Presidential Directive Will Serve as a Cornerstone Initiative During the Second Summit for Democracy
Today, President Biden signed an Executive Order that prohibits, for the first time, operational use by the United States Government of commercial spyware that poses risks to national security or has been misused by foreign actors to enable human rights abuses around the world.
Commercial spyware – sophisticated and invasive cyber surveillance tools sold by vendors to access electronic devices remotely, extract their content, and manipulate their components, all without the knowledge or consent of the devices’ users – has proliferated in recent years with few controls and high risk of abuse.
The proliferation of commercial spyware poses distinct and growing counterintelligence and security risks to the United States, including to the safety and security of U.S. Government personnel and their families. U.S. Government personnel overseas have been targeted by commercial spyware, and untrustworthy commercial vendors and tools can present significant risks to the security and integrity of U.S. Government information and information systems.
A growing number of foreign governments around the world, moreover, have deployed this technology to facilitate repression and enable human rights abuses, including to intimidate political opponents and curb dissent, limit freedom of expression, and monitor and target activists and journalists. Misuse of these powerful surveillance tools has not been limited to authoritarian regimes. Democratic governments also have confronted revelations that actors within their systems have used commercial spyware to target their citizens without proper legal authorization, safeguards, and oversight.
In response, the Biden-Harris Administration has mobilized a government-wide effort to counter the risks posed by commercial spyware. Today’s Executive Order builds on these initiatives, and complementary bipartisan congressional action, to establish robust protections against misuse of such tools.
This Executive Order will serve as a cornerstone U.S. initiative during the second Summit for Democracy on March 29-30, 2023, which President Biden will co-host with the leaders of Costa Rica, the Netherlands, the Republic of Korea, and the Republic of Zambia. In furtherance of President Biden’s National Security Strategy, this Executive Order demonstrates the United States’ leadership in, and commitment to, advancing technology for democracy, including by countering the misuse of commercial spyware and other surveillance technology. This Executive Order will also serve as a foundation to deepen international cooperation to promote responsible use of surveillance technology, counter the proliferation and misuse of such technology, and spur industry reform.
In particular, the Executive Order signed by President Biden today:
- Applies to U.S. federal government departments and agencies, including those engaged in law enforcement, defense, or intelligence activities, and encompasses spyware tools furnished by foreign or domestic commercial entities.
- Prohibits departments and agencies across the federal government from operationally using commercial spyware tools that pose significant counterintelligence or security risks to the U.S. Government or significant risks of improper use by a foreign government or foreign person, including to target Americans or enable human rights abuses.
- Establishes key counterintelligence, security, and improper use factors that indicate such risks, including if:
  - a foreign government or foreign person has used or acquired the commercial spyware to gain or attempt to gain access to U.S. Government electronic devices, or those of U.S. Government personnel, without authorization from the U.S. Government;
  - the commercial spyware was or is furnished by an entity that (1) maintains, transfers, or uses data obtained from the commercial spyware without authorization from the licensed end-user or the U.S. Government; (2) has disclosed or intends to disclose non-public information about the U.S. Government or its activities without authorization from the U.S. Government; or (3) is under the direct or effective control of a foreign government or foreign person engaged in intelligence activities directed against the United States;
  - a foreign actor uses the commercial spyware against activists, dissidents, or other actors to intimidate; to curb dissent or political opposition; to otherwise limit freedoms of expression, peaceful assembly or association; or to enable other forms of human rights abuses or suppression of civil liberties;
  - a foreign actor uses the commercial spyware to monitor a United States person, without consent, in order to track or target them without proper legal authorization, safeguards, and oversight; and
  - the commercial spyware is furnished to governments for which there are credible reports that they engage in systematic acts of political repression, including arbitrary arrest or detention, torture, extrajudicial or politically motivated killing, or other gross violations of human rights. This ensures application of the Executive Order in situations when foreign actors may not yet have committed specific abuses through the use of commercial spyware, but have engaged in other serious abuses and violations of human rights.
- Identifies concrete remedial steps that commercial spyware vendors can take to reduce identified risks, such as cancelling relevant licensing agreements or contracts that present such risks.
- Directs important new reporting and information-sharing requirements within the Executive Branch to ensure departments and agencies can make informed and consistent determinations based on up-to-date all-source information, including a semi-annual comprehensive intelligence assessment.
The Executive Order, therefore, seeks to ensure that any U.S. Government use of commercial spyware aligns with the United States’ core national security and foreign policy interests in upholding and advancing democratic processes and institutions, and respect for human rights; does not contribute, directly or indirectly, to the proliferation and misuse of commercial spyware; and helps protect U.S. Government personnel and U.S. Government information systems and intelligence and law enforcement activities against significant counterintelligence or security risks.
The Executive Order complements concrete actions the Biden-Harris Administration and Congress have taken to confront the threat posed by the proliferation and misuse of commercial spyware:
- Congress enacted new statutory authorities and requirements related to commercial spyware in the Intelligence Authorization Acts for Fiscal Years 2022 and 2023, including new restrictions and reporting requirements for Intelligence Community (IC) employees’ post-service employment with foreign governments or companies, to include foreign commercial spyware entities. Last week, the Director of National Intelligence issued binding guidance to the U.S. Intelligence Community to implement these statutory requirements, which set an international standard that we hope will be followed by other countries.
- The Department of Commerce’s Bureau of Industry and Security (BIS) has placed foreign entities on the Entity List to address foreign policy concerns related to surveillance technologies. In November 2021, BIS added four commercial entities to the Entity List for engaging in the proliferation and misuse of cyber intrusion tools contrary to the national security or foreign policy interests of the United States.
- The Department of Commerce has implemented technology-based controls to address digital surveillance tools. In October 2021, the Department implemented multilateral Wassenaar Arrangement export controls on certain cybersecurity items that could be used for surveillance, espionage or other actions that disrupt, deny, or degrade a network or devices on the network. The final rule has been in effect since May 2022.
- In January 2022, the Department of State and the Office of the Director of National Intelligence’s National Counterintelligence and Security Center issued an advisory for the broader public on how to protect oneself from commercial surveillance tools.
- At the direction of Congress, the Department of State, in consultation with the Office of the Director of National Intelligence, has submitted to appropriate oversight committees a classified report on contractors that have knowingly assisted or facilitated certain cyberattacks or conducted surveillance activities on behalf of relevant foreign governments against the United States or for the purposes of suppressing dissent or intimidating critics.
- In June 2021, Secretary Blinken announced that the Department of State, on behalf of the Biden-Harris Administration, will update the United States’ National Action Plan on Responsible Business Conduct. This builds on prior U.S. government guidance, including the U.S. Department of State guidance on implementing business and human rights principles for “Transactions Linked to Foreign Government End-Users for Products or Services with Surveillance Capabilities.”
- In parallel, the Biden-Harris Administration continues to undertake a concerted effort to assess the extent to which commercial spyware has been directed against U.S. Government personnel serving overseas and mitigate the counterintelligence and security risks posed by these tools.
Taken together, these efforts aim to reduce the improper use of new technological tools to facilitate repression and human rights abuses, mitigate the counterintelligence threats these tools can pose to the U.S. Government, ensure that U.S. companies and former U.S. Government personnel are not facilitating authoritarian or repressive practices abroad, and provide tools to Americans and civil society to better protect themselves.