Congress is waking up to the growing threat of foreign spyware on the heels of several high-profile episodes involving the improper use of the commercial surveillance technology against diplomats and government officials abroad.
The House of Representatives is set to vote on sweeping policy legislation to crack down on and even ban firms that sell the technology from working with the government. But experts say the lucrative market for surveillance technology increasingly used around the world to track dissidents, journalists, activists and others will be difficult to curtail.
Still, spyware researchers and congressional staffers say the fact that Congress is beginning to act, on top of other moves from the Biden administration against makers of the technology, will send a message to the marketplace about doing business with spyware makers.
“Many companies like [Israeli spyware maker NSO Group] see entering the US market as the ultimate prize and what we’ve seen so far is that the US government does have the ability to chill investment interest in bad actors, and that’s really important,” said John Scott-Railton of the University of Toronto’s Citizen Lab, which has conducted extensive research on spyware.
“If we’re casting around looking for ways to sort of pump the brakes on the proliferation, I think these are very promising ways to start doing that,” said Scott-Railton, who will testify at a public House Intelligence hearing on the issue Wednesday.
The Intelligence Authorization Act, which passed the House Intelligence Committee last week with bipartisan support, includes several spyware provisions. In addition to authorizing the Office of the Director of National Intelligence to ban contracts with foreign firms making surveillance tech and allowing the president to impose sanctions on firms targeting the intelligence community (IC) with spyware, the bill also augments funding for investigations into the use of foreign commercial surveillance software.
The language on foreign commercial surveillance is not included in the Senate Intelligence Committee version of the intelligence authorization bill, but committee spokesperson Rachel Cohen said via text message that the committee “shares the concerns of the House and is in touch with their counterparts on the best way to tackle this challenge.”
Researchers have discovered spyware known as Pegasus — a product from the NSO Group — on at least 11 iPhones used by US officials working in Uganda. In 2020, Citizen Lab concluded that attackers used Pegasus to infect a device connected to the office of British Prime Minister Boris Johnson. In April, Citizen Lab published research showing the pro-independence president of the Catalan region in northeastern Spain and three of his predecessors had also been targeted with the NSO product.
The U.S. government has been increasingly focused on the threats of the spyware at home. The National Counterintelligence and Security Center issued a warning in January, cautioning the public about the risks of commercial surveillance tools that have been used to spy on journalists and political dissidents. Last November the Biden administration blacklisted the NSO Group, accusing it of selling spyware it knew would be used to “maliciously target” phones belonging to reporters, dissidents and others whom the powerful might seek to silence.
Scott-Railton said his testimony on Wednesday will cover an incident involving U.S. personnel hit with spyware in Panama a decade ago. It surfaced only because of extradition proceedings — a fact that underscores how many of these cases are likely being missed due to the difficulties of investigating them.
“The national security threat posed by mercenary spyware is extremely tangible,” Scott-Railton said.
A spokesperson for the House Intelligence Committee said members are responding to a quickly evolving counterintelligence threat to US national security and human rights.
“Foreign governments that previously had limited electronic spying capabilities can now purchase a package of tools that may allow them to access, undetected, any information stored on or transiting through a cell phone, tablet or computer connected to the internet,” the spokesperson said. “Nobody is safe from the reach of spyware, and that includes US government officials and Americans.”
In addition to Railton, the Wednesday hearing will feature a Google threat hunter and a spyware victim. The legislation and the hearing “signal our view that decisive action is needed to stem the proliferation of this pernicious technology,” the committee spokesperson said.
Going after spyware firms’ revenue is a good first step, according to Justin Sherman, a fellow at the Atlantic Council’s Cyber Statecraft Initiative and research lead at Duke’s Sanford School of Policy Data Brokerage Project. Attacking profits through contracting prohibitions and sanctions could help diminish the firms “even in a small way,” he said.
“This is especially important given that many democracies don’t seem to care to do enough to crack down on commercial spyware and related technologies sold from within their borders,” Sherman added.
However, Sherman said the bill should do more to protect American citizens from all backgrounds and not just the intelligence community.
Other experts said that the problem will be challenging to fix, especially since private companies have now overtaken nation-states as manufacturers of the technology.
“Should we be concerned about it? Yeah,” said Ronald Marks, a former CIA officer and a senior fellow at the Scowcroft Center for Strategy and Security at the Atlantic Council. “What are we going to do about it? That’s going to be a lot tougher.”