President Biden signed an executive order today that prohibits Federal agencies from using – on an operational basis – commercial spyware technology if the use of that technology would pose risks to U.S. national security, or if the technology “has been misused by foreign actors to enable human rights abuses around the world.”
According to the text of the order, Federal government executive departments and agencies “shall not make operational use of commercial spyware where they determine, based on credible information, that such use poses significant counterintelligence or security risks to the United States Government or that the commercial spyware poses significant risks of improper use by a foreign government or foreign person.”
The order appears to be aimed, at least in part, at protecting U.S. government personnel and government information systems, and at bolstering U.S. policy going into this week’s Summit for Democracy, which President Biden is cohosting with leaders from Costa Rica, the Netherlands, South Korea, and Zambia.
The White House said the order “demonstrates the United States’ leadership in, and commitment to, advancing technology for democracy, including by countering the misuse of commercial spyware and other surveillance technology.” The order “will also serve as a foundation to deepen international cooperation to promote responsible use of surveillance technology, counter the proliferation and misuse of such technology, and spur industry reform,” it said.
“Commercial spyware – sophisticated and invasive cyber surveillance tools sold by vendors to access electronic devices remotely, extract their content, and manipulate their components, all without the knowledge or consent of the devices’ users – has proliferated in recent years with few controls and high risk of abuse,” the White House said in a fact sheet accompanying the order.
“The proliferation of commercial spyware poses distinct and growing counterintelligence and security risks to the United States, including to the safety and security of U.S. Government personnel and their families,” the White House said. “U.S. Government personnel overseas have been targeted by commercial spyware, and untrustworthy commercial vendors and tools can present significant risks to the security and integrity of U.S. Government information and information systems.”
“A growing number of foreign governments around the world, moreover, have deployed this technology to facilitate repression and enable human rights abuses, including to intimidate political opponents and curb dissent, limit freedom of expression, and monitor and target activists and journalists,” the White House said. “Misuse of these powerful surveillance tools has not been limited to authoritarian regimes. Democratic governments also have confronted revelations that actors within their systems have used commercial spyware to target their citizens without proper legal authorization, safeguards, and oversight.”
Key Definitions – Spyware
The order defines commercial spyware as “any end-to-end software suite that is furnished for commercial purposes, either directly or indirectly through a third party or subsidiary, that provides the user of the software suite the capability to gain remote access to a computer, without the consent of the user, administrator, or owner of the computer, in order to”:
- Access, collect, exploit, extract, intercept, retrieve, or transmit content, including information stored on or transmitted through a computer connected to the internet;
- Record the computer’s audio calls or video calls or use the computer to record audio or video; or
- Track the location of the computer.
Key Definitions – Security Risks
The order says that commercial spyware may pose counterintelligence or security risks to the U.S. government when:
- A foreign government or person has “acquired the commercial spyware to gain or attempt to gain access to United States Government computers or the computers of United States Government personnel without authorization from the United States Government”;
- The commercial spyware is furnished by an entity that uses data obtained from the spyware without authorization of end-users of the U.S. government, or intends to disclose that data; or
- The commercial spyware is furnished by an entity that is under the control of a foreign government “engaged in intelligence activities, including surveillance or espionage, directed against the United States.”
It goes on to say that commercial spyware may pose risks of improper use by foreign entities when the spyware has been used:
- to collect information on activists, academics, journalists, dissidents, political figures, or members of non-governmental organizations or marginalized communities in order to intimidate such persons; curb dissent or political opposition; otherwise limit freedoms of expression, peaceful assembly, or association; or enable other forms of human rights abuses or suppression of civil liberties; or
- to monitor a U.S. person, without such person’s consent, in order to facilitate the tracking or targeting of the person without proper legal authorization, safeguards, and oversight; or
- the spyware is produced by an entity that “provides commercial spyware to governments for which there are credible reports in the annual country reports on human rights practices of the Department of State that they engage in systematic acts of political repression, including arbitrary arrest or detention, torture, extrajudicial or politically motivated killing, or other gross violations of human rights.”
Next Steps for Feds
According to the order, the director of national intelligence (DNI) has 90 days to issue a classified intelligence assessment on foreign commercial spyware or foreign government or foreign person’s use of commercial spyware relevant to the executive order.
Following that, the assistant to the president for national security affairs (APNSA) will convene Federal agencies to discuss the intelligence assessment, as well as any other information about commercial spyware relevant to the order.
Within 90 days after the DNI provides that assessment, Federal agencies will “review all existing operational uses of commercial spyware and discontinue, as soon as the head of the agency determines is reasonably possible without compromising ongoing operations, operational use of any commercial spyware that the agency determines poses significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person.”
Within 180 days, agencies “that may make operational use of commercial spyware shall develop appropriate internal controls and oversight procedures for conducting determinations” as to whether that use is prohibited by the executive order.
If an agency decides to make operational use of commercial spyware, it will have to inform the APNSA of that decision.
The order says that the Federal Acquisition Security Council shall consider the DNI intelligence assessment in evaluating whether commercial spyware poses a supply chain risk.
Finally, the order says that prohibitions in the order “shall not apply to the use of commercial spyware for purposes of testing, research, analysis, cybersecurity, or the development of countermeasures for counterintelligence or security risks, or for purposes of a criminal investigation arising out of the criminal sale or use of the spyware.”