Late last month, the Biden administration issued an executive order prohibiting the government use of commercial spyware—powerful software for covertly collecting mobile phone data—that could jeopardize U.S. national security. The short-term goal of the move is to provide federal agencies and departments with guidance on how to safely buy private sector spy tools. But in the long run, the administration looks to wield American economic might against a market where private firms and international allies actively distribute and misuse invasive surveillance technologies.
It’s obvious why we should be concerned about our adversaries acquiring and abusing private sector surveillance capabilities: America’s rivals have targeted more than 50 U.S. government employees with commercial spyware. But the best way to thwart efforts by foes to access critical information is to bring our partners in line. America’s democratic allies have been buying and selling spy tools with little discretion. Firms have been happy to oblige our rivals in exchange for lucrative contracts. Despite President Biden’s penchant for inaction, the White House now has an opportunity to turn the tide on spyware threats.
U.S. government agencies are by far the largest and most profitable market for spyware vendors. Better late than never, Biden’s executive order seeks to leverage federal buying power to reshape the global surveillance-for-hire market. By instituting new guidelines on the acquisition and use of commercial surveillance tools, the administration sends a clear message to companies: If your products have targeted U.S. citizens or repressed human rights abroad, America won’t be doing business with you.
U.S. allies have so far been loath to regulate their spyware firms. Europe in particular has been a hub for circulating digital surveillance capabilities. From 2008 to 2014, Italy allowed the Milan-based firm Hacking Team to export its Galileo spyware with virtually no limitations. Similarly, the Anglo-German Gamma Group sold its Finfisher package to both authoritarians and democracies with little governmental oversight. Greece has allegedly approved the sale of spyware to regimes like Madagascar with a history of repression. And more recently, researchers have found hacking tools from Variston—a newly discovered Spanish company—targeting individuals in Indonesia, Belarus, the United Arab Emirates, and Italy.
But the epicenter of the global surveillance-for-hire market is Israel. The country hosts the world’s most controversial and prolific spyware firms, including the NSO Group, Candiru, Circles, Ability Inc., and Cyberbit. The NSO Group’s sophisticated Pegasus software—known for its ability to infect phones with malware without any user interaction—alone has been used to target more than 450 unique devices. Along with Candiru, the NSO Group has gained notoriety for enabling digital repression and the subsequent blacklisting by the U.S. government. Make no mistake; Tel Aviv knows this is happening. Export approvals come directly from the Israeli Defense Forces, and the government has reaped economic and diplomatic benefits from domestic companies that aggressively push their tools abroad.
And democratic partners aren’t just selling spyware: They are buying and using these tools. For instance, the demand for spyware across Europe has been shockingly high. Two reports from the European Union confirm at least 11 EU members acquired or pursued digital surveillance wares. National security concerns may account for some purchases, but many countries are acquiring software to spy on their own citizens. Hungary, Poland, Greece, and Spain have all taken up undemocratic surveillance of domestic political opposition, journalists, and activists. This is hardly surprising in Hungary and Poland, where leaders have gradually dismantled checks and balances. But recent domestic spying scandals in Greece and Spain show that more robust democracies possess authoritarian appetites for surveillance software.
The executive order and leveraging U.S. buying power can help in that regard. But it won’t solve the whole problem. Another step the Biden administration can take is to advance common export controls to reduce the spread of digital surveillance tools while simultaneously coordinating spyware acquisition standards across partner governments. But instead of taking the challenge head-on, the Biden administration seems content to pursue low-hanging fruit.
The White House has managed to corral 10 partners—Australia, Canada, Costa Rica, Denmark, France, New Zealand, Norway, Sweden, Switzerland, and the United Kingdom—into a joint initiative to combat spyware. While a good start, this diplomatic effort risks becoming purely symbolic if Biden and his brain trust do not engage key players like Israel and NATO allies Spain and Greece. If the administration fails to address America’s most problematic partners, it will handcuff its ability to fight spyware proliferation.
Biden’s executive order on spyware is a win for national security and American democracy. But it’s only a first step. Existing frameworks for stemming the flow of weapons—like the Cold War-era Wassenaar Arrangement for controlling arms exports—are outdated and toothless against surveillance software proliferation. Tackling the spyware challenge will require utilizing multiple tools of statecraft in creative and persistent ways.