On March 27, 2023, reports surfaced that 50 U.S. government employees had been targeted by phone spyware overseas. On the day of that report, President Joe Biden signed an executive order to restrict federal agencies’ use of commercial spyware. The timing of the order was linked to this specific phone-targeting exploit. But spyware infiltration of government officials — and by government officials — has been a recurring problem globally.

Commercial spyware has long been entwined with statecraft and spycraft, both in autocracies and democracies. Will the executive order damage or even deter the firms who create it or how governments use it? Will it close off the lucrative U.S. market for some makers? The definitive answer is… maybe.

A complicated problem

The White House fact sheet notes the order prohibits “operational use by the United States Government of commercial spyware that poses risks to national security or has been misused by foreign actors to enable human rights abuses around the world.” And yet, less than a week later on April 2, 2023, a report surfaced of a U.S. government agency already violating the spyware executive order.

The order notes that foreign governments use spyware to repress and abuse people, quash dissent and surreptitiously monitor activists, journalists and dissidents. The directive is not a blanket ban on spyware. Instead, it prohibits tools known to have been used against U.S. citizens, that use data without authorization, that have disclosed private information about the U.S. government or its activities, that are controlled by a foreign government and have been or are used to repress human rights.

The order provides a workaround for agencies, allowing use for security research, criminal investigations and the creation of countermeasures. The specific target of this order is commercial spyware. It does not place limits on the creation or deployment of spyware created by intelligence agencies.

Decades of spyware use and abuse

The history of governments using commercial spyware may be longer than you would imagine. From 2011 to 2023, at least 74 governments entered contracts for commercial spyware, according to this data set of commercial spyware and digital forensics collected by the Carnegie Endowment for International Peace. Carnegie also notes that autocratic regimes are more likely to purchase commercial spyware and that Israel is a leading exporter of these tools. Of the 74 governments listed in the data set, 56 of them purchased their spyware from Israeli firms. Those firms include NSO Group, Cellebrite, Cytrox and Candiru. They also note that a secondary market for spyware boutique firms has emerged. Those smaller firms operate without the scrutiny that some of the larger firms experience.

American federal employees and diplomats around the world have been popular targets of spyware exploits. In December 2021, Reuters first reported the Apple iPhones of 11 State Department employees were hacked using Pegasus spyware developed by NSO Group. Pegasus allows clients of NSO Group to eavesdrop on conversations, steal files and track the movements of targets. All those attacked were either based in or worked on matters associated with Uganda.

Incidents like these have attracted the attention of U.S. lawmakers. They worry these tools could be turned on American citizens by their own government. In December 2022, lawmakers inquired into the U.S. government’s use of foreign spyware, like Pegasus and a similar hacking tool, Graphite, produced by Israeli company Paragon. The House Intelligence Committee asked the Drug Enforcement Administration for detailed information on the tool’s use. The DEA replied that its use was legal and occurred only outside the U.S., but did not answer questions on whether American citizens could be targeted by the tool.

Some creators of the spyware will be financially harmed. But smaller, less noticed groups that fly under the radar and, in all likelihood, contract with more autocratic regimes and teetering democracies will probably continue to find a market for their goods. It’s also likely that larger and better-funded governments will rely more on non-commercial military and intelligence spyware. That’s especially true if they can deliver the same results as commercial operators.

The misuse of spyware

The NSO Group’s fate may serve as an object lesson for commercial spyware creators. Its Pegasus zero-click software, which infiltrates cell phones without detection, has been a central player in well-publicized spyware abuses. Some of the more infamous of these occurred in Saudi Arabia. Notably, the software was found on the phones of associates of Saudi-American journalist Jamal Khashoggi, who was murdered by the Saudis. The software also aided the capture, imprisonment and torture of Saudi women’s rights activist Loujain al-Hathloul.

Abuses of spyware sparked the Pegasus Project in 2020, an investigation by 80 journalists from 17 global media organizations. The project began with the leaking of 50,000 phone numbers of opposition politicians, activists, journalists, lawyers and political dissidents. In November 2021, NSO Group was added to the U.S. Entity List for being “involved in activities that are contrary to the national security or foreign policy interests of the United States.” This blacklist, maintained by the U.S. Department of Commerce, prohibits listed organizations from receiving American technologies. Between the U.S. blacklisting, the notoriety brought by the Pegasus Project coverage and lawsuits (such as the Meta lawsuit brought against NSO over WhatsApp malware), NSO Group has come close to going broke. The company remains in the spyware business but has struggled through the financial and reputational hits of recent years.

Pandora’s box is already open

All this history brings us back to the present day and the current executive order. The order notes that U.S. security requires the promotion of democracy and democratic values around the world. One purpose of the order is to ensure “that the United States Government does not contribute, directly or indirectly, to the proliferation of commercial spyware that has been misused by foreign governments or facilitate such misuse.” That’s a laudable goal, but Pandora’s box of commercial spyware has already been opened.

As the Carnegie Endowment for International Peace notes in a March 2023 paper on why the spyware industry thrives: “Ongoing high demand for intrusion technology contributes to the resilience of the commercial spyware and digital forensics market. Even if one supplier is sanctioned, there is sufficient financial motivation for other suppliers to fill in the gap.”
