- Business Insider is taking you behind the scenes of our best stories with our new series "The Inside Story."
- We'll provide readers with an in-depth look at how these stories came together and a peek inside the reporter's notebook.
- This week, BI deputy editor Olivia Oran spoke to technology deals reporter Becky Peterson, who took readers inside the secretive Israeli spyware startup scene, where the notorious NSO Group has spawned a web of companies that hack into devices.
- Peterson shares the challenges of reporting on spyware companies and how it made her rethink her own digital privacy.
- Read her story on NSO Group here.
Olivia Oran: NSO Group is known for being super secretive and closed off to journalists. What first piqued your interest about reporting on the company?
Becky Peterson: My editors first asked me to look into NSO Group around the time of the Jeff Bezos sexting scandal, when his personal security consultant accused Saudi Arabia of hacking Bezos's phone. NSO Group had been linked to Saudi Arabia through earlier reporting on the murder of Jamal Khashoggi, and there were a lot of questions about whether the two situations were linked.
I had just gotten back from a work trip to Tel Aviv, and had been thinking a lot about the startup environment in Israel. I actually spent a day in Herzliya, a town north of Tel Aviv where a lot of the tech companies, including NSO Group, are based. It had a lot in common with Palo Alto. There was even a Columbia store, where you could buy a puffy vest, on the bottom level of one of the more bustling high rises.
So I started asking people in the space what they knew about NSO Group and its competitors, and pretty soon it was clear that the story was much bigger than just one rogue company selling spyware.
Oran: How did you get interested in reporting on cybersecurity?
Peterson: My first role at Business Insider was covering enterprise technology out of our San Francisco bureau. It was 2017, and a lot of startups in cybersecurity were raising funding. So a lot of my early reporting was just about following the money.
But I started thinking about cybersecurity and digital privacy before that. In both my undergrad and master's programs, I spent a lot of time thinking about how our online lives could be used against us by the government, corporations or just other people online. When you're a journalist, you learn pretty quickly how easy it is to find out details of people's lives from their public social media trails. Just imagine what someone with technical expertise could find out.
Oran: Tell me about your reporting process. How long did this story take to come together? Without getting too specific, who are the types of people that you relied on as sources?
Peterson: I've been working on this story for around four months. I was still living in the Bay Area at the time, and my editor called me to talk about the story while I was in the waiting room at the eye doctor. I thought I had a contact lens stuck in my eye.
When I first started reporting, it wasn't clear what I was looking for. I had a sense that Silicon Valley VC firms might be investing in these companies, and that they weren't being upfront about their participation. That turned out to be partially true. I spoke to a number of venture capitalists who said in no uncertain terms that they would never invest in an offensive cybersecurity company.
But they also knew that the VC firm Andreessen Horowitz had. I also reached out to a number of people who were offensive cyber experts themselves, or who had worked with NSO Group at one time or another. For a story like this, most people don't email you back. But the ones that do always have something compelling to share.
Oran: What was the hardest part of reporting out this story?
Peterson: Confirming the details about the startups in the space was a bit of a challenge. Everyone knows about one another's work but no one wanted to throw their tech friends under the bus by sharing information that wasn't public. In a few cases, after sharing a short list of companies I was trying to track down, sources would tell me that there were more I hadn't uncovered, but wouldn't tell me what they were! It's possible there are a few more startups that didn't make it into the story.
A security researcher I spoke to told me that a lot of people in the space are also worried about being followed in person. Anytime a stranger started talking to me about cybersecurity or NSO Group unprompted, I started to wonder if they were sent there to find out what I was working on.
Oran: Any crazy stories you can share?
Peterson: For a while I was looking into this American company called Endgame, which started out in the offensive security space but pivoted into the more commercially viable defensive cyber world. When the company raised its first VC funding nearly a decade ago, it demoed an insane product to investors, where it could zoom in on a map of the globe and identify hackable devices inside of a specific building. In the example I heard, it identified a bunch of exploitable devices in Pakistan's parliament building.
When it comes to a lot of these Israeli startups, the craziest part may be that most of the people are pretty normal startup people, just trying to make their millions using a rather unique skillset they picked up in the Israeli Defense Forces.
Oran: Why do you think it's so important for our readers to understand what's going on at NSO Group and the broader Israeli cyber scene?
Peterson: One of the biggest concerns of opponents to the offensive cyber industry is that all of the secrecy around its products makes it easier for the technology to be abused. And while I am not here to make a claim about whether or not these companies are good or bad, or whether the technology is ethical, I am partial to the journalistic proverb that sunlight is the best disinfectant. This is especially true when it comes to funding these startups. Investors and companies in the tech world talk a lot of talk about "environmental, social and corporate governance," which is a popular way of measuring the ethics of a business. It's up to these backers to make the case for why investments in offensive cyber fit in ESG.
I also think we're on the cusp of a lot of international legislation being set around this issue of cross-border hacking, where corporations and governments are working together.
One reason I thought it was important to discuss how NSO Group's technology actually works is that where the servers and data live could have a big impact on how laws are written and who is held accountable for abuse of this technology.