On March 27, President Biden signed an Executive Order on Prohibition on Use by the United States Government of Commercial Spyware that Poses Risks to National Security. The order minces no words as to the rationale behind the E.O.
“The growing exploitation of Americans’ sensitive data and improper use of surveillance technology, including commercial spyware, threatens the development of this ecosystem. Foreign governments and persons have deployed commercial spyware against United States Government institutions, personnel, information, and information systems, presenting significant counterintelligence and security risks to the United States Government. Foreign governments and persons have also used commercial spyware for improper purposes, such as to target and intimidate perceived opponents; curb dissent; limit freedoms of expression, peaceful assembly, or association; enable other human rights abuses or suppression of civil liberties; and track or target United States persons without proper legal authorization, safeguards, or oversight.”
Commerce Can Approve Hacking Tools
The White House notes that the E.O. is expected to be a cornerstone of the upcoming Summit for Democracy (March 29-30) and to further the President’s National Security Strategy. The Administration emphasized that the United States has both a leadership role in and a commitment to advancing technology for democracy, which this E.O. reinforces, and that the E.O. should “serve as a foundation to deepen international cooperation to promote responsible use of surveillance technology, counter the proliferation and misuse of such technology, and spur industry reform.”
The material effect for government agencies is that they are prohibited from acquiring these commercial hacking tools unless they have obtained a license from the Commerce Department. It is also expected to have a deleterious effect on foreign governments’ ability to acquire these tools downstream, but that should be filed in the “wait and see” column.
Two apps, both of which originate from Israel, were found to be the primary avenues of compromise: Pegasus, developed by NSO Group, and Candiru, believed to have been developed by Saito Tech.
Pegasus Lurks and Spies
Pegasus can be installed on targets’ phones without their knowledge or consent and, once installed, can access all of the data on the phone, including messages, photos, and contacts. It can also track the phone’s location and record conversations.
The Pegasus app has previously been called out by Amnesty International, Human Rights Watch, and the United Nations. These organizations have accused Pegasus of being used by governments to spy on journalists, human rights activists, and other dissidents.
Candiru Infects and Spies
Candiru, by contrast, is designed to infect websites, from which the app goes on to install spyware on any visitor’s computer. Candiru can then access all of the data on the computer, including files, passwords, and browsing history. The app has been reported to have been used by the Israeli government to spy on journalists and human rights activists.
The compromise of government employees’ devices, whether personal or official, by these commercial apps, presumably being used by a foreign government to target U.S. interests, is expected to continue, and FSOs should brief their personnel accordingly.