Biden administration bans federal agencies from using commercial spyware

The order is likely to affect known government spyware makers like NSO Group.

Nir Elias / reuters

In an executive order signed Monday, President Biden barred federal agencies from using commercial spyware that threatens US national security or carries a risk of improper use by foreign governments and individuals. The order applies to all departments, including those involved in law enforcement, defense and intelligence. It also prohibits the use of spyware that in the past was used to disclose non-public information about the US government.

The executive order the Biden administration published on the White House website doesn’t include a list of affected spyware vendors. Per TechCrunch, government officials declined to name specific firms when asked by reporters. However, the administration said the order covers both US and foreign-made spyware. Judging from the criteria laid out in the order, known government spyware makers like Israel’s NSO Group and Macedonia’s Cytrox are likely affected.

As TechCrunch notes, security researchers have long warned of the dangers posed by commercial spyware. Such programs frequently exploit previously undisclosed vulnerabilities, putting entire software ecosystems at risk. In the case of NSO Group’s infamous Pegasus spyware, the firm exploited a CoreGraphics vulnerability in iOS that allowed the program to infect an iPhone without the victim needing to tap anything. Moreover, while many governments claim to use spyware sparingly to investigate serious crimes, that hasn’t stopped some from using the software for domestic surveillance and to target political dissidents.

“We are very concerned about the threat of digital authoritarianism and practices around the world but we are also very cognizant that the misuse of technology can occur in any state,” a White House official told The Hill. “So, we are taking steps to make sure that the way that we would like technology to be used is aligned with human rights and democratic principles all around the world.”

On Monday, the Biden administration said at least 50 US federal employees in 10 countries are either suspected or confirmed to have had their devices compromised by spyware. In one recent example, an unknown assailant used the Pegasus spyware to infect iPhones belonging to at least nine US State Department officials stationed in Uganda or whose work involved the East African country. The order follows questions about the US government’s alleged use of commercial spyware. Last fall, The New York Times reported that the FBI had considered using Pegasus in criminal investigations. Between late 2020 and early 2021, agency officials were reportedly in the “advanced” stages of developing plans to brief FBI leadership on the software.