President Biden just took a massive step on stopping the proliferation of commercial spyware. But recent reporting on a shady government contract with one of the most notorious snooping services raises the question: How can the United States clean up the world’s act on these singularly invasive tools if, so far, it hasn’t been able to clean up its own?
Last week, the White House issued an executive order prohibiting federal agencies from using hacking tools that could be harnessed by foreign governments to abuse human rights — forcing firms to stop selling to bad actors or risk losing this country’s valuable business. The rules also block vendors whose products pose national security or counterintelligence risks — as well as whose services have already been leveraged against the U.S. government. This scenario is far from hypothetical: The administration has said that an astounding 50 personnel in at least 10 countries have been targeted. The number presumably includes the 11 State Department employees in Uganda whose iPhones were accessed via a tool developed by the NSO Group, an Israeli cybersecurity company also connected to Saudi Arabia’s efforts to break into the devices of associates of Post contributing columnist Jamal Khashoggi during the months before the journalist’s murder.
The move is immensely encouraging, and would be even more so if not for an investigation by the New York Times publishedonly days after the announcement that reveals a secret arrangement between a U.S. government front company and a domestic NSO Group affiliate. The deal gave an unnamed agency access to a geolocation tool that can covertly track cellphones: the same tool an adviser to Crown Prince Mohammed bin Salman used as part of Saudi Arabia’s dissent-crushing campaign. More troubling still, the agreement was forged only days after the Commerce Department, with much fanfare, placed NSO on a blacklist preventing U.S. firms from selling their technology to it. That action was supposed to send the signal that the United States was ready to take a stand against a company that, time and time again, has facilitated illegal investigations, intimidation and imprisonment. But within a week, one of its federal agencies had inked a contract with representatives of that same firm.
A National Security Council spokesperson told us, “We have not yet been able to validate the existence of any such contract,” and said that use of the product wouldn’t be permitted by the new order. But no one has denied that the contract does exist. The matter of who in the executive branchdid know about the arrangement remains unclear. And the lack of knowledge by the NSC is in itself alarming. There are other uncertainties: Which agency purchased the tool, and for what purpose? Has it been deployed? The administrationneeds to be aware of all procurement and use of spyware. After all, any attempt to box out unscrupulous spyware companies globally falls apart the moment the United States shakes one of their hands.
Today, firms can offer their services for despots without facing any real consequences. NSO has sold to unambiguously authoritarian nations, but its sales to democracies have done the most damage to norms involving surveillance.See, for instance, Mexico’s spying on journalists investigating military crimes. Even when these governments go through appropriate legal channels, they contribute to the lawlessness of the larger commercial spyware market simply by buying. NSO and its peers have no incentive to stop selling to the world’s worst actors even if countries that claim to cherish civil liberties continue doing business with them.
That’s the trap the United States risks walking into if it can’t get a handle on its own use of spyware. There are legitimate uses for this technology: Infiltrating terrorist networks is an obvious example; so is espionage. But democracies have to do more than just follow those rules when they employ surveillance tools. They also have to deny licenses for export of any tools developed on their soil to any destination with a violating record — or without a framework to prevent violations — and they should refuse imports from the same set of places, and from firms willing to do business with them. Importantly, they need to do all this together if they hope to put a real dent in spyware firms’ balance sheets.
The White House kicked off a much-needed collaborative regime with this month’s executive order and with the principles that 11 participating states in this year’s Summit for Democracy agreed to on the heels of its release. (Israel, notably, wasn’t among them.) Ideally, their commitments will evolve to detail what standards countries must put in place and what uses are permissible, as well as to include more types of services than the “end-to-end software suites” offered by groups such as NSO. Plenty of mercenaries in the global market are hawking less comprehensive surveillance capabilities, or merely disclosing vulnerabilities for a fee so that the purchaser may go off and exploit them. But most important, to make this sort of system work, those who sign on must be strict — with vendors, but also with themselves.