The views expressed by contributors are their own and not the view of The Hill

Why isn’t the Biden administration trying to combat spyware abuse?

A logo adorns a wall on a branch of the Israeli NSO Group, maker of Pegasus spyware, near the southern Israeli town of Sapir on Aug. 24, 2021. The malware can be used to successfully hack phones.

In 2016, Mexican authorities covertly used powerful surveillance software to track and ultimately capture Joaquín Guzmán Loera, the infamous drug lord better known as “El Chapo.” In 2018, Saudi Arabia used the same software to monitor communications with Washington Post columnist Jamal Khashoggi prior to his gruesome murder at the hands of Saudi agents in Istanbul. In both instances, governments deployed the controversial Pegasus spyware developed by Israeli cyber intelligence firm NSO Group. Spyware such as Pegasus is a double-edged sword — a powerful national security tool but also a vital tool for authoritarians across the globe. 

Strangely, however, spyware issues were conspicuously absent from President Biden’s agenda for his recent trip to Israel, a key player in the cyber surveillance ecosystem.

Surveillance software is common in the spy-on-spy games that states play in cyberspace. But it’s also routinely used to surveil journalists, human rights activists, and political opposition and dissidents. Researchers at Citizen Lab have linked the NSO Group’s Pegasus spyware alone to numerous civil and human rights violations. For example, similar to how Saudi Arabia tracked Khashoggi, the United Arab Emirates used the Pegasus software to hack the phone of civil rights activist and government critic Ahmed Mansoor. Prior to being jailed by the regime, Mansoor had his phone and email accounts infiltrated, his location monitored, and his passport taken from him.

Democracies also have engaged in digital authoritarian practices using spyware. Democratic backsliders such as Poland and Hungary have utilized Pegasus to spy on journalists and domestic political opposition. But they’re not the only ones to use Pegasus spyware for non-democratic ends: governments in Greece, Mexico, and Panama have been suspected of using the software to surveil political opponents and members of the media. Even in Spain, a consolidated democracy, forensic researchers cannot determine whether Moroccan actors or the Spanish government itself deployed Pegasus to spy on the Basque and Catalan political figures and civil society groups.

To its credit, the Biden administration has helped prevent a dangerous precedent by pressuring defense contractor L3 Harris to abandon its acquisition of NSO group. The buyout certainly would have disrupted the market in the short term: authoritarian regimes would be unlikely to procure NSO Group tools such as Pegasus since U.S. regulations and national security interests would dictate sales. However, the acquisition also would have signaled that the indiscriminate sale of spyware to human rights abusers is a profitable business model and results in a big payday from the world’s leading democracy. Taking one company off the market does little good if you have no strategy to deal with the new firms that emerge in its place.

The White House’s current approach of blacklisting companies as the need arises and relying on U.S. tech giants to shape the market with lawsuits is neither sustainable nor strategic. It is reactive, domestically focused, and does nothing to project American values or security interests internationally. The Biden administration must be more proactive towards firms like NSO Group, DarkMatter in the United Arab Emirates, and European companies like Nexa Technologies and Trovicor, all of which distribute spyware to aspiring and established authoritarians. Russia and China are also more than happy to export digital surveillance tools to countries that cannot develop their own.

For all the administration’s talk on the centrality of human rights to its foreign policy, it has no plan for countering the digital authoritarianism endemic to the international spyware market. Worse yet, the Biden administration lacks a formal national cybersecurity strategy. An important first step for the White House will be working with other democracies to develop common export principles that restrict the flow of digital spy tools from their private sectors to autocracies. Any strategy also must find incentives for states such as Israel, which traditionally exports spyware to Arab states in exchange for diplomatic goodwill. 

But without defining ends and means for combating spyware abuse, the Biden administration will continue to let authoritarian impulses shape an important digital market at the expense of democratic values and U.S. security interests.

Jason Blessing, Ph.D., is a Jeane Kirkpatrick Visiting Research Fellow with the foreign and defense policy department at the American Enterprise Institute. His research focuses on cybersecurity as well as transatlantic relations. Follow him on twitter @JasonABlessing.