
Comment by mjreacher

4 years ago

I really don't get this line of argument that regulation is useless. For example, if you made it illegal for ex-US-gov workers to work at companies like these, I would expect the vast majority to comply with this, so at the very minimum you would be limiting the available talent pool. The post several parents up talked about regulation for the biological, nuclear, etc. industries being effective, and although 'cyber' would never be treated in the same way, they're right; after all, you don't see organized criminals running around with biological or radiological weapons now, do you?

I don't know if it's useless. I just know it isn't going to stop NSO-type attacks by state-level actors. People on message boards have very strange ideas about what the available talent pool is; for starters, they seem strangely convinced that it's all people who are choosing between writing exploits and working at a Google office.

  • Of course you will never stop all attacks; however, you can try to limit them in number by making them more expensive to carry out, whether this be by limiting where they can hire from, the kind of political consequences they will incur, etc.

Removing NSO won't limit access to the talent pool in practice, because the key assets of NSO - the vulnerabilities - do not rely on people they employ directly but rather on the global market for exploits.

Currently, some blackhat somewhere finds a vulnerability and sells it to NSO, and then NSO sells it to various countries. If Israel forbids such deals, then the same "someones" (regardless of where they're located - those deals are essentially unregulatable; you might anonymously trade knowledge/PoC for crypto) will sell the vulnerability to NSOv2, headquartered in Panama or Mozambique, and NSOv2 will sell it to the same customers.