Biden order puts new guardrails around government purchase, use of commercial spyware

The Biden administration issued a new executive order Monday that would ban U.S. government agencies from purchasing or using certain commercial spyware programs.

According to the order, federal agencies would be barred from “operational” use of such spyware “when they determine, based on credible information, that such use poses significant counterintelligence or security risks to the United States government” or could be compromised or leveraged by a foreign actor.

The order appears to leave room for agencies to continue buying or using such tools. For any purchase and use of a spyware program (other than one related to an ongoing investigation of criminal use or sale of the software), agencies must consult with the Office of the Director of National Intelligence for relevant information about foreign exploitation, consider whether the seller has implemented “reasonable due diligence” to ensure the tool isn’t being sold to or used by other actors to create counterintelligence or security risks to the U.S., and submit a review to the National Security Advisor.

Among the factors agencies will be required to consider when evaluating a vendor are whether the tool has been used against the United States or government employees, and whether the vendor has sold spyware to foreign governments with documented records of systemic oppression against their citizens or political dissidents.

It also requires agencies to report within six months of a purchase on how they are implementing the executive order and annual reports on operational use.

The White House also echoed broader arguments that the spread and use of such tools ultimately threatens the privacy of everyone, including government officials. The order also comes as the Washington Post and other outlets reported that up to 50 U.S. government employees in 10 separate countries have been targeted by such commercial spyware.

“The proliferation of commercial spyware poses distinct and growing counterintelligence and security risks to the United States, including to the safety and security of U.S. Government personnel and their families,” a fact sheet from the administration states. “U.S. Government personnel overseas have been targeted by commercial spyware, and untrustworthy commercial vendors and tools can present significant risks to the security and integrity of U.S. Government information and information systems.”

There is an exception built into the order for agencies that use the spyware for testing, research, analysis, cybersecurity or to develop countermeasures for counterintelligence or security risks. Additionally, agencies can waive the rules for up to a year if officials determine “that such waiver is necessary due to extraordinary circumstances and that no feasible alternative is available to address such circumstances.”

Biden order "pumps the brakes" on spyware proliferation

John Scott-Railton, a senior researcher at non-profit Citizen Lab who has done extensive research on spyware tools like NSO's Pegasus, called the administration's executive order "one of the most consequential actions to blunt proliferation that I've seen a government take."

"It was clearly drafted to pump the brakes on proliferation [and] is written with a good understanding of the slippery nature of the industry. It closes many loopholes," Scott-Railton said on Twitter.

The order defines commercial spyware as “any end-to-end software suite” sold commercially that either directly or indirectly provides users the ability to gain remote access to a computer without the consent of the user or administrator in order to access, collect, exploit, extract, intercept, retrieve or transmit content, record audio or video calls, or track the location of the user.

The order was released ahead of the administration’s second Summit on Democracy, scheduled to take place March 29 and 30, with government representatives from Costa Rica, The Netherlands, South Korea and Zambia.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
