Washington’s Pegasus Spyware Problem
David Hatami / Dec 17, 2025
"Illustration depicting the spyware maker NSO Group surveilling the world." (Gibrán Aquino)
I grew up on Long Island in the years after September 11, 2001, when being Muslim meant living under quiet scrutiny. The New York Police Department’s “Demographics Unit,” built with help from the CIA, reportedly sent plain-clothes officers and informants to mosques, cafés, student groups and grocery stores across the region. They mapped Muslim communities, tracking daily life without evidence of crime. Years later, internal reviews showed that the program produced no terrorism leads. What it did produce was fear and the notion that proximity to faith was enough to justify surveillance.
That era taught many of us that once technology and suspicion are linked, they rarely separate. Two decades later, the same logic has been exported globally through tools like Pegasus, the zero-click spyware developed by Israel’s NSO Group. Pegasus has been used by governments across the globe to monitor activists, journalists and political dissidents. This fall, in a quiet transaction worth tens of millions of dollars, a private group of American investors acquired NSO.
At first glance, the sale appears to be just another niche transaction in the cybersecurity sector. But NSO does not sell ordinary software; it sells extreme access. The group develops spyware capable of remotely infiltrating a phone and installing software that grants complete access to the target's messages, camera and microphone.
In 2021, six prominent Palestinian human rights defenders — including staff from Al-Haq, Addameer and Defense for Children International-Palestine — are suspected to have had their phones infected with Pegasus, according to an analysis by the Front Line Defenders NGO. These organizations documented alleged war crimes and advocated for accountability under international law. Within months of the suspected surveillance being discovered, Israel designated all six organizations as terrorist groups, a move widely condemned by human rights organizations and rejected by European governments as politically motivated. The surveillance came first; the legal pretext followed.
Similar patterns have emerged in Saudi Arabia, where journalists critical of the government were targeted, and in Morocco, where activists faced imprisonment after being monitored. For years, Washington condemned Pegasus as a symbol of unrestrained digital surveillance. Now, American investors own it.
The immediate question is why. Pegasus remains one of the most controversial tools ever built, effectively banned from United States government use and listed by the Commerce Department as a national security threat. Proponents might argue that American ownership prevents misuse by adversaries and keeps cutting-edge cyber capabilities within the Western sphere. Better for Washington to oversee the technology than let it circulate unchecked, right? But this reasoning collapses under scrutiny.
NSO's business model depends on selling to foreign governments, many of which use the technology for domestic repression. If US investors maintain that client base, the country becomes complicit in those abuses, turning a blind eye to authoritarian surveillance while losing moral authority to condemn it.
Moreover, the acquisition imports foreign policy priorities directly into US sovereignty. NSO was developed with intelligence cooperation from its home country, and its client list has historically served diplomatic objectives, including licensing deals granted to Gulf states, Eastern European governments and allies in Asia. Under US ownership, those entanglements transfer. The US now inherits a surveillance apparatus in its backyard designed to advance strategic interests that may not align with American values.
Without binding restrictions on NSO's operations and clients, American ownership risks creating a hybrid entity: nominally private, functionally strategic and accountable to no one. Existing oversight mechanisms, both domestic and international, are ill-equipped for this reality. The Wassenaar Arrangement, which governs international trade in dual-use technologies, treats surveillance software like any other export and is non-binding. Enforcement is uneven and easily circumvented through shell companies or licensing deals. Inside the US, regulation is even thinner. The Commerce Department’s 2021 decision to blacklist NSO was largely symbolic — it restricted federal procurement but left private investment largely untouched.
The newfound ownership by US investors provides the company with legal and political cover that insulates it from the pressure campaigns that nearly collapsed NSO under its previous structure. What was once a controversial Israeli export becomes an American-backed technology, legitimized by proximity to US capital and harder to challenge or restrict.
The US now sits at the center of a Western surveillance ecosystem that stretches from Tel Aviv to Silicon Valley, an alignment that offers both strategic reach and potential liability. Strategically, it may align Pegasus and similar technologies with American defense interests. Yet it also exposes the absence of rules for how those tools are managed, audited or repurposed once inside the US.
The US presidency and Congress wield the power to establish robust oversight and regulation of an industry which is, in many ways, akin to defense. Advocacy on the part of technologists and action on the part of US politicians are warranted. There is no technical barrier preventing Pegasus from targeting American phones, and existing legal protections are limited.
A Biden executive order sought to bar federal agencies from using commercial spyware, but it did not prevent foreign governments, private actors or even state and local agencies from deploying such tools. Once the infrastructure exists under American ownership, the gap between authorized foreign surveillance and domestic misuse narrows to a policy choice, one that could shift with each administration.
Congress should establish an interagency framework to manage this domain — something akin to the Committee on Foreign Investment in the United States (CFIUS), but focused specifically on offensive cyber technology. Such a body could review acquisitions, license exports and ensure visibility into codebases and clients. While CFIUS does oversee transactions that may give foreign entities control of American businesses, it does not oversee US acquisitions of foreign companies. And yet despite this, the NSO Group has made it clear that it plans to continue being based and operated out of a foreign country and regulated by the relevant foreign authorities. Internationally, Washington should lead a modernization of export regimes like Wassenaar to reflect the realities of digital power, where control over data access can matter as much as control over weapons stockpiles.
The sale of NSO Group is not only a business transaction but a reminder of memory. Two decades ago, surveillance justified in the name of security mapped my own community. Not because of what we had done, but because of who we were. If the US now inherits the world’s most powerful spyware without Washington building the guardrails to contain it, that same logic will return on a larger scale. In the past, the NSO Group has attempted to enter the US in an effort to sell their product to police departments in American cities. This newfound shift in ownership poses a risk to not just American national security, but the constitutional rights of citizens.
America once promised to learn from the excesses of the post-September 11 years. Building a real oversight framework for cyber weapons would be a start.