Biden administration limits commercial spyware use in federal government
President Joe Biden signed an executive order Monday that bans federal agencies from using commercial spyware that could pose security risks to the U.S. or already has been misused by foreign actors.
The executive order, which has been in development for months, seeks to address a growing number of incidents of spyware abuse abroad as well as reports of it being used improperly to target U.S. officials, government systems and ordinary citizens.
The directive is the first in a series of actions by the White House to deal with the proliferation of virtual spyware in recent years. The industry has grown as more companies develop ways to quietly infiltrate people’s devices and market those tools to governments around the globe.
“We believe this executive order will … help spur reform in a largely unregulated and insufficiently controlled industry, including by outlining responsible use and remedial factors that are intended to prevent misuse and reduce risks to U.S. national security,” a senior administration official told reporters.
“Misuse of the powerful surveillance tools have not been limited to authoritarian regimes,” the official added. “Democratic governments also have confronted revelations that actors within their own system use commercial spyware to target their own citizens without proper legal authorization, safeguards in oversight.”
The official noted that Director of National Intelligence Avril Haines — in response to recently proposed legislation — last week issued a binding directive placing new statutory restrictions on former intelligence agency workers from seeking employment with foreign governments or companies, including foreign commercial cyber entities.
Biden’s order creates a list of factors to indicate if spyware technology is being abused, including if a foreign government or person attempts to gain access to the electronic device of a U.S. citizen without their permission or monitors the person without proper legal authorization.
The administration official said that in working on the order, the White House had identified 50 instances where U.S. personnel in at least 10 different countries had been targeted — far more than had been previously known — and officials are still working to uncover any additional instances.
The new directive also cites if a foreign actor deploys the technology against “activists, dissidents, or other actors to intimidate; to curb dissent or political opposition; to otherwise limit freedoms of expression, peaceful assembly or association; or to enable other forms of human rights abuses or suppression of civil liberties,” according to a White House fact sheet.
In addition, if the commercial spyware is “furnished to governments for which there are credible reports that they engage in systematic acts of political repression, including arbitrary arrest or detention, torture, extrajudicial or politically motivated killing, or other gross violations of human rights,” the document adds.
The directive identifies steps that commercial spyware vendors can take to prevent them from being identified as a potential risk, such as canceling relevant licensing agreements or contracts.
However, the administration said the order does not mandate the creation of a list of entities that run afoul of the guardrails as each instance will “need to be determined on a case-by-case basis.” Nor does the order require the public to be notified when a violation occurs.
The directive’s announcement coincides with the second Summit for Democracy that is slated to begin on Tuesday. At the event, which is organized by the U.S. and a number of other countries, the administration will release a set of guiding principles for governmental use of surveillance technology — something that was promised during last year’s summit.
The administration official stressed the order is “partly us getting ahead of a challenge” posed by spyware, as there have been “no concrete, consistent standards across the U.S. government.”
The directive will allow the U.S. to “lead by example,” according to the official.
Martin Matishak is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.