The Biden administration is welcoming six new countries to a US-led pact to crack down on phone-hacking spyware as US officials tell CNN that the administration continues to find new cases of American government personnel being targeted by a technology that is deemed a national security and counterintelligence threat.
“We are aggressively and intensively trying to identity and confirm more” cases of US government personnel whose phones have been targeted with commercially available spyware, a US National Security Council official told CNN.
A year ago, the Biden administration put the tally of US government personnel either suspected of or confirmed to have been targeted by spyware at 50. It has since grown, the NSC official said, declining to quantify the growth in cases while saying that the counterintelligence and national security risks from the technology remain high.
Spyware is malicious software that is used to break into mobile phones, turning them into a listening device and scooping up their contacts. The market for commercial spyware has exploded over the last decade as companies from Israel to North Macedonia have hawked their services and many governments have been willing buyers.
A key prong of the US strategy to combat spyware has been trying to convince its allies not to do business with spyware companies whose tools might be used against US diplomats or to surveil dissidents and journalists on US soil.
Poland and Ireland — two countries that have allegedly had a role in spyware abuse in the past — are among the new signatories of the anti-spyware pact, a move that US officials are touting as a sign of growing global momentum to curb what has been rampant abuse of the surveillance technology. Poland’s prime minister has claimed the previous government used spyware on a long list of victims. The US Treasury Department this month sanctioned an Ireland-based company for allegedly being involved in the spyware business.
The other countries joining the pledge to combat spyware are Finland, Germany, Japan, and South Korea, according to the White House. The announcement will come this week in Seoul at the Summit for Democracy, an annual gathering of democratic governments around the world.
Eleven countries, including the US and its “Five Eyes” allies, signed onto the pledge last year, which vows that “any commercial spyware use by our governments is consistent with respect for universal human rights, the rule of law, and civil rights and civil liberties.”
Alarm bells went off among senior counterintelligence and national security officials more than two years ago when they began to discover that dozens of US government personnel were targeted by invasive commercial spyware. That included a dozen State Department employees serving in Africa, whose iPhones were hacked with spyware developed by Israeli firm NSO Group, CNN has reported.
Governments using the spyware on US personnel may be trying to collect intelligence on the targeted phones or surveil people from their own countries that are meeting with US diplomats, the NSC official said. The official declined to name any governments involved.
The risk is acute: Some spyware vendors either have “very close relationships” with a foreign government or are “under the clear control” of a foreign government, the NSC official said, declining to elaborate.
At least 74 countries have contracted with private firms to obtain commercial spyware, the US intelligence agencies said this month in their annual threat assessment.
A US government-wide study of the risk of spyware to US interests was launched, including a probe of whether US intelligence and law enforcement agencies were contracting with the very spyware firms whose tools other governments were using to surveil US diplomats.
The Biden administration’s review “did not identify widespread use” in the federal government of commercial spyware, the official said in a rare interview on the subject. But US officials were alarmed by a “very aggressive effort” by spyware vendors to market their hacking tools to various US agencies, the official told CNN.
The FBI, for example, confirmed in 2022 that the bureau bought a testing license for NSO Group’s Pegasus software. The FBI has not used Pegasus in investigations, according to the bureau.
Alarmed by a lack of visibility into whether US government agencies were using commercial spyware, the White House last year issued an executive order barring agencies from using spyware that is deemed a national security threat or that is implicated in human rights abuses.
“If you think that your use of some of these tools is going to stay quiet in your own system, think twice,” the NSC official said, paraphrasing US advice to its allies. “And we are an example of that,” the official added, referring to the fact that the FBI has bought a test license for Pegasus, and that the tool has reportedly been used by other governments on US diplomats.
The Biden administration has sanctioned and restricted visas for spyware vendors and barred US companies from doing business with others. But it can only do so much on its own to dent a lucrative spyware market.
Spyware companies often hide behind opaque corporate structures and companies to stay in business, according to US officials and researchers who track those companies. White House officials this month met with US venture capital firms to warn them about the risks of their investments inadvertently fueling the growth of spyware.
“We are concerned about capital flowing in — and capital that folks may not realize is actually being used to fuel risks to Americans,” the NSC official said.