President Biden has today signed an Executive Order that prohibits, for the first time, operational use by the United States Government of commercial spyware that poses risks to national security or has been misused by foreign actors to enable human rights abuses around the world.
Commercial spyware – sophisticated and invasive cyber surveillance tools sold by vendors to access electronic devices remotely, extract their content, and manipulate their components, all without the knowledge or consent of the devices’ users – has proliferated in recent years with few controls and high risk of abuse.
The proliferation of commercial spyware poses distinct and growing counterintelligence and security risks to the United States, including to the safety and security of U.S. Government personnel and their families. U.S. Government personnel overseas have been targeted by commercial spyware, and untrustworthy commercial vendors and tools can present significant risks to the security and integrity of U.S. Government information and information systems.
A growing number of foreign governments around the world, moreover, have deployed this technology to facilitate repression and enable human rights abuses, including to intimidate political opponents and curb dissent, limit freedom of expression, and monitor and target activists and journalists. Misuse of these powerful surveillance tools has not been limited to authoritarian regimes. Democratic governments also have confronted revelations that actors within their systems have used commercial spyware to target their citizens without proper legal authorization, safeguards, and oversight.
In response, the Biden-Harris Administration has mobilized a government-wide effort to counter the risks posed by commercial spyware. Today’s Executive Order builds on these initiatives, and complementary bipartisan congressional action, to establish robust protections against misuse of such tools.
The Executive Order:
- Applies to U.S. federal government departments and agencies, including those engaged in law enforcement, defense, or intelligence activities, and encompasses spyware tools furnished by foreign or domestic commercial entities.
- Prohibits departments and agencies across the federal government from operationally using commercial spyware tools that pose significant counterintelligence or security risks to the U.S. Government or significant risks of improper use by a foreign government or foreign person, including to target Americans or enable human rights abuses.
- Establishes key counterintelligence, security, and improper use factors that indicate such risks, including if:
  - a foreign government or foreign person has used or acquired the commercial spyware to gain or attempt to gain access to U.S. Government electronic devices, or those of U.S. Government personnel, without authorization from the U.S. Government;
  - the commercial spyware was or is furnished by an entity that (1) maintains, transfers, or uses data obtained from the commercial spyware without authorization from the licensed end-user or the U.S. Government; (2) has disclosed or intends to disclose non-public information about the U.S. Government or its activities without authorization from the U.S. Government; or (3) is under the direct or effective control of a foreign government or foreign person engaged in intelligence activities directed against the United States;
  - a foreign actor uses the commercial spyware against activists, dissidents, or other actors to intimidate; to curb dissent or political opposition; to otherwise limit freedoms of expression, peaceful assembly or association; or to enable other forms of human rights abuses or suppression of civil liberties;
  - a foreign actor uses the commercial spyware to monitor a United States person, without consent, in order to track or target them without proper legal authorization, safeguards, and oversight; and
  - the commercial spyware is furnished to governments for which there are credible reports that they engage in systematic acts of political repression, including arbitrary arrest or detention, torture, extrajudicial or politically motivated killing, or other gross violations of human rights. This ensures application of the Executive Order in situations when foreign actors may not yet have committed specific abuses through the use of commercial spyware, but have engaged in other serious abuses and violations of human rights.
- Identifies concrete remedial steps that commercial spyware vendors can take to reduce identified risks, such as canceling relevant licensing agreements or contracts that present such risks.
- Directs important new reporting and information-sharing requirements within the Executive Branch to ensure departments and agencies can make informed and consistent determinations based on up-to-date all-source information, including a semi-annual comprehensive intelligence assessment.
Ultimately, the Executive Order seeks to ensure that any U.S. Government use of commercial spyware aligns with the United States’ core national security and foreign policy interests in upholding and advancing democratic processes and institutions, and respect for human rights; does not contribute, directly or indirectly, to the proliferation and misuse of commercial spyware; and helps protect U.S. Government personnel and U.S. Government information systems and intelligence and law enforcement activities against significant counterintelligence or security risks.