U.S. Executive Order Bans Government Use of Commercial Spyware
U.S. President Joe Biden signed an executive order Monday that bans U.S. government agencies from “operational use of commercial spyware that poses significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person.”
The spywares addressed are sophisticated and expensive programs that in general are purchased by nation-states with the intended primary use of uncovering and mitigating terrorist plots and other criminal activity that threatens the public. However, the technology is also being used by governments to spy on journalists and those deemed enemies of the state, as well as a tool to enable domestic violence.
John Scott-Railton is a senior researcher at the University of Toronto’s The Citizen Lab. He broke down how the executive order was intended to have a chilling effect on spyware companies in a long Twitter thread.
“The [order] is the first comprehensive action by any government on spyware,” he tweeted. “It was clearly drafted to pump the breaks on proliferation [and] is written with a good understanding [of] the slippery nature of the industry. It closes many loopholes. …The [order] is one of the most consequential actions to blunt proliferation that I’ve seen a government take.”
BREAKING: Biden White House issues executive order on commercial spyware.
— John Scott-Railton (@jsrailton) March 27, 2023
Also confirms over 50+ USG personnel suspected targeted w/#Pegasus
Huge deal, let me break the new #SpywareEO down. 1/ pic.twitter.com/jOcYxnVMnd
The order does have some careful wording. For example, use of the word “operational” indicates that U.S. agencies can purchase spyware technology to study it rather than to deploy it. It also carves out a limited exemption, saying that if no alternative is available and if an agency can demonstrate a technology is of immediate, critical importance, the agency can deploy it with permissions for up to one year at a time. It also specifically bans the use of commercial spyware. Spyware that is developed internally by agencies, including the National Security Agency, the CIA, or the FBI, is not part of the order.
In a related announcement, administration officials said that an ongoing security review discovered at least 50 U.S. government personnel who have been the victims of the commercial spyware at the heart of the order.
“We were astounded by the number,” a senior administration official said, as reported by The Washington Post. “We had a hunch early on, when we started this process that [such spyware] could pose counterintelligence and security risks. … We realized increasingly that the counterintelligence and security risks were profound.”
Security Management asked IT Security Community Steering Committee Member David Morgan about the risks and dangers of the spyware targeted by the order. One big danger is how the spyware is deployed.
“We’ve been trained not to click on unfamiliar links in emails or text messages,” Morgan says. What makes spyware so dangerous is that “it can be sent directly to a device via a phone number, and it doesn’t require the user to click any links or anything else. They’ve figured out how to exploit vulnerabilities on devices without requiring any user interaction.”
Once on a phone, spyware “can do everything,” he says. “Even five years ago there was technology that can turn your microphone on—even when the phone is shutdown if the battery is in and has a charge. It can steal information from applications—so as the applications are transmitting that data, it can steal it in transit. I’ve read reports it can steal WiFi passwords of networks the device is connected to, and with problems like password re-use, a user’s other accounts could be exposed.”
He also described the software as “extremely stealthy” and that it takes advanced cybersecurity technicians to even detect whether or not a device has been compromised. “If you do think a device has been compromised, you’re better off just destroying the device and getting a new phone number.”
He does note that, in general, most people do not need to be concerned about this type of intrusion on their personal devices. He says these are mostly attacks against specific people that spyware users believe are high-value targets. In addition to dissidents, journalists, and government officials, CEOs and other senior executives of major corporations fall into this category. The best defense, he says, is to ensure mobile devices download and install security updates as soon as they become available.
Overall, it appears one of the intended affects of the executive order is to put pressure on for-profit companies who develop and market spyware, with the Israeli NSO Group, and its Pegasus software, probably the most prominent example.
“The NSO is one of a couple dozen companies that create spyware like this,” Morgan says. “The NSO just happens to be the most significant. …I think the order is timely given a lot of the events we’re seeing in the news, not just related to Pegasus, but other types of software that’s prevalent in our society today that could be used to spy on people and it’s really sounding that alarm. But at the same time, the order is acknowledging that we don’t know everything about it yet, and we have a long road ahead of us to understand how deep this problem is.”
By issuing the order, Morgan adds that the U.S. government is putting the world on notice that it will not tolerate spyware being used for human rights violations.
“At the end of the day, the software has legitimate purposes. Any spyware like this is meant to track criminal and terrorist activities,” Morgan says. “But what we have seen over the past decade is that a lot of countries are using it in order to spy on their citizens or citizens of their adversaries. So will the order have an effect? Yes, I think it will because it’s an executive order from the United States saying we’re not going to tolerate this anymore and neither should you. And I think a lot of other countries will take notice of it.”
