President Biden on Monday issued an executive order to prohibit the use of commercial spyware across the U.S. federal government that poses a risk to national security or targets U.S. personnel.
The order will apply to all departments and agencies and bans use of commercial spyware that a foreign government or foreign person used to attempt to gain access to government electronic devices. It also bans spyware that uses data obtained without authorization from the government, intends to disclose non-public information about the government and activities, or is under effective control by a foreign government.
It is intended to protect U.S. government personnel from security risks and to help the U.S. identify circumstances when spyware is used to track and target an American without proper legal authorization and without consent.
“We’ve confirmed that U.S. personnel overseas have been targeted by commercial spyware,” a senior administration official said, adding that the government undertook an extensive review to better understand the extent to which personnel are targeted.
To date, the U.S. government has identified devices associated with 50 U.S. government personnel overseas, in at least 10 countries on multiple continents, “that are confirmed or suspected to have been targeted by commercial spyware,” the official said.
The order won’t mandate the creation of a list of banned spyware and the public will not be made aware when a spyware vendor is banned. The announcement comes ahead of the second Summit for Democracy, which is set to start on Wednesday. Biden will co-host the summit with leaders from Costa Rica, the Netherlands, the Republic of Korea, and the Republic of Zambia.
Biden’s move on Monday is intended to ensure that the U.S. does not contribute directly or indirectly to the proliferation and misuse of virtual spyware, a senior administration official said.
“We are very concerned about the threat of digital authoritarianism and practices around the world but we are also very cognizant that the misuse of technology can occur in any state. So, we are taking steps to make sure that the way that we would like technology to be used is aligned with human rights and democratic principles all around the world,” an official said.
The official said that additional similar initiatives will be announced at the summit later this week.
Though the order does not name any particular firms, Israel’s NSO Group has come under growing scrutiny in recent years for its Pegasus spyware, which can hack phones to steal information, turn on cameras, record calls, and carry out other activities, often without the user knowing.
The NSO Group was among four organizations linked to cyber surveillance operations that were added to the Commerce Department’s “entity list” in 2021, effectively blacklisting them.