Executive order sets up guardrails for US use of commercial spyware
President Biden signed an executive order on Monday that prohibits U.S. government agencies from using commercial spyware that presents a national security risk to the United States.
The new guidelines set long-awaited guardrails on how the U.S. government uses commercial spyware and respond to the growing use of the powerful surveillance tools, which allow for buyers to remotely hack into electronic devices and extract information without the target’s knowledge. The technology has become increasingly popular with authoritarian regimes targeting dissidents, journalists and political adversaries, with numerous public accounts of abuse around the globe.
To date, the United States has identified devices associated with 50 U.S. personnel in ten countries across several continents that are confirmed or suspected of being targeted with spyware, a senior administration official told CyberScoop during a press call Monday. The official did not rule out additional instances and said that investigations are ongoing.
In examining the issue, the White House found that “commercial spyware vendors were aggressively marketing, seeking to make inroads across the U.S.’s many law enforcement and intelligence components, sometimes obfuscating their business ties and practices,” according to a senior administration official.
Monday’s guidelines seek to help agencies avoid the use of technology that has a history of being used against the United States or violating human rights. But the executive does not provide an outright ban on U.S. agencies using spyware. Rather, the order seeks to prevent the use of products deemed unacceptable by the U.S. government, while keeping the door open to the use of other commercial surveillance products.
The executive order designates a spyware company as a security risk if it demonstrates any of the following factors: a foreign government or person has used the product to spy against the U.S. government or a U.S. person without the consent of the U.S. government; the spyware has been used by foreign actors in human rights abuses, limiting freedom of expression or curb dissent; or the spyware is used by governments with a history of systematic political repression.
The executive order was issued ahead of the second Summit for Democracy, where the White House plans to release guidance for global partners on limiting spyware.
“I think it’s a great way to tell the world that if you either create dangerous products or sell them in dangerous ways you’re not going to do business with the United States,” ranking member of the House Permanent Select Committee on Intelligence Rep. Jim Himes, D-Conn., told CyberScoop.
Himes said that while the executive order is a “strong tool” there’s more work to be done in Congress. He said Congress should consider the misuse of spyware as a factor in decisions about foreign aid, pointing to the example of Rwanda, which Amnesty International reported as using Pegasus spyware against dissidents.
Himes said he hopes that countries participating in Thursday’s summit commit to following the same principles. “Our voice is much more powerful when its joined by our allies.”
While the new executive order directs information-sharing and a semi-annual intelligence assessment to help agencies make “informed and consistent determinations” about spyware products, it’s not entirely clear how beholden to the rules agencies will be. For instance, the Office of the Director of National Intelligence has the authority to ban agency use of spyware, but it also has the ability to provide waivers to the bans.
The executive order also contains a waiver but one that is narrower in scope. Agencies can only be exempted from using a banned commercial surveillance tool when “necessary due to extraordinary circumstances and that no feasible alternative is available to address such circumstances.” Waivers would be valid for one year at a time.
The exact scope of the U.S. government’s use of commercial spyware remains unclear, and Monday’s order appears to provide U.S. agencies some leeway in using such technology, as long as it is deemed to not pose a national security threat. For instance, the senior administration official declined to say if Graphite, a spyware tool that the New York Times reported was used by the Drug Enforcement Administration, would be banned under the new criteria.
The official declined to go into additional details about what spyware agencies have used that could fall under the risk categories in the executive order. They pointed to the “few instances on the record have been addressed with Congress as well.” Most notably, FBI director Christopher Wray confirmed to Congress last year that the agency has obtained a license for NSO Group’s Pegasus tool but said the agency had never used it.
The new guidelines offer remedial steps to vendors found to pose a national security threat, such as canceling contracts deemed in conflict with U.S. interests. The executive order does not require the government to produce a public list of prohibited spyware companies, the official said.
The executive order is one part of a wider White House strategy to tackle the spyware industry, according to a senior administration official. This effort dates back to 2021, when the Commerce Department added two Israeli spyware companies, NSO Group and Candiru, to its entity list.
Last week, the DNI issued updated guidance on restrictions and requirements for intelligence employees’ post-service employment with foreign governments or companies to include foreign commercial spyware entities — a move that aims to limit the ability of U.S. national security workers to work for spyware companies after leaving their U.S. government jobs.
According to the White House, the Department of State, in consultation with the Office of the Director of National Intelligence has also submitted a classified report on contractors that have knowingly offered spyware services on behalf of foreign governments against the United States or to suppress dissent or intimidating critics. Legislation passed by Congress in December requires intelligence agencies, including the FBI, CIA and NSA, to issue a report to Congress within 90 days assessing the threat spyware poses to the United States.
The executive order builds off legislation passed by Congress granting the Director of National Intelligence the authority to issue guidance on how intelligence agencies can use spyware, including the power to prohibit the intelligence community from licensing or procuring it. The bill also requires the Director of National Intelligence to issue best practices to agencies on how to prevent spyware intrusions.
While a major first for U.S. policy, it’s unclear how much of an impact the executive order will have on the broader spyware industry.
“Fundamentally, the Executive Order focuses on an easy problem in terms of the cyber mercenary space and not on the harder systemic issues,” said Winnona Desombre, a fellow at the Atlantic Council. She said that the new guidelines limit which cyber espionage resources the United States can use, but it’s not clear if other countries will jump on board with similar safeguards.
Whereas the United States is setting up guardrails for domestic use, the European Parliament has set up a special committee investigating the systematic abuse of NSO Group’s Pegasus and similar spyware.
Spyware has been a significant challenge for the tech industry. Apple, Google and Meta have in recent years devoted significant resources to researching the threat and offered new safeguards for consumers. Both Apple and Meta have sued NSO Group for violating U.S. hacking laws.
Updated, March 27, 2023: This article has been updated with comment from Rep. Jim Himes, Winnona Desombre and with additional details about the executive order’s waiver mechanism.