U.S. Rolls Out Strict Rules for Commercial Spyware Use, Amidst Rash of Hacks

The Biden administration passed an executive order Monday that seeks to implement strict new guidelines for what kind of commercial spyware can be used by U.S. government agencies.

The new regulation allows the government to ban a particular vendor’s spyware from being used by U.S. government agencies, if the company’s product is found to have contributed to human rights violations, has been used to target U.S. citizens, or has been wielded against activists or journalists. In essence, the government is using its presence as a major consumer of defence products as a cudgel to encourage surveillance firms to behave or face blacklisting.

The announcement comes amidst revelations that more U.S. officials have been targeted by spyware than previously believed. On the same day that the executive order was announced, a senior U.S. administration staffer told reporters that as many as 50 American officials are suspected or confirmed to have been targeted by commercial spyware in recent years. Previous reporting on this subject has focused on a handful of diplomats in foreign countries who had allegedly been targeted for surveillance. The new tally shows that, in reality, the imprint of foreign campaigns aimed at U.S. officials may be much broader.

“Commercial spyware – sophisticated and invasive cyber surveillance tools sold by vendors to access electronic devices remotely, extract their content, and manipulate their components, all without the knowledge or consent of the devices’ users – has proliferated in recent years with few controls and high risk of abuse,” the White House’s announcement reads. “The proliferation of commercial spyware poses distinct and growing counterintelligence and security risks to the United States, including to the safety and security of U.S. Government personnel and their families.”

It should be noted that the Biden administration is not banning the government use of commercial spyware outright, nor is it even promising not to use it. Instead, the focus of the executive order is on curbing commercial vendors that have been caught engaging in activity deemed troubling from a human rights perspective (*cough, cough* the NSO Group), or that don’t appear to have qualms about letting their tools target U.S. networks or officials.

The order follows in the footsteps of a number of other legislative and regulatory efforts that the White House has taken to crack down on the commercial spyware industry. These include new regulatory guidelines that set limits on how and when former U.S. government officials can go to work for foreign cyber firms, as well as efforts to shift export controls to limit the spread of certain products. The government also blacklisted the NSO Group, one of the most controversial vendors in the spyware industry.

The Biden administration is also co-hosting a “Summit for Democracy” later this week that will involve officials from a number of different countries. The White House says its recent executive order is an example of an initiative “advancing technology for democracy,” in alignment with the summit’s values.