The US government just shut the door to many spyware salespeople, courtesy of a new White House executive order that bans federal agencies from using commercial spyware that threatens either national security or human rights.
The Biden administration announced the order Monday, calling it a defensive imperative and a key part of its attempts to defend democratic values.
“Foreign governments and persons have deployed commercial spyware against United States government institutions, personnel, information, and information systems,” the order states. The phones of more than 50 government employees stationed overseas have been targeted by these hacking tools, an administration official tells The Washington Post.
The order further notes how undemocratic regimes go after their own citizens with these tools to “target and intimidate perceived opponents; curb dissent; limit freedoms of expression, peaceful assembly, or association,” among other abuses.
Accordingly, the order says executive-branch departments and agencies “shall not make operational use of commercial spyware” if it either “poses significant counterintelligence or security risks to the United States Government” or “poses significant risks of improper use by a foreign government or foreign person.”
The phrase “NSO Group” appears nowhere in the text, but that Israeli spyware vendor is the obvious target of this shunning strategy. NSO’s sales of its Pegasus smartphone-hacking tool to such authoritarian customers as the governments of Saudi Arabia and the United Arab Emirates—regimes that reportedly used it to target human-rights activists and journalists as well as some US allies—have made it one of the world’s most loathed software developers.
In November 2021, the US government banned technology exports to NSO and another Israeli spyware firm, Candiru, as well as Russia’s Positive Technologies and Singapore’s Computer Security Initiative Consultancy. That same month, Apple sued NSO in the US District Court for the Northern District of California, describing that firm in its complaint (PDF) as “amoral 21st century mercenaries” and seeking a ban on NSO using any Apple products.
In September 2019, Vice reported that the Drug Enforcement Agency had passed on NSO’s sales pitch for Pegasus because it would cost too much. In November, the New York Times reported that the FBI had considered using Pegasus as recently as the first half of 2021 before opting against it.
The order instructs the Director of National Intelligence to produce a classified assessment within 90 days of the threat potential of commercial spyware, then update it twice a year.
This is not a blanket ban, though. The order permits using commercial spyware for security research, developing countermeasures and criminal investigations of illegal sale or use of spyware. It also allows the heads of the Defense, Justice, and Homeland Security departments, the DNI, and the directors of the Central Intelligence Agency and National Security Agency to grant one-year waivers of this prohibition for “extraordinary circumstances” and an absence of alternative tools. If so, they must notify the president within 72 hours.
A security expert at one of the first groups to call out the threat posed by NSO’s Pegasus commended the executive order as an effective way to curb the market for commercial spyware.
John Scott-Railton, senior researcher at the University of Toronto’s Citizen Lab, tweeted that the waiver provision is “not designed to be easily circumvented,” calling the order as a whole “one of the most consequential actions to blunt proliferation that I’ve seen a government take.”