... The United States has added NSO to a blacklist prohibiting it from receiving U.S. technologies after finding its tools have indeed helped foreign governments “maliciously target” officials, activists, academics and journalists... The practical, legal implications are relatively straightforward: NSO Group and the other three entities included in the designation effectively can no longer do business with any U.S. firm, which could prove challenging since products and services from Amazon, Microsoft, Dell and other U.S. companies have been essential to NSO in disseminating its spyware. The reputational effect may be even more significant, a potential deterrent to customers and investors alike. NSO had hoped to make an initial public offering at a multibillion-dollar valuation.

Now what about the rest of this sprawling and shadowy industry? Spyware has proved a threat to civil society around the globe. The de facto shunning of a particularly skilled purveyor is progress, but what’s really needed are hard and fast rules to check the proliferation of a technology ostensibly designed to catch criminals but all too commonly exploited to quash opposition. These rules are essential not only here but in all nations with a stated commitment to democracy. Ideally, governments would pledge not to procure spyware from any company or country that doesn’t do due diligence on its clients. They would also create export-control regimes mandating independent, public, human rights assessments for the development and sale of these tools, including investigations into the rule of law in the end user’s country. NSO Group has adopted a human rights policy, but the enforcement mechanism has been little more than “trust us.”

... [A] global challenge needs a global response... [T]he United States must lead the way... ensuring that companies no longer can get away with selling a dangerous product merely by refusing to acknowledge that the danger exists.