do you have any sense of what kind of data NSO retains from its clients? Is it just metadata or is there more than metadata?
Bergman: Some journalists belong to the consortium and then the Pegasus Project have tried and believed, and I think still believing – what was later not published because no one was able to prove it and I believe because as sexy and as appealing and as, even, you know, as reasonable as it is – I don’t believe it. I have no proof and no reporting. On the contrary, I have contradicting numerous reporting and sources to indicate that the so-called myth that NSO has a backdoor to its clients, seeing, having an online
transparency into everything the clients are doing – I even heard some testimonies as if there’s like a
huge war room in Herzliya where, you know, NSO is able to see what every Pegasus is doing worldwide and that the Mossad has a back door to the back door, so Israeli intelligence has oversight of everything that NSO is doing. Now, it makes sense, and you know, I can only understand people believing in that but as far as I – and I am you know, I’m covering NSO this is a year-long investigation but I have been covering NSO since it was founded and in fact, I even met its founder, Shalev Hulio, when he just started the startup back in a renovated hen house in 2007. So I know this group for a very long time and I have nothing to support this claim.
And I would say, even more, the NSO group, the last thing they would want is to know what their clients are doing, meaning it may be good for the product to improve it, but I assume that they would at least have some kind of prediction that some of those Pegasus are going to be used for wrong causes, so the last thing – from their point of view – would like to know about that. But in any case, whatever they thought or didn’t think, it’s not my business, it’s only what we have in our reporting and our reporting suggests the following — that they do not have any kind of transparency into what the client is doing. However, each Pegasus has a log, recording all the phone numbers that are being attacked, whether the attack was successful or not…
Varadarajan: So a kind of metadata.
Bergman: Metadata that is stored but not just about a successful but also about an unsuccessful success, yes. This is stored on the machine itself. If NSO is receiving a complaint, or to investigate something, and this is like the private safe that you hire, that you rent in a bank, it needs to have two keys, the client cannot access it without NSO and NSO cannot access it without the client. If the client agrees, then it can open
a channel for NSO or physical access if NSO engineers need to come because some of the clients do not allow, fearing some backdoors or some kind of Israeli intelligence intrusion, they do not allow any kind of online connection between Tel Aviv or between the Herzliya mothership to the Pegasus where
it’s in store. So NSO can access the log and can see the numbers that were attacked or attempted.
Varadarajan: A dual key system?
Bergman: Yes. OK, but if the client does not agree, right, or if the client – like in the case that we described in Panama [of] taking the machine and dumping it in the ocean there’s no resurrection, there’s
no backup for the log.
Varadarajan: Where do you go from here now? I know you have tons of unanswered questions in your mind. Where does the Pegasus story go now at your end?
Bergman: I think that we answered most of the questions we want. The problem now is with the ability to flesh all of them out with sources sensitivities. I am curious to see what would happen in the US, which is the centre of the happenings, the developments in the story, but it’s not just about NSO, this story is not just about NSO because let’s say tomorrow NSO is, you know, bankrupt and it’s closing down, there would still be hundreds of potential clients that are keen if not hungry to have a Pegasus or Pegasus a like [weapon]. And some of them are bad actors with bad intentions and some of them are good actors like police forces and law enforcement agencies in western Europe, that would say, “What can we do now in order to get some more transparency into the communication of criminals and terrorists?” and I would assume that the next thing would be a wave of rage and protest from those agencies towards the cell phone companies and the instant messaging companies in America for not allowing any kind of transparency of good actors into their channel of communication, a channel of communication that is a safe haven for you know journalists like us, for human rights activists, for lawyers, but also for criminals.
This is the problem that NSO was quick to take advantage of and make billions but when NSO is gone – and NSO, I would say is on the verge of extinction now – the problem would not go. With it, one problem would go, which is the exploitation of NSO products by human rights abusers, but the other problem – the channel, the military-grade encrypted channels of communication, it’s still with us.
An aerial view shows the logo of Israeli cyber firm NSO Group at one of its branches in the Arava Desert, southern Israel, July 22, 2021. Photo: Reuters/Amir Cohen
Varadarajan: I think you’re right, I think you’ve highlighted a key problem with the use of this kind of technology. A lot of it of course stems from I would also say the lack of transparency on the part of governments that are trying to use this kind of technology. After all, if they had been willing to play by the rules and be transparent and have some kind of a review process by which dangerous surveillance technology could be used in a proper way, perhaps none of this scandal would have erupted
Well, thank you very much Ronen Bergman, you’ve been very generous with your time. Once again, a great story by you and Mark Mazzetti, and I wish you all the luck in getting more information out and, at least at the India end, Pegasus promises to be with us in the headlines for some time to come …
Bergman: Maybe, let me ask you a question. What do you think would be the next phase, the next stage in India now?
Varadarajan: Well, things are happening at two levels. At the political level, the opposition is fighting with the government and trying to have a discussion in parliament. They’re trying to move a privilege motion alleging that the government lied to parliament when they said, when they tried to deny having used Pegasus. But more seriously, at the judicial level, the Supreme Court last year had appointed a technical committee and the committee is going through the motions of trying to answer a set of questions that the chief justice of India asked – including, ‘Did the government of India ever buy Pegasus?’, ‘Did it use Pegasus?’, ‘What were the laws and under what authorisation was it used?’, ‘Who all were targeted?’ etc.
I myself, as you know, was among those whose phones showed Pegasus and I will be speaking before the technical committee on February 2. So we hope that this committee will be able to do its work expeditiously and with the full cooperation of all concerned, so that we get to the truth of this matter. Because the way in which Pegasus has been used in India – against journalists, against opposition politicians – really undermines the foundation of –
Bergman: Civil society
Varadarajan: Democracy and society, exactly, and so it’s not something that any democratic country can take lightly, which is why there’s enormous interest not just among those whose phones were tapped or among journalists but actually at a much wider level, because people connect the Pegasus scandal with the fact that democracy itself as we know it may well be imperilled. So that’s where things stand.
