In a significant signal to spyware vendors, the Biden administration issued an executive order (EO) prohibiting federal government agencies from using commercial spyware "that poses significant counterintelligence or security risks to the United States Government."
The spyware covered by the EO is predominately malware designed to track and collect data from mobile phones that can be easily installed by one or several clicks on specially crafted links.
At least 50 US government officials are suspected or confirmed to have been targeted by invasive commercial spyware designed to hack mobile phones, administration sources told reporters without specifying who had been targeted or where.
"The proliferation of commercial spyware poses distinct and growing counterintelligence and security risks to the United States, including to the safety and security of US Government personnel and their families," the White House said in a fact sheet.
"US Government personnel overseas have been targeted by commercial spyware, and untrustworthy commercial vendors and tools can present significant risks to the security and integrity of US Government information and information systems."
Perhaps more importantly, spyware made by a host of companies, primarily Israeli companies or those owned by former Israeli operatives including the well-known NSO group, has been used by several foreign governments to target political adversaries, human rights activists, and journalists to quell political opposition.
For example, the journalism non-profit Forbidden Stories coordinated a months-long investigation called the Pegasus Project, named after NSO's infamous mobile spyware called Pegasus. It revealed 50,000 potential victims of the spyware, encompassing journalists, human rights defenders, lawyers, politicians, academics, businesspeople, and even members of royal families and heads of state, including French President Emmanuel Macron.
"A growing number of foreign governments around the world, moreover, have deployed this technology to facilitate repression and enable human rights abuses, including to intimidate political opponents and curb dissent, limit freedom of expression, and monitor and target activists and journalists," according to the White House fact sheet.
"Misuse of these powerful surveillance tools has not been limited to authoritarian regimes. Democratic governments also have confronted revelations that actors within their systems have used commercial spyware to target their citizens without proper legal authorisation, safeguards, and oversight."
Spyware executive order not a blanket prohibition
Although the EO bans federal departments and agencies from using commercial spyware tools, the spyware must meet a series of factors that indicate it poses "significant counterintelligence or security risks to the United States."
Among the factors spelled out in the EO to qualify for the ban include whether it has been used "to gain or attempt to gain access to United States Government computers or the computers of United States Government personnel without authorisation" or has been improperly used by a foreign government.
Another factor that feeds into the ban is whether an entity that provides commercial spyware to governments has a track record of "systematic acts of political repression" consistent with any findings by the Department of State.
In addition, the government may issue an agency a waiver not to exceed one year "if such waiver is necessary due to extraordinary circumstances and that no feasible alternative is available to address such circumstances." The waivers require very high-level government officials to conduct due diligence according to the factors spelled out in the EO and report their reasons for the waivers directly to the President via the Assistant to the President for National Security Affairs (APNSA).
The order will also allow agencies to acquire commercial spyware technology for the "purposes of testing, research, analysis, cybersecurity, or the development of countermeasures for counterintelligence or security risks or for purposes of a criminal investigation arising out of the criminal sale or use of the spyware."
Finally, the order applies to only commercial spyware from foreign entities, not spyware developed domestically. It is unclear to what extent US intelligence and law enforcement agencies such as the NSA, CIA, or FBI have created versions of comparable mobile spyware.
Spyware executive order impact unclear
It is also unclear how many US government agencies already use domestic spyware banned by the EO. FBI Director Chris Wray testified that his agency bought a license for NSO's Pegasus spyware but only for research and development. However, a New York Times investigation revealed that FBI officials pushed to deploy the hacking tools in late 2020 and the first half of 2021.
In 2018, the CIA arranged and paid for the government of Djibouti to acquire Pegasus to assist the American ally in combating terrorism. Finally, the DEA deployed a spyware tool called Graphite made by the Israeli firm Paragon.
In addition, the EO does not extend to state and local law enforcement. In the past, a firm called Westbridge Technologies, billing itself as the "North American branch" of NSO, pitched NSO's Pegasus spyware to local police agencies, including the San Diego police department.
Decreasing the market for spyware
The spyware EO has received a welcomed response from human rights activists and lawmakers. John Scott-Railton, a researcher at the University of Toronto's Citizen Lab, said the US is a desired market for spyware makers, and the Biden administration is setting a "global standard" with this latest action. Representative Jim Himes, the top Democrat on the House Intelligence Committee, said the new order should be followed by other democracies taking a step against spyware.
Betsy Cooper, director of the Aspen Institute's Tech Policy Hub, tells CSO, "It is nice to see the US government putting its foot down. The US is leading by example. I think the bigger signaling is to the companies themselves that the US government may not be the easy end game that you might be hoping they were to sell your product at scale," she adds.
"So, to me, the bigger message here is to the companies themselves, not necessarily to allies that might agree with us. And if the US can lead by example in saying we're not going to purchase the stuff in the vast majority of cases, then hopefully the market for that sort of thing will decrease over time."