Biden signs executive order to clamp down on commercial spyware
President Joe Biden signed an executive order on Monday that clamps down on the US government’s use of commercial spyware, citing the risks the surveillance gear poses to national security and potential abuse by foreign actors.
“The proliferation of commercial spyware poses distinct and growing counterintelligence and security risks to the United States,” the White House said in a statement.
“This executive order seeks to ensure that any US government use of commercial spyware aligns with the United States core national security and foreign policy interests in upholding and advancing democratic processes and institutions, and respect for human rights,” it added.
Alexandra Seymour, an associate fellow for the technology and national security programme at the Center for a New American Security (CNAS), told Middle East Eye that the executive order demonstrated Washington’s recognition of the emerging threat posed by commercial spyware.
There is a robust appetite for technology that allows users to secretly invade mobile phones, accessing their private data or converting them into tracking and recording devices to spy on their owners.
“The trade in this technology has not only flourished with authoritarian regimes but increasingly in democratic countries and key US allies,” Seymour said.
Israel ranks as the top origin country for spyware, according to an industry data set maintained by the Carnegie Endowment for International Peace in Washington.
The executive order comes as the Biden administration prepares for the launch of its second annual Democracy Summit where the US will host an event on the misuse of technology, with Secretary of State Anthony Blinken and national security director Avril Haines set to speak.
The administration has faced calls to take a more active role on the issue from Congress.
“This was deliberate timing before the summit,” a senior congressional aid told MEE on condition of anonymity. “The administration understands there is broad bipartisan concern about the unchecked growth of commercial spyware and risks to US citizens.”
The 2023 Intelligence Authorization Act included a provision that requires former intelligence agency employees to report their work with commercial spyware companies.
'We are seeing a ‘substitution effect’ where firms like Intellexa enter in the wake of problems for NSO group'
- Steven Feldstein, Carnegie Endowment for International Peace
Lawmakers also broadened the parameters under which the president can prohibit Americans from providing support to security agencies using surveillance technology against journalists, human rights defenders, and opposition politicians.
Those efforts were led by Democratic Congressman Jim Himes, ranking member of the House Intelligence Committee, who spearheaded a letter in September last year to the State and Commerce Departments asking them to take more action on foreign commercial spyware.
Hime’s office didn’t respond to MEE’s request for comment by the time of publication.
The US is a major player in the global spyware trade. Washington has sold forensic technology to Nigeria’s security services. During the Trump administration, the CIA even procured Pegasus spyware for the government of Djibouti.
The Biden administration’s executive order de facto nods at Washingtons’s use of spyware by stipulating the ban only when US national security is threatened.
'Israeli spyware nexus'
US allies are also big consumers and producers, particularly in the Middle East.
“When you look at all the different vendors of spyware, it's very clear Israel’s industry is the world’s leading,” said Steven Feldstein, an expert at the Carnegie Endowment for International Peace in Washington, DC.
Analysts and congressional aids active on spyware say the Biden administration’s executive order will be watched carefully in Israel. In 2021, the administration placed NSO group - the maker of Pegasus spyware - and another Israeli firm Candiru on the Commerce Department's blacklist.
“That singular decision essentially helped run NSO group into bankruptcy,” Feldstein told MEE.
Israeli diplomats lobbied against the ban, according to Axios.
Although Israel was not named in the 2023 Intelligence Authorization Act provisions, congressional aides tell MEE that the Israeli embassy also lobbied heavily against them.
“There clearly is a nexus between the Israeli government’s interest and the country maintaining a robust surveillance sector. They are concerned about US regulations,” Feldstein said.
Israel's embassy in Washington DC didn't respond to MEE's request for comment.
Lawmakers on the House intelligence committee are already mulling how to beef up spyware provisions in the next Intelligence Authorization Act, aids tell MEE. They are energised by the new executive order, but also Benjamin Netanyahu’s return to power in Israel, aides say.
“Israeli spyware proliferated across the globe during Netanyahu’s previous tenure. Why would this time be any different,” a congressional aid told MEE.
Israel has effectively used its spyware industry to build diplomatic bridges across the Middle East. Saudi Arabia acquired spyware from NSO group, Cellebrite, and Candiru. Morocco, which has been engulfed in its own global spyware scandal, acquired NSO technology, as did the UAE.
'Spyware is a growth market'
The new executive order sets risk factors before federal agencies and departments can purchase spyware, including whether a foreign actor has used the technology to spy on the US government or if the company has provided it to foreign governments with “credible reports” of “systemic acts of political repression”.
Another risk factor is whether a company’s spyware has been used against “a US person”.
The issue of spyware deployed against American citizens has come to the fore of an ongoing surveillance scandal in Greece after the New York Times revealed in March that a dual US-Greek national was hacked with Predator spyware, marking the first time an American citizen has been targeted in an EU country with the technology.
Greece, a Nato country and key US ally in the Eastern Mediterranean, has been jolted by revelations that its intelligence agency carried out a mass surveillance campaign against journalists, politicians and opposition figures.
The case has put a spotlight on Intellexa, a niche spyware firm run by a former Israeli general that has offices in Greece, Cyprus and Malta. Greece granted Intellexa licences to export predator spyware abroad as well, including to Madagascar, which has a history of political repression.
"Misuse of these powerful surveillance tools are not limited to authoritarian regimes," a senior Biden administration official said on Monday, announcing the executive order.
"Democratic governments also have confronted revelations that actors within their own systems have used commercial spyware to target their own citizens without proper legal authorisation, safeguards and oversight."
Feldstein, from Carnegie, said the arrival of niche firms underlines how the spyware industry is adapting to new pressures and seeking loopholes in countries with weak institutions to continue exporting their products.
“We are seeing a ‘substitution effect’ where firms like Intellexa enter in the wake of problems for NSO group and a market shift with less sophisticated vendors and fly-by-night operators fill the void.”
“Spyware is a growth market,” he added.