Cybersecurity: Crime and Espionage

Biden’s Spyware Order: A Needed First Step

By Steven Feldstein, Allie Funk
Friday, April 28, 2023, 8:16 AM

Investigative reports show that the Mexican government has become the most prolific user of spyware in the world, illegally deploying intrusion technologies from Israel-based NSO Group to spy on prominent human rights defenders, journalists, and government critics. Meanwhile, researchers disclosed that another commercial spyware tool—dubbed Reign and produced by Israel’s QuaDream—was used against multiple civil society targets around the world, including political opposition figures, reporters, and a worker with a nongovernmental organization.

Both of these reports were made public in April of this year. They are just the latest in a series of similar cases documented by human rights groups, technical researchers, and media outlets in recent years.

The list of perpetrators goes well beyond the usual suspects, such as Egypt, Russia, or Saudi Arabia: Alarmingly, at least 74 governments from across the globe—both democracies and autocracies—have acquired commercial spyware or data extraction technology from private vendors, allowing them to flout the rule of law, monitor private communications at their discretion, and harass individuals within and beyond their borders.

As spyware proliferates and government personnel themselves become targets, however, many democracies are finally crafting responses. In March, during the second Summit for Democracy, U.S. President Joe Biden signed an executive order limiting federal agencies’ use of commercial spyware. The order marks an essential step to rein in a shadowy industry that seems unwilling or unable to control how and by whom its products are used. But the ultimate impact will depend on whether the White House can galvanize similar action in Congress, at the local level, and among like-minded governments abroad.

Building Political Will for an Executive Order

The recent executive order is not the Biden administration’s first attempt to curb the global spread of spyware. Recognizing the ways in which the technology abets human rights violations, undermines law enforcement activities, and presents counterintelligence risks, the White House established an interagency policy process in 2021 to drive a concerted response.

In October of that year, the Commerce Department announced a new rule intended to bring U.S. policy in line with other members of the Wassenaar Arrangement, whose 42 governments coordinate export restrictions for dual-use technologies, or tools that can be deployed for both civilian and military purposes. The rule specifically limits the export of malicious software to authoritarian countries, banning sales to China and Russia without a license from the department. It also set the stage for the Biden administration to add four companies, including NSO Group, to the Commerce Department Entity List a few weeks later for abuses linked to their surveillance products. Companies placed on the list can no longer receive products from U.S. firms, such as Microsoft’s Windows operating system or Apple iPhones, without U.S. government approval.

While symbolically important, and certainly devastating to the four named firms, the Entity List designation left the rest of the spyware industry largely unscathed. Spyware abuses have continued to emerge, and subsequent reports revealed that commercial operators have hacked the mobile devices of at least 50 U.S. government employees in 10 countries. It stands to reason that such evidence of very real counterintelligence vulnerabilities helped convince more hesitant members of Biden’s team to take further action against the industry.

Amid these unabated abuses, the March executive order represents the United States’ tightest rules to date. It prohibits federal agencies from the “operational” use of commercial spyware that poses a threat to national security or counterintelligence, or that could be employed by foreign governments to violate human rights or target Americans. Any agency interested in acquiring spyware technology must first conduct an individual assessment to determine whether the transaction passes the executive order’s conditions. Separately, the executive order instructs the director of national intelligence (DNI) to compile a semiannual classified assessment listing any commercial spyware firms prohibited by the order. Only after the agency has completed its review—and has confirmed that the spyware vendor is not on the DNI list—can it then seek approval from the White House to proceed. The likelihood that a federal agency will successfully pass the executive order’s conditions to procure commercial spyware is minimal, given the high procedural hurdles in place.

The executive order does, however, leave some gaps. It applies only to commercially available spyware, leaving out similar intrusion tools developed by governments themselves. There is also a waiver for use in “extraordinary circumstances,” although this high threshold for federal agencies may effectively serve as a ban for commercial tools.

Incentivizing Additional Action at Home

Since the new rule comes in the form of an executive order rather than a law, there is a risk that a future president could reverse it. To prevent such an outcome and ensure that controls on spyware receive durable bipartisan support, the White House could work with Congress to codify the order’s provisions through complementary legislation. One possible path could be expanding the restriction on the use of foreign commercial spyware by U.S. intelligence agencies that Congress included in the most recent National Defense Authorization Act.

As a directive to the federal government, the executive order does not apply to state and local government bodies. This leaves untouched the vast majority of law enforcement agencies in the U.S., many of which have a history of using invasive surveillance with little oversight. The spyware industry itself has shown a growing interest in tapping into this market. Motherboard, Vice’s tech column, reported that NSO Group, for example, has provided demonstrations of its products to police departments in New York City, Los Angeles, and San Diego.

The White House could encourage state and local governments to adopt similar rules to those it announced for the federal government. After all, the administration has already laid the groundwork for such an effort. Another executive order, signed in May 2022, includes a provision calling on federal authorities to assess and report to the president on whether “Federal, State, Tribal, local, and territorial” law enforcement bodies have used or have access to commercial spyware. The Department of Justice and other relevant agencies could consider conditioning certain federal funding on state and local compliance with the new executive order based on their findings. Additional funding for education and training programs about the security, intelligence, and civil rights risks of spyware would also encourage appropriate action from these law enforcement agencies.

More broadly, despite bipartisan congressional and strong public support, the U.S. still lacks a comprehensive federal privacy law, and many agencies have wide surveillance authorities that are open to abuse. Stronger overall privacy protections, along with investigations of and restrictions on the disproportionate use of various surveillance tools, would help fill this gap. For instance, there remains little public information about how the Drug Enforcement Administration purchased and has deployed Graphite, spyware from Israeli firm Paragon. More than 2,000 state and local law enforcement agencies and nearly every federal cabinet department have purchased tools from Israel-based Cellebrite that physically connect to a mobile device or computer and extract all personal data for analysis. There remains little oversight and clarity about Cellebrite’s use in the U.S. And agencies at both the federal and local levels are known to use “big data” systems that monitor and extrapolate information from social media, including to target First Amendment-protected activities.

Rallying Foreign Partners for a Coordinated Response 

The executive order’s impact on the global spyware trade depends on subsequent policy action from other governments. If the White House wants to guarantee effective international cooperation on spyware, it will need to use its diplomatic and economic leverage to strengthen that cooperation and encourage like-minded governments to implement common standards. 

These efforts are already underway. A new joint statement by the U.S. and 10 other countries outlines their commitment to limiting the use of spyware at home, strengthening information-sharing with industry and civil society, and pressing nonsignatories to follow suit. The Export Controls and Human Rights Initiative, launched during the first Summit for Democracy last year, developed a code of conduct detailing how subscribing states can better incorporate human rights considerations into export controls. And the governments of France and the United Kingdom have agreed to bolster efforts to tackle commercial spyware through the U.K.-France Cyber Dialogue.

Some governments have gone further. Last year, Costa Rica became the first country to call for a global moratorium on commercial spyware. Early this April, the government of the Catalonia region in Spain approved a moratorium on the “export, sale, transfer, and use” of tools like NSO Group’s Pegasus until the government can verify that these firms are complying with human rights.

Still, Europe lacks sufficient legal protections against the misuse of spyware. Certain member states in the European Union—including Spain, Cyprus, Hungary, Greece, and Bulgaria—remain hotbeds for spyware firms, due in part to the respective state authorities ignoring these companies’ activities. Despite revelations that law enforcement agencies, intelligence services, or unidentified perpetrators have targeted politicians and journalists in several of these countries, the political will to regulate the industry remains inadequate. For example, a member of the European Parliament who participated in a fact-finding trip to examine the Spanish government’s use of spyware against Catalan politicians came away discouraged: “It turns out it’s incredibly difficult to establish the facts because we get little to no official information [from Spanish authorities].”

Israel remains another major challenge. Israeli companies are leading global exporters of cybersurveillance technologies. The governments of at least 56 countries have procured spyware from firms that are either based in or connected to Israel, including NSO Group, Cellebrite, Cytrox, and QuaDream. Israel has an export licensing regime in place, overseen by the Ministry of Defense, but officials pay scant attention to democracy or human rights concerns, instead solely prioritizing geopolitical and national security interests. For instance, an investigative report from Haaretz documents how Israeli authorities denied approval of spyware exports to Bangladesh due to concerns that the technology could make its way to Pakistan, a potentially more hostile power, rather than qualms about Bangladesh’s abhorrent human rights record. While governments have an interest in securing their geopolitical goals, Israel’s disregard for human rights considerations is deeply troubling. A change in the government’s approach to its export regime would have an outsized impact on the market, shrinking the supply of tools from which offending governments can choose.

Nonetheless, the spyware market is stubbornly resilient, with established firms rebranding or reincorporating in different countries to bypass export controls, and smaller suppliers popping up in response to growing demand. QuaDream has reportedly shut down in the wake of the recent University of Toronto Citizen Lab report about misuse of its products, but its technology and employees could easily reconstitute under a newly incorporated firm (similar to Italian spyware firm Hacking Team’s attempt to reconstitute as Memento Labs). The adoption of compatible and reinforcing export regimes by more governments can help reduce the number of jurisdictions in which spyware companies can set up shop. Working closely with civil society can help ensure that democracies’ lists of prohibited companies are swiftly and appropriately updated as the industry evolves. The Freedom Online Coalition, a 37-member state body chaired by the U.S. this year, as well as the U.S.-EU Trade and Technology Council, are potential forums in which to push for and solidify further action. 

Channeling Momentum for Broader Reform

Commercial spyware is one element of a much larger surveillance problem that has plagued human rights in the digital age. And democracies’ own track records of excessive surveillance undermine the credibility of their commitments. It would be a missed opportunity if the current push to regulate spyware products failed to generate global norms for the broader ecosystem of surveillance technology, including digital forensics, social media monitoring, network interception, and biometrics.

The U.S. has rightfully exercised its legal and economic power to address the excesses of the commercial spyware industry. The risks to human rights and national security are simply too grave to do otherwise. But without further action to reduce both demand for and supply of these technologies, the industry will continue to evade restrictions and pursue its harmful trade.