The Biden administration’s executive order to restrict government use of commercial spyware put the spyware industry on notice, but experts say global collaboration will be needed to truly limit the spread of these invasive toolkits.
From Indonesia and Serbia to Mexico and Madagascar, commercial spyware vendors are selling tools used by repressive regimes to gather information from the phones of their political adversaries, including journalists, attorneys and human rights defenders. The proliferation of these invasive tools has finally spurred the White House — and its foreign allies — to attempt to rein in the spyware industry.
Nearly two months after President Biden issued an unprecedented executive order (EO) severely restricting the federal government’s use of commercial spyware, experts say the industry is on its back foot. However, they also tell README that more work is needed to establish a global agreement to reduce the incentives of these companies and weaken demand among their customers.
Biden EO is a shot across the bow
As evidence of spyware’s insidious effects has mounted over the past five years, governments have taken baby steps to limit its growing reach, with the U.S. leading the way. The U.S. Commerce Department first addressed the spyware problem in November 2021 when it placed two leading Israeli spyware companies, NSO Group and Candiru, on what’s known as the Entity List for “malicious cyber activities” that are “contrary to the national security or foreign policy interests of the United States.”
That list doesn’t strictly prohibit U.S. citizens or companies from doing business with affected businesses. Instead, it requires them to obtain a license from the federal government, which means deals are subject to greater scrutiny than they would be otherwise. Without access to American technology, the ban clouded NSO’s future and likely scared off some of the company’s prospective clients.
Recent actions by the Biden administration are already having a more significant impact on the current crop of spyware providers. On March 27, the administration released the EO intended to severely restrict the government’s use of foreign spyware that “poses significant counterintelligence or security risks to the United States Government.”
Steve Feldstein, Senior Fellow of the Democracy, Conflict and Government Program at the Carnegie Endowment for International Peace, told README he thinks the EO is a real game changer. “I think the US EO will have a substantive effect on the industry and will start to change practice in some of the worst abusers,” he said.
But the executive order has loopholes. First, it doesn’t address the use of spyware by state and local governments. (There is evidence that some local police departments in the U.S. might be interested in buying spyware.) Moreover, government agencies may obtain a waiver in “extraordinary circumstances” not to exceed one year if no “feasible alternative” is available. Finally, the order does not apply to domestic intelligence organizations like the NSA or CIA.
These gaps aside, the EO conveys a stern message to spyware makers. Jim Lewis, SVP, Pritzker Chair and Director of the Strategic Technologies Program at the Center for Strategic and International Studies, told README the EO has already chilled the spyware business. “This is long overdue,” he said. “The question is if they go far enough. Because the problem with this industry is that they’ll look for workarounds to get around this clamp down. But at least one of the companies told me they thought this might put them out of business. So it is, in the near term, very effective.”
Other experts are also uncertain about the long-term impacts of the order. Kentaro Toyama, W.K. Kellogg Professor of Community Information at the University of Michigan and an expert in the international dynamics of digital technology, told README, “I’m somewhat skeptical that this will have a huge impact on the international spyware market,” Toyama said. “Cybersecurity is a cat-and-mouse game where both sides are constantly ratcheting up the technology. And so, there’s no such thing as getting rid of one [technology] forever.”
A robust international effort is needed
The Biden administration also recently issued a Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware on March 30. That proclamation— also adopted by Australia, Canada, Costa Rica, Denmark, France, New Zealand, Norway, Sweden, Switzerland and the U.K. — said the countries “have a fundamental national security and foreign policy interest in countering and preventing the proliferation of commercial spyware.”
The nations signing on to the statement agree they will work to counter the misuse of commercial spyware by trying to build guardrails against it; prevent the export of software, technology and equipment to end-users who are likely to use them for malicious cyber activity; share information on spyware proliferation; and take other measures to counter the spread of this pernicious malware.
The joint statement is a tentative step toward what experts say will be vital to containing this threat: an international forum that establishes a global agreement that commercial spyware is a scourge that must be eliminated. “One of the challenges right now with the international order is there is really no existing platform in which the world as a whole gets together and tries to decide policy around digital technology, except for things like internet standards or things like that,” Toyama said.
To that end, a European Parliament special committee investigating the use of NSO Group’s infamous Pegasus toolkit and equivalent surveillance tools, known as the PEGA committee, recently issued a report condemning the use of spyware in Poland, Hungary, Greece and Spain and calling on its member countries to ban the use of spyware until the EU can come up with common standards.
Spyware firms have taken a hit
The spyware industry is feeling the pain in the face of the Biden administration’s actions, along with measures by some European nations and Israel; lawsuits from private companies, including Apple and Facebook-owned WhatsApp; and widespread press exposure. However, even before the Biden administration enacted its strict commercial spyware restrictions, NSO Group was suffering from the drumbeat of bad press reports.
In August 2022, longtime NSO Group CEO and co-founder Shalev Hulio resigned as the company became mired in endless controversy. Then, in November 2022, following the collapse of a potential deal to sell itself to American military contractor L3Harris Technologies, NSO slashed staff and raised prices to cope with around $400 million in debt.
Another Israeli spyware vendor, QuaDream, shuttered its operations after an April 2023 research report from Microsoft and Citizen Lab revealed that its spyware was used against journalists, opposition figures and advocacy organizations across at least ten countries. Although QuaDream had been on the rocks for months before this revelation, anonymous sources told Calcalist the negative press following the revelations was “the nail in the coffin” for the firm.
Other Israeli spyware firms have also collapsed over the past two years, including Nemesis, Insight and Ace Labs, while still others have changed their business models to exit the controversial arena. But, spyware experts from these firms face opportunities in other countries and may be able to set up shop elsewhere. For example, Tal Dilian, a veteran of the Israel Defense Forces, initially set up his spyware shop in Cyprus but decamped to Greece to form spyware giant Intellexa after he showcased a surveillance van that could hack any nearby phone, sparking an uproar in the island nation.
The demand problem remains
Despite signs that the commercial spyware industry is in crisis, some experts believe putting the spyware cat back into the bag will not be easy. Feldstein wrote in March, “Even if most top-tier firms were put out of business (an unlikely outcome), this would still not shut down the market. Rather, it would hasten decentralization and increase opportunities for boutique firms and informal hacker-for-hire operations to fill in the gap” because the demand for spyware by “repressive leaders, unscrupulous law enforcement agencies, and disreputable private companies” remains strong.
“As long as global demand persists for these products, the industry will find a way to survive and keep selling their malware,” Feldstein told README. “This will continue to be an area of struggle for a long time.”
Feldstein, Toyama and Lewis all agree that given the appetite for spyware among authoritarian governments and law enforcement, trying to diminish it will be a problem. “NSO Group told me the Belgian police used their product to find those European Parliament members who were taking money for the World Cup,” Lewis told README.
Fundamentally, “It’s the customer demand that will be the problem,” Lewis said. “People are still going to want it. So, you’ll need to have some constraints for legitimate sales, but you need agreement on what a legitimate sale is and who a legitimate customer is.”
Regarding whether it’s realistic to get a broad enough swath of the international community to forego using spyware, “I don’t know if we could get the Chinese on board, but you could probably get the Israelis, you could get the Indians, you could get some of the other people who do this,” Lewis said. “But over time, as it gets accepted, it has an effect. So that’s why the Biden thing was good. It was a great start. We now need to keep going.”
