Biden has called on the U.S. agencies to restrict the usage of commercial hacking tools

March 27, 2023

minute read

President Joe Biden restricted the use of commercial hacking tools across the federal government after officials suspected high-powered spyware compromised the devices of 50 U.S. personnel overseas.

‍

Mr. Biden ratified an executive order that places restrictions on the purchase and use of hacking tools from companies whose goods have been connected to violations of human rights or are thought to endanger American counterintelligence or national security. Also, if instruments are supplied to foreign countries with a reputation for violating human rights, it restricts the purchase of those tools.

‍

According to senior administration officials, the action is intended to address the rapidly expanding and lucrative global market for cyber-intrusion tools that can hack into a person's phone and spy on them covertly for months or years. Often, these tools use malware that can infect a victim's device without the victim having to click on a malicious link or attachment.

‍

The directive acknowledges the potential importance of the spyware-for-sale market to government intelligence operations while also recognizing the growing counterintelligence and national security risks this technology poses to American diplomats, spies, and others.

‍

President Biden limited the use of commercial hacking tools across the federal government after officials claimed they thought highly effective spyware had corrupted at least 50 American service members stationed abroad.

‍

Yet according to officials and experts, the commercial spyware industry is more than one corporation, and banning one company or another would make it difficult to keep up with a quickly evolving market that, up until now, has multiplied with no international oversight or control.

‍

The executive order does not entirely forbid American government agencies from acquiring and using commercial malware. In essence, it establishes a matrix of criteria that will be applied on a case-by-case basis to limit the usage of a spyware vendor within the government, however, the names of those who have been banned will not be made public. The directive outlines actions businesses can take, such as terminating license deals with governments known to violate human rights, to potentially have their products removed from restriction.

‍

When deciding whether to limit the use of a vendor's technology, concerns to be taken into account include whether the spyware was intended to target U.S. government employees and whether the business is effectively controlled by a foreign government engaging in espionage operations against the U.S. Additionally, it punishes suppliers whose technologies are discovered to have been utilized by foreign actors to track Americans without adequate legal license or control, intimidate activists or others, suppress political dissent, or assist human rights abuses.

‍

Similarly, agencies may be prohibited from acquiring hacking tools, even if those tools are just supplied to a government that has been shown to be infringing on human rights and are not associated with any evil deeds.

‍

In general, the rule will keep allowing agencies to purchase the technology for non-operational tasks like cybersecurity or research testing.

‍

The executive order, according to John Scott-Railton, a senior researcher at Citizen Lab, a cyber-research organization at the University of Toronto that has tracked the usage and spread of commercial spyware software, is significant and deserves praise for its emphasis on violations of human rights.

‍

Spyware tools provide "a blinking red light national security threat, and it cuts across U.S. government operations around the world," according to Mr. Scott-Railton, who said that it was discovered that at least 50 American officials working abroad had been hacked. The order "seemed to have been drafted with an eye toward pumping the breaks on proliferation," he claimed.