Last year, the founders of an Israeli startup that sells phone hacking technology to governments realized they had not one business, but two.
NSO Group, which was created by Omri Lavie and Shalev Hulio, sells offensive cyber capabilities that allow governments to remotely infect smartphones with spyware without leaving a trace. Soon, these clients began to worry about whether they were being targeted by the same technology.
“Anybody who sees the capability of NSO systems immediately thinks of ways to protect themselves against similar capabilities,” Avi Rosen, who partnered with the founders to begin a new startup called Kaymera, said in a phone interview. “When we saw the potential, we decided to build a company out of it.”
With the spying revelations of former NSA contractor Edward Snowden straining diplomatic ties and military-grade spyware now available for download on the Internet, governments and companies are scrambling to keep up. That’s allowing startups such as NSO and Kaymera to play opposing sides of the cyber wars, with one selling offensive spying capabilities to governments while the other peddles products that defend against that same technology.
Rosen, who became chief executive officer of Kaymera last November after it raised $3 million from private investors, is quick to point out that NSO is run separately, and his co-founders Lavie and Hulio are not involved in the day-to-day operations of Kaymera. Lavie and Hulio didn't respond to e-mailed requests for comment. The Wall Street Journal reported in August that NSO was acquired by private equity firm Francisco Partners for $110 million.
France’s Vupen Security and U.K.-based Gamma Group also offer surveillance services to governments. Endgame, based in Arlington, Virginia, provides “situational awareness” of cyber activities that can be used for offense or defense, and sells primarily to the U.S. government.
While the government market has become harder to crack in the past couple of years because of suspicion of foreign vendors and technology-sharing regulations, corporate cyber security is booming, according to David Cowan, a partner at Bessemer Venture Partners in Menlo Park, California, who invests in cybersecurity companies, including Endgame.
Rosen said that Snowden's revelations have made the “market aware of the threats that are out there and since we started, multiple players have jumped on the wagon.”
With offices in Herzliya and Geneva, Kaymera sells to both governments and companies, including many European customers. Instead of allowing employees to connect their own cell phones to a secured network, or providing phones with tightly-controlled usage restrictions, Kaymera builds a secured communication network on site for its customers, then gives them commercially-available smartphones with a proprietary version of the Android operating system. This way, Rosen said, clients can use the device like a normal smartphone, without increasing vulnerability. Kaymera is already profitable, he said.
Companies with offensive expertise, like installing spyware that can read text messages or surreptitiously record conversations, are a “very scarce resource” and will have an advantage in the cyber defense market as military-grade attacks become more common, Cowan said.
“We should expect a new generation of cyber companies built on the skills of offensive cybersecurity, and that’s why Israel is very well positioned in the market,” he said. Startups that can repel the kinds of campaigns that brought down Home Depot and JPMorgan Chase "will do very well.”