Finland, Germany, Ireland, Japan, Poland, South Korea added to US-led spyware agreement

Six new countries have joined an international effort to counter the proliferation and misuse of commercial spyware.

Finland, Germany, Ireland, Japan, Poland and South Korea were added to a previously released joint statement from the U.S. and 10 other countries about the need for regulation and guardrails on spyware. 

The signees agree to establish “robust guardrails and procedures" around spyware, prevent the export of technology that will be used for malicious cyber activity, share information on spyware proliferation and work to raise awareness globally. 

The announcement came at the third Summit for Democracy, held this week in Seoul, South Korea. 

“As authoritarian and repressive regimes deploy technologies to undermine democracy and human rights, we need to ensure that technology sustains and supports democratic values and norms,” Secretary of State Antony Blinken said Monday at the summit.

On Tuesday, the second day of the summit, representatives for the countries will meet in person for the first time to “share best practices and lessons learned, and identify opportunities to most effectively counter the misuse of commercial spyware,” the joint statement said.

During a press call, a senior Biden administration official said some of the new countries were notable — particularly Ireland — because of their role in the spyware industry. Ireland is listed as the home of Intellexa Limited and Thalestris Limited, two companies sanctioned by the U.S. on March 5 for their involvement in distributing spyware. 

Several spyware vendors “have sought to use Ireland essentially as a financial pass-through for some of their activities,” the official said. Intellexa reportedly has had a presence in Ireland since 2019. 

 “So I think what we're trying to do is very deliberately build out a group of like-minded countries, including some in Western Europe, but also beyond that,” the official said.

The inclusion of South Korea and Japan was part of an effort to expand the agreement into Asia, the official said.

The White House has cranked up the number of actions related to spyware this year, announcing a new visa restriction policy in February and then using that tool in the March 5 sanctions. 

On Sunday, CNN reported that part of the reason for the recent upswing in spyware actions was because the U.S. continues to discover government officials across the world being targeted with the malicious software. 

The U.S. initially said last year that it had identified 50 instances where U.S. personnel in at least 10 different countries had been targeted — far more than had been previously known.

The administration official declined to quantify on Monday how many new cases had been discovered when asked about the new numbers by The Record, only warning that U.S. officials are “intensely focused on better understanding the extent to which U.S. government personnel and their family members may be targeted.”

“Governments that acquire this sort of sophisticated surveillance technology more likely than not will first use it against their own populations, but secondarily may use it against diplomats and others from the United States or other governments,” the official said. “Either be quick to surveil them, but also to understand who from their own societies are talking with these diplomats in the country.”

The U.K.’s National Cyber Security Centre said more than 80 countries have purchased spyware over the past decade. Google released a report last month highlighting its outrage at the evolution of the spyware industry, noting that it is tracking at least 40 companies involved in the creation of spyware and other hacking tools that are sold to governments and deployed against “high risk” users, including journalists, human rights defenders and dissidents.

“As threat actors, [commercial surveillance vendors] pose a threat to Google users, as half of known 0-day exploits used against Google products, as well as Android ecosystem devices, can be attributed to [commercial surveillance vendors],” Google officials explained. 

U.S. President Joe Biden signed an executive order last year banning federal agencies from using commercial spyware that could pose security risks to the U.S. or has already been misused by foreign actors. A review done by government officials found multiple U.S. agencies using various forms of spyware. 

Despite the renewed interest in stopping malicious spyware use, several other close U.S. partners, including India, United Arab Emirates and Mexico, have recently been accused of using spyware to target political opponents and journalists.