On March 27, 2023, reports surfaced that 50 U.S. government employees had been targeted by phone spyware overseas. On the day of that report, President Joe Biden signed an executive order to restrict federal agencies’ use of commercial spyware. The timing of the order was linked to this specific phone-targeting exploit. But spyware infiltration of government officials — and by government officials — has been a recurring problem globally.
Commercial spyware has long been entwined with statecraft and spycraft, both in autocracies and democracies. Will the executive order damage or even deter the firms who create it or how governments use it? Will it close off the lucrative U.S. market for some makers? The definitive answer is… maybe.
A complicated problem
The White House fact sheet notes the order prohibits “operational use by the United States Government of commercial spyware that poses risks to national security or has been misused by foreign actors to enable human rights abuses around the world.” And yet, less than a week later on April 2, 2023, a report surfaced of a U.S. government agency already violating the spyware executive order.
The order notes that foreign governments use spyware to repress and abuse people, quash dissent and surreptitiously monitor activists, journalists and dissidents. The directive is not a blanket ban on spyware. Instead, it prohibits tools known to have been used against U.S. citizens, that use data without authorization, that have disclosed private information about the U.S. government or its activities, that are controlled by a foreign government and have been or are used to repress human rights.
The order provides a workaround for agencies, allowing use for security research, criminal investigations and the creation of countermeasures. The specific target of this order is commercial spyware. It does not place limits on the creation or deployment of spyware created by intelligence agencies.
Decades of spyware use and abuse
The history of governments using commercial spyware may be longer than you would imagine. From 2011 to 2023, at least 74 governments entered contracts for commercial spyware, according to this data set of commercial spyware and digital forensics collected by the Carnegie Endowment for International Peace. Carnegie also notes that autocratic regimes are more likely to purchase commercial spyware and that Israel is a leading exporter of these tools. Of the 74 governments listed in the data set, 56 of them purchased their spyware from Israeli firms. Those firms include NSO Group, Cellebrite, Cytrox and Candiru. They also note that a secondary market for spyware boutique firms has emerged. Those smaller firms operate without the scrutiny that some of the larger firms experience.
American federal employees and diplomats around the world have been popular targets of spyware exploits. In December 2021, Reuters first reported the Apple iPhones of 11 State Department employees were hacked using Pegasus spyware developed by NSO Group. Pegasus allows clients of NSO Group to eavesdrop on conversations, steal files and track the movements of targets. All those attacked were either based in or worked on matters associated with Uganda.
Incidents like these have attracted the attention of U.S. lawmakers. They worry these tools could be turned on American citizens by their own government. In December 2022, lawmakers inquired into the U.S. government’s use of foreign spyware, like Pegasus and a similar hacking tool, Graphite, produced by Israeli company Paragon. The House Intelligence Committee asked the Drug Enforcement Administration for detailed information on the tool’s use. The DEA replied that its use was legal and used only outside the U.S., but did not answer questions on whether American citizens could be targeted by the tool.
Some creators of the spyware will be financially harmed. But smaller, less noticed groups that fly under the radar and, in all likelihood, contract with more autocratic regimes and teetering democracies will probably continue to find a market for their goods. It’s also likely that larger and better-funded governments will rely more on non-commercial military and intelligence spyware. That’s especially true if they can deliver the same results as commercial operators.
The misuse of spyware
The NSO Group’s fate may serve as an object lesson for commercial spyware creators. Its Pegasus zero-click software, which infiltrates cell phones without detection, has been a central player in well-publicized spyware abuses. Some of the more infamous of these occurred in Saudi Arabia. Notably, the software was on the phones of associates of Saudi-American journalist Jamal Khashoggi murdered by the Saudis. The software also aided the capture, imprisonment and torture of Saudi women’s rights activist Loujain al-Hathloul.
Abuses of spyware sparked the Pegasus Project in 2020, an investigation by 80 journalists from 17 global media organizations. The project began with the leaking of 50,000 phone numbers of opposition politicians, activists, journalists, lawyers and political dissidents. In November 2021, NSO Group was added to the U.S. Entity List for being “involved in activities that are contrary to the national security or foreign policy interests of the United States.” This blacklist maintained by the U.S. Department of Commerce prohibits listed organizations from receiving American technologies. Since the blacklisting by the U.S. government, the notoriety brought by the Pegasus Project coverage, and lawsuits (such as the Meta lawsuit brought against NSO for WhatsApp malware), NSO Group has struggled with the spyware maker going nearly broke. The company remains in the spyware business but has struggled through the financial and reputational hits of recent years.
Pandora’s box is already open
All this history brings us back to the present day and the current executive order. The order notes that U.S. security requires the promotion of democracy and democratic values around the world. One purpose of the order is to ensure “that the United States Government does not contribute, directly or indirectly, to the proliferation of commercial spyware that has been misused by foreign governments or facilitate such misuse.” That’s a laudable goal, but Pandora’s box of commercial spyware has already been opened.
As the Carnegie Endowment for International Peace notes in a March 2023 paper on why the spyware industry thrives: “Ongoing high demand for intrusion technology contributes to the resilience of the commercial spyware and digital forensics market. Even if one supplier is sanctioned, there is sufficient financial motivation for other suppliers to fill in the gap.”