On March 27th, the White House released an Executive Order on Prohibition on Use by the United States Government of Commercial Spyware that Poses Risks to National Security, “which has been in development for months, seeks to address a growing number of incidents of spyware abuse abroad as well as reports of it being used improperly to target U.S. officials, government systems and ordinary citizens.
Biden’s order creates a list of factors to indicate if spyware technology is being abused, including if a foreign government or person attempts to gain access to the electronic device of a U.S. citizen without their permission or monitors the person without proper legal authorization.
The administration official said that in working on the order, the White House had identified 50 instances where U.S. personnel in at least 10 different countries had been targeted — far more than had been previously known — and officials are still working to uncover any additional instances.
The directive’s announcement coincides with the second Summit for Democracy that is slated to begin on Tuesday. At the event, which is organized by the U.S. and a number of other countries, the administration will release a set of guiding principles for governmental use of surveillance technology — something that was promised during last year’s summit.
The administration official stressed the order is “partly us getting ahead of a challenge” posed by spyware, as there have been “no concrete, consistent standards across the U.S. government.” The directive will allow the U.S. to “lead by example,” according to the official.” (1)
Also of interest is the binding directive issued by the Director of National Intelligence, Avril Haines — placing restrictions on former IC employees from working with foreign governments or companies, including foreign commercial cyber organizations – details of which can be found below.
Details of the Prohibition on Use by the United States Government of Commercial Spyware
In particular, the Executive Order signed by President Biden:
- Applies to U.S. federal government departments and agencies, including those engaged in law enforcement, defense, or intelligence activities, and encompasses spyware tools furnished by foreign or domestic commercial entities.
- Prohibits departments and agencies across the federal government from operationally using commercial spyware tools that pose significant counterintelligence or security risks to the U.S. Government or significant risks of improper use by a foreign government or foreign person, including targeting Americans or enabling human rights abuses.
- Establishes key counterintelligence, security, and improper use factors that indicate such risks, including if:
- a foreign government or foreign person has used or acquired the commercial spyware to gain or attempt to gain access to U.S. Government electronic devices, or those of U.S. Government personnel, without authorization from the U.S. Government;
- the commercial spyware was or is furnished by an entity that (1) maintains, transfers, or uses data obtained from the commercial spyware without authorization from the licensed end-user or the U.S. Government; (2) has disclosed or intends to disclose non-public information about the U.S. Government or its activities without authorization from the U.S. Government; or (3) is under the direct or effective control of a foreign government or foreign person engaged in intelligence activities directed against the United States;
- a foreign actor uses commercial spyware against activists, dissidents, or other actors to intimidate; to curb dissent or political opposition; to otherwise limit freedoms of expression, peaceful assembly, or association; or to enable other forms of human rights abuses or suppression of civil liberties;
- a foreign actor uses the commercial spyware to monitor a United States person, without consent, in order to track or target them without proper legal authorization, safeguards, and oversight; and
- the commercial spyware is furnished to governments for which there are credible reports that they engage in systematic acts of political repression, including arbitrary arrest or detention, torture, extrajudicial or politically motivated killing, or other gross violations of human rights. This ensures the application of the Executive Order in situations when foreign actors may not yet have committed specific abuses through the use of commercial spyware, but have engaged in other serious abuses and violations of human rights.
- Identifies concrete remedial steps that commercial spyware vendors can take to reduce identified risks, such as canceling relevant licensing agreements or contracts that present such risks.
- Directs important new reporting and information-sharing requirements within the Executive Branch to ensure departments and agencies can make informed and consistent determinations based on up-to-date all-source information, including a semi-annual comprehensive intelligence assessment.
The Executive Order, therefore, seeks to ensure that any U.S. Government use of commercial spyware aligns with the United States’ core national security and foreign policy interests in upholding and advancing democratic processes and institutions, and respect for human rights; does not contribute, directly or indirectly, to the proliferation and misuse of commercial spyware; and helps protect U.S. Government personnel and U.S. Government information systems and intelligence and law enforcement activities against significant counterintelligence or security risks. (2)
Previous Commercial Spyware Mandates Leading up to this Executive Order
The Executive Order complements concrete actions the Biden-Harris Administration and Congress have taken to confront the threat posed by the proliferation and misuse of commercial spyware:
- Congress enacted new statutory authorities and requirements related to commercial spyware in the Intelligence Authorization Acts for Fiscal Years 2022 and 2023, including new restrictions and reporting requirements for Intelligence Community (IC) employees’ post-service employment with foreign governments or companies, to include foreign commercial spyware entities. Last week, the Director of National Intelligence issued binding guidance to the U.S. Intelligence Community to implement these statutory requirements, which set an international standard that we hope will be followed by other countries.
- The Department of Commerce’s Bureau of Industry and Security (BIS) has placed foreign entities on the Entity List to address foreign policy concerns related to surveillance technologies. In November 2021, BIS added four commercial entities to the Entity List for engaging in the proliferation and misuse of cyber intrusion tools contrary to the national security or foreign policy interests of the United States.
- The Department of Commerce has implemented technology-based controls to address digital surveillance tools. In October 2021, the Department implemented multilateral Wassenaar Arrangement export controls on certain cybersecurity items that could be used for surveillance, espionage or other actions that disrupt, deny, or degrade a network or devices on the network. The final rule has been in effect since May 2022.
- In January 2022, the Department of State and the Office of the Director of National Intelligence’s National Counterintelligence and Security Center issued an advisory for the broader public on how to protect oneself from commercial surveillance tools.
- At the direction of Congress, the Department of State, in consultation with the Office of the Director of National Intelligence, has submitted to appropriate oversight committees a classified report on contractors that have knowingly assisted or facilitated certain cyberattacks or conducted surveillance activities on behalf of relevant foreign governments against the United States or for the purposes of suppressing dissent or intimidating critics.
- In June 2021, Secretary Blinken announced that the Department of State, on behalf of the Biden-Harris Administration, will update the United States’ National Action Plan on Responsible Business Conduct. This builds on prior U.S. government guidance, including the U.S. Department of State guidance on implementing business and human rights principles for “Transactions Linked to Foreign Government End-Users for Products or Services with Surveillance Capabilities.”
- In parallel, the Biden-Harris Administration continues to undertake a concerted effort to assess the extent to which commercial spyware has been directed against U.S. Government personnel serving overseas and mitigate the counterintelligence and security risks posed by these tools.
Taken together, these efforts aim to reduce the improper use of new technological tools to facilitate repression and human rights abuses, mitigate the counterintelligence threats these tools can pose to the U.S. Government, ensure that U.S. companies and former U.S. Government personnel are not facilitating authoritarian or repressive practices abroad, and provide tools to Americans and civil society to better protect themselves.
Issuance of Intelligence Community Directive 712: Requirements for Certain Employment Activities by Former Intelligence Community Employees
“Director of National Intelligence Avril Haines — in response to recently proposed legislation — last week issued a binding directive placing new statutory restrictions on former intelligence agency workers from seeking employment with foreign governments or companies, including foreign commercial cyber entities.”
This Directive provides guidance on:
- Implementing the requirements in 50 U.S.C. Sec. 3073a regarding post-service employment activities of former Intelligence Community (IC) employees when those activities involve foreign governments and associated entities.
- Types of service [that] may threaten U.S. national security by providing foreign governments with access to the experience and expertise of former U.S. intelligence employees that can be used for purposes that are inconsistent with U.S. values and interests; and
- This policy, and its subsequent implementation by the IC, [responding] to those concerns. (3)