This week, media outlets around the world published an investigation by Paris-based media nonprofit Forbidden Stories, in cooperation with Amnesty International, that claimed that Israeli firm NSO’s Pegasus software was being used by governments to hack journalists, activists and even national leaders and royalty.

Pegasus was meant to give law enforcement and intelligence agencies access to criminals’ and terrorists’ smartphones, but the reports in 17 media outlets said they had a leaked list over 50,000 phone numbers of “people of interest” to NSO’s clients in countries with which Israel has grown closer in recent years, such as Saudi Arabia, the UAE, Bahrain, Azerbaijan, Hungary and India.

Those targets included leaders such as French President Emmanuel Macron, Pakistani Prime Minister Imran Khan and Moroccan King Mohammad VI, and 180 journalists, including one who was murdered in Mexico after reporting on government corruption, as well as countless activists and dissidents.

NSO, however, said it investigated the claims and the report is “full of wrong assumptions and uncorroborated theories.” The list on which the news stories rely is easily accessible data that have nothing to do with the NSO customer list and did not come from its servers, the company said.

In addition, NSO does not operate its system once it is sold to its clients, which are all law enforcement and intelligence agencies of governments approved by the Israeli government for the sale.

Days later, Prime Minister Naftali Bennett stood on a stage and hailed Israel’s cybersecurity industry, in which he made his fortune as the CEO of Cyota 15 years ago. Bennett announced at Cyber Week, an annual international conference at Tel Aviv University, that Israel would be launching the “Global Cybernet Shield,” a network that like-minded countries can join to warn one another against cyberattacks and threats.

The Global Cybernet Shield, which is still in development, is an international version of Cybernet, Israel’s domestic cyber defense network, led by the Israel National Cyber Directorate with over 1,500 members, including government ministries and major corporations. The National Cyber Directorate uses Cybernet to swiftly disseminate

warnings about cyberattacks and isolate online viruses so they don’t spread, as well as to explain to organizations how to prepare their systems.

Israel is the first and possibly only country to have such a network, National Cyber Directorate Executive Director of Strategy and International Cooperation Aviram Atzaba explained this week, and foreign governments’ cybersecurity units have expressed interest in joining it.

Bennett’s idea to take Cybernet global is not only a smart way of protecting Israel and its allies from cyberattacks by bad actors such as Iran, which he singled out for opprobrium in his speech. Israeli prime ministers have long used Israeli technology as a way of strengthening Israel’s diplomatic standing, bringing it closer to more countries.

But the prestige of Israeli cybersecurity prowess has taken a hit following the NSO report, which has dented Israel’s public

image at a sensitive time and could have negative reverberations in its foreign relations. The report also revealed weaknesses in how Israel regulates sales of defense technology.

PEGASUS IS not a classic cybersecurity product, in that it is not purely defensive. It is considered a “dual use” product – meaning, it can be weaponized – and as such, it needs multiple authorizations from the Defense Export Controls Agency before each sale is made.

DECA was established in 2006, after Israel tried to sell airborne early-warning systems to China, infuriating the US, which demanded greater regulation of Israeli arms deals.

Today, any security-related product must go through four stages before a sale. First, the company must register as a security exporter. Next, it needs to register each product it wants to sell; about 20% of the

products are confidential, and dealing with them requires a security clearance, ranging from protected to top secret.

Next, the company needs a marketing license for the product, which means permission to negotiate a deal with a specific country about a specific product. A new license is required for each product in each country.

The final step is for DECA to review the deal and give authorization to sell the product.

Israel’s considerations in providing licenses include its immediate security needs, such as ensuring the defense technology won’t get into Iran’s hands, as well as international relations, as in the case of the American uproar over selling Phalcon airborne early-warning systems to China, and as such the Foreign Ministry is also involved in DECA.

Dr. Lior Tabansky, head of research development for the Blavatnik Interdisciplinary

Cyber Research Center at Tel Aviv University, which organizes Cyber Week, argued on this week’s Jerusalem Post podcast that, because of the heavy government regulation, Pegasus is “definitely not exported to countries that are known abusers of international norms and liberties.

“The publication of this week is completely strange because there really is no connection between the list of phone numbers that they call evidence and NSO’s potential customers,” he said.

Tabansky also said that NSO sells to governments, which in turn decide whom to target: “That’s not something that is up to the decisions of tech providers.”

Plus, in the case of NSO, it has an internal auditing program to assess risks prior and during the contract. If someone is caught abusing its product, NSO can stop giving the government agency access to it.

However, Tehilla Shwartz Altshuler, head of the Democracy in the Information Age program at the Israel Democracy Institute, said that defense exports have “the heaviest regulation in the market,” and therefore “there is no way the State of Israel didn’t know who NSO is selling to, what it’s selling and under what conditions.”

The NSO story has been framed by much of the international media as something wrong that Israel has done, while much of the Israeli media has reported it as though NSO is a private company doing bad things, Shwartz Altshuler said, calling the Israeli framing “nonsense.”

“There is nothing they sold that wasn’t encouraged by the state,” she posited.

THE DEFENSE Ministry, Foreign Ministry, Justice Ministry, Mossad and other Israeli government agencies are now working on a task force to look into the media reports about NSO and determine if something went wrong in the regulatory process.

Defense Minister Benny Gantz warned at Cyber Week that the government approves cyber products to be sold only “to governments and only for lawful use in order to prevent crime and terrorism. Countries who purchase those systems must adhere to the conditions of use.”

The Knesset Foreign Affairs and Defense Committee also plans to review the matter, with the panel’s chairman, Ram Ben Barak of Yesh Atid saying “we certainly need to take a new look at the whole topic of licenses given by DECA.”

“Truth be told,” Ben Barak told Army Radio, “[Pegasus] has uncovered a lot of terrorist cells and crime families and helped