President Biden’s recent executive order targeting the use of commercial spyware poses a serious threat to the digital surveillance industry, experts say, as some companies weigh the impact that the decision will have on their businesses.
The order, which was released last month, prohibits all U.S. federal agencies from using or buying commercial spyware that could pose a national security risk or target U.S. personnel.
It specifically bans the use of commercial spyware that a foreign government or foreign person used to try to access government electronic devices.
It also bans spyware that uses data obtained without authorization from the government, intends to disclose nonpublic information about the government and activities, or is under effective control by a foreign government.
James Lewis, a senior vice president and director with the strategic technologies program at the Center for Strategic and International Studies, said the order is “upsetting the market” as some spyware makers have voiced their concerns about the impact of Biden’s action on the industry.
“Some of them have told me that they’re not sure they’re going to be able to stay in business,” Lewis said.
The order has ‘enormous global implications for the market’
The order essentially closes the market to certain spyware vendors and limits their access to the U.S.
“The U.S. is one of the largest and most sought-out after-markets on technology,” said Michael De Dora, U.S. senior campaigner at Access Now, a nonprofit digital rights advocacy group.
“And so spyware companies now have less purchasing power if one of the largest markets for their technologies is essentially closed off,” he said. “It has enormous global implications for the market on spyware.”
Ron Deibert, director of Citizen Lab, a digital security research group based at the University of Toronto, said the order is a “very big deal” because spyware firms have for a long time seen the U.S. market as “very lucrative” and also one that could legitimize their business around the world.
“It opens up a lot of doors and gives them a stamp of approval,” Deibert said.
He added that the spyware industry is starting to realize that “business as usual is over” because prior to the order “it was really the wild west [where] there were no [meaningful] consequences other than bad publicity of selling it to some of the world’s worst autocrats.”
How big is the spyware industry?
The spyware industry is estimated to be worth $12 billion; its largest vendor, NSO Group, an Israeli firm that manufactures and sells spyware known as Pegasus, is believed to be valued at more than $1 billion, The New Yorker reported last year.
Pegasus has been heavily criticized for its role in multiple high-profile surveillance and international relations cases that have made headlines in recent years.
The Hill was unable to independently verify the $12 billion worth or get an estimate of the number of spyware firms worldwide as the industry often operates in secrecy to evade transparency and accountability, experts said.
“Spyware companies are constantly changing names, creating new affiliates, morphing into something with a new name,” De Dora said, explaining why it’s hard to track them down.
He said, however, that his organization, Access Now, has been able to identify at least 17 different spyware firms, most of which are subsidiaries or affiliates of other companies.
According to the Carnegie Endowment for International Peace, between 2011 and 2023, at least 74 governments entered into contracts with commercial companies, most of which are based in Israel, to obtain spyware or digital forensics tools.
Of those 74 governments, 44 have been identified as autocracies and 30 were found to be liberal democracies, the foreign policy think tank reported.
In a statement to The Hill, an NSO Group spokesperson said that the firm’s “technologies are only sold to allies of the U.S. and Israel, particularly in Western Europe, and are aligned with the interests of U.S. national security and governmental law enforcement agencies around the world.”
The spokesperson added that the company “has repeatedly called for an international regulatory framework to prevent government misuse of commercial spyware.”
Over the past few years, NSO Group has been under intense scrutiny from the U.S. government and its closest allies over the sale of its invasive spyware tools to governments that abuse them and illegally use them to spy on people, including government officials, journalists, human rights activists and dissidents.
Congress takes a strong stance against spyware misuse
Congress has also taken a strong stance against the misuse of spyware.
Last year, the House Intelligence Committee passed the Intelligence Authorization Act, which included a provision authorizing the director of National Intelligence to prohibit the U.S. intelligence community from buying and using foreign spyware.
The bill would also allow the president to impose sanctions on foreign government officials and firms that target U.S. officials with spyware.
Rep. Adam Schiff (D-Calif.), who chaired the committee last year, said during a hearing that spyware “could be used against every member of this committee, every employee of the executive branch, every journalist or political activist.”
Following the harsh criticism, particularly coming from the U.S., NSO Group announced last year that it was restructuring.
The firm said it was replacing its CEO and cutting 13 percent of its workforce, a decision likely tied to the Department of Commerce’s decision to blacklist the company when it added it to its entities list in 2021.
“Being put on the entities list was killing the company,” Lewis said at the time.
The Hill also reached out to a number of other spyware firms for comment on how the order may affect their business and the industry, but they have yet to respond.
When spyware becomes a national security concern
Administration officials said that the executive order is also intended to protect U.S. government personnel from security risks following reports that at least 50 government officials were targeted by commercial spyware in at least 10 countries.
“I think the tipping point was when they found out that spyware was being used against 50 Americans,” Lewis said.
De Dora, who said he shared the same views as Lewis, said this was the first time the U.S. government publicly confirmed U.S. government officials overseas had been targets of spyware, which he thinks played “a big part in getting the U.S. to act.”
“It is one thing, even though it’s wrong, for the U.S. government to see that spyware is being used against people around the world who are journalists, dissidents, etc.,” he said.
“It’s quite another when U.S. government staff are being targeted as well because it changes the calculation from one of simply U.S. foreign policy and human rights to one of U.S. national security,” he added.
Spyware faces new scrutiny at state and local levels
Although experts saw the executive order as a major step forward and one that sends a clear message to the industry, they highlighted a few areas that the administration should address moving forward.
First, they said the administration should find a way to also involve state and local governments, which were not included in the order, so they too can take precautions and be careful with whom they do business.
“One of the weaknesses of this executive order is that it does nothing to shape the sub-federal demand in terms of state and localities,” said Jason Blessing, a research fellow at the American Enterprise Institute.
He added that because state and local governments don’t have the same legal obligations as federal agencies under the order, they could technically use spyware that poses national security risks.
“Unfortunately, [the order] doesn’t do much to regulate below the federal level, so that’s one issue that will have to be addressed,” he added.
Lewis added that the order should also go a step further and go after the buyers of spyware — including foreign governments, with possible sanctions.
“The executive order is great when it comes to [targeting] suppliers … but you also have to look at customers,” he said.
De Dora said Congress should also consider passing legislation similar to this order in case a future administration decides to remove it.
“If Congress encoded the executive order into a law, it would prevent future administrations from so easily scraping the executive order from the books,” he said.
De Dora also said that his organization, Access Now, and other civil societies have urged countries to call for a moratorium on the sale and use of spyware technology until governments can establish guardrails on the use of spyware, so they can’t be abused.
“We think that governments need to adopt a moratorium in order to put in place, at the very least, a system that would ensure that spyware and surveillance technology are used correctly,” De Dora said.
He added that other organizations have also called for a complete ban on certain types of spyware tools because they are so invasive “that they would be incompatible with human rights,” something with which he said he agrees.
“I think there are certain forms of spyware technology that are naturally incompatible with human rights because they’re so invasive and so powerful that there’s no way they could ever be used in a proportionate way in accordance with law and international human rights,” he said.
While there are other types of spyware that are less invasive and that could be used in a way that doesn’t infringe on human rights, most buyers are likely not going to settle for the least capable tool, De Dora said.
“If you’re a law enforcement agency, you want the most powerful spyware technology that’s out there on the market,” he said.