On Monday, President Joe Biden of the United States issued an executive order restricting federal agencies’ use of commercial spyware. According to the order, the spyware ecosystem “poses serious security or counterintelligence threats to the United States Government or significant risks of inappropriate use by a foreign government or foreign person.”
In the document, the utilization of these tools by the government must also be compatible with paying cognizance of the rule of law and democratic norms and principles. To that purpose, the directive outlines the numerous standards that can prevent commercial spyware from being used by U.S. government agencies. They consist of the following:
- A foreign government or individual purchasing commercial malware with the intent to target the United States government.
- A commercial spyware provider acts as an agent for a foreign government engaged in anti-American espionage activities and uses or publishes sensitive information gathered from the cyber surveillance instrument without authorization.
- A foreign threat actor who targets activists and dissidents with commercial spyware in an effort to curtail their freedom of expression or violate their human rights,
- A foreign threat actor who monitors a person in the United States using commercial spyware without their consent, protection, or supervision, and
- The distribution of commercial spyware to nations with a history of systematic political repression and other human rights abuses.
The White House said, “This Executive Order will also lay the groundwork for strengthening international cooperation to encourage responsible use of surveillance technology, fight the spread and abuse of such technology, and spur industry change.”
The Wall Street Journal stated that the number of senior U.S. government personnel infected or targeted by this spyware to date is greater than previously thought, with an estimated 50 spread across at least ten different nations.
Executive Order Bans Federal Agencies From Commercial Spyware
This change comes as sophisticated and intrusive surveillance techniques are increasingly used to remotely access electronic devices utilizing zero-click attacks and gather vital information about targets without their knowledge or agreement. The decision, however, stops short of an absolute ban.
The New York Times revealed last week that Greece’s national intelligence service used Predator, a spyware created by Cytrox, to wiretap and hack Artemis Seaford’s phone. Seaford was a former security policy manager at Meta.
But, the order also left open the prospect that other malware tools, such as IMSI catchers, could be employed by government organizations to gather important information.
In that context, it’s also a recognition that the spyware-for-sale market contributes significantly to intelligence collection efforts despite the fact that the technology poses a rising threat to counterintelligence and national security for government employees.
The Federal Bureau of Investigation (FBI) acknowledged earlier this month that the organization had occasionally bought the location information of American residents from data brokers in order to circumvent the standard warrant procedure. Additionally, it is claimed that the FBI purchased a license for Pegasus from the Israeli company NSO Group in 2020 and 2021, admitting that it was used for R&D.
Similarly to this, the Drug Enforcement Administration (DEA) uses Graphite, a spyware tool created by Paragon, an Israeli business, for counterdrug operations. Whether additional U.S. federal agencies now use any commercial spyware is unclear.
Conclusion
US President Joe Biden has signed an executive order that restricts the government’s use of commercial spyware software to spy on political dissidents around the globe. The Biden administration placed penalties on the Israeli spyware maker NSO Group, which has been at the forefront of international discussions about spyware abuse, more than a year prior to the action taken on Monday. Its Pegasus software has watched numerous political figures, journalists, and proponents of human rights. A statement from the White House, authoritarian regimes are not the only ones that have abused these potent monitoring capabilities.
The use of commercial spyware to target citizens without the proper legal authorization, safeguards, or oversight has been revealed to have occurred within democratic governments as well. The announcement of the order comes as the US gets ready to host a “summit for democracy” later this week. There are exceptions that allow government organizations to use spyware programs if the agency head decides the program does not present a risk to counterintelligence or national security.
Additionally, since both the National Security Agency and the Central Intelligence Agency have a history of unethical surveillance practices, the decision does not apply to spyware developed by these governmental organizations. Human rights organizations have cautioned that the increased accessibility of surveillance tools due to commercial spyware is concerning. It has been claimed that nations like Mexico, El Salvador, Saudi Arabia, and the United Arab Emirates use the software to target journalists and human rights organizations. Additionally, the White House stated on Monday without going into further detail that US government employees abroad “have been targeted by commercial spyware.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.