Biden Restricts Use of Commercial Hacking Tools by U.S. Agencies.

WASHINGTON—President Biden restricted the use of commercial hacking tools throughout the federal government as officials said they believed high-powered spyware had compromised devices belonging to at least 50 U.S. personnel working overseas.

Mr. Biden signed an executive order that imposes rules limiting the acquisition and deployment of hacking tools from vendors whose products have been linked to human-rights abuses or are deemed to pose counterintelligence or national security risks to the U.S. It also limits the purchasing of tools if they are sold to foreign governments considered to have poor records on human rights.

The move, senior administration officials said, is intended to grapple with the rapidly growing and lucrative international marketplace of cyber-intrusion tools that can break into someone’s phone—often with malware that doesn’t require the victim to click on a malicious link or attachment—and spy on them undetected for months or years. 

By not banning such tools outright, the order is also an acknowledgment that the spyware-for-sale industry is potentially important to government intelligence operations even as the technology poses a growing counterintelligence and national security risk to U.S. diplomats, spies and others.

“This is a foundational step to make sure we as a U.S. government have clear guardrails in place” on the use of commercial hacking tools, a senior administration official said. 

Independent security researchers and human-rights advocates have said some forms of commercial spyware can be almost impossible to defend against and have been abused by authoritarian and some democratic governments to target journalists, dissidents and political opponents.

The discovery of the extent of infiltration of devices belonging to U.S. officials was particularly alarming, senior administration officials said, adding that it reflected the national security dangers posed by unchecked proliferation of these kinds of hacking tools.

The tally of officials who have had their devices hacked is far larger than what has been reported previously. Officials declined to identify who was targeted other than to say some held senior jobs; they also declined to identify in which countries the victims had worked but said the hacking had occurred in at least 10 countries on multiple continents. The officials said victims had been made aware of the intrusions and that they anticipated more compromises would be identified.

“These are only the devices we have been able to identify,” the senior administration official said, describing them as confirmed or suspected intrusions due to the method of investigation. “We are continuing to take a concerted effort to understand the extent to which commercial spyware has been used to target U.S. personnel overseas.”

In December 2021, Apple Inc. notified 11 U.S. State Department employees in Uganda that their iPhones were hacked, and investigators linked the attack to a tool developed by NSO Group, an Israeli technology company that was previously blacklisted by the Biden administration, The Wall Street Journal and others reported.

NSO Group has long attracted the bulk of public scrutiny for its selling of a mobile-device hacking tool known as Pegasus, which reports have alleged has been used by dozens of law-enforcement and intelligence customers around the world to break into cellphones belonging to politicians, activists and journalists. NSO Group’s chief executive told the Journal in January that the firm had terminated 10 customers because of alleged misuse of its technology and said it had learned lessons from those experiences.

Israeli firm NSO Group has attracted scrutiny for its selling of a mobile-device hacking tool known as Pegasus.PHOTO: AMIR COHEN/REUTERS

But the business of commercial spyware is larger than one company, officials and experts have said, and banning one firm or another would struggle to keep up with a fast-moving marketplace that until now has proliferated with scant international oversight or regulation.

The executive order doesn’t completely prohibit the purchase and deployment of commercial spyware by U.S. agencies. It essentially creates a matrix of factors that will be used on a case-by-case basis to restrict a spyware vendor’s use within the government, though barred companies won’t be made public. The order lists steps companies can take to potentially have their wares removed from prohibition, such as canceling licensing agreements with governments known to violate human rights.

The risks considered when weighing whether to restrict the use of a vendor’s technology include whether the spyware has been targeted against U.S. government personnel and whether the company is under effective control of a foreign government engaged in intelligence activities directed against the U.S. It also penalizes vendors if their tools are found to be used by a foreign actor against activists or others for the purposes of intimidation or to curb political opposition or to enable human-rights abuses, or is used by a foreign actor to track Americans without proper legal authorization and oversight. 

Additionally, agencies can be barred from purchasing hacking tools even if they are not linked to pernicious activity but instead merely sold to a government that is determined to be violating human rights.

The order will broadly continue to allow agencies to acquire the technology for nonoperational uses, such as testing it for research or cybersecurity purposes.

John Scott-Railton, a senior researcher at Citizen Lab, a cyber-research group at the University of Toronto that has monitored the use and proliferation of commercial spyware tools, said the executive order was significant and applauded its focus on human-rights abuses.

The revelation that at least 50 U.S. officials working overseas had been compromised showed that spyware tools pose “a blinking red light national security threat, and it cuts across U.S. government activity around the world,” Mr. Scott-Railton said. He said the order “appeared to be constructed with an eye toward pumping the breaks on proliferation.”