Biden’s spyware executive order gets mostly good reviews
Welcome to The Cybersecurity 202! This is your periodic reminder to send tips to: tim.starks@washpost.com.
Below: A U.K. publisher wants a hacking case dismissed, and a look at the internet data purchased by the FBI. First:
How experts and lawmakers are sizing up a spyware executive order
The Biden administration on Monday debuted its long-awaited commercial spyware executive order, which lawmakers and experts greeted as a good — if incomplete and imperfect — answer to a technology that has been used to eavesdrop on government officials, journalists and dissidents.
It prohibits U.S. agencies from “operationally” using commercial spyware when they find that it poses a national security or counterintelligence risk to the United States. It also bars U.S. government use of spyware when there's a major risk that foreign governments use such tools to violate human rights or target Americans. (“Operational use” under the order means accessing a computer remotely without permission for purposes such as tracking locations or stealing information.)
The White House paired the release of the executive order with the news that 50 U.S. government personnel are confirmed or suspected to have been hacked with commercial spyware, as Ellen Nakashima and I reported. A senior administration official told us that they were “astounded” by that number.
The White House is stressing that foreign governments have used spyware maliciously.
“The proliferation of commercial spyware poses distinct and growing counterintelligence and security risks to the United States, including to the safety and security of U.S. Government personnel and their families,” a White House fact sheet reads. “A growing number of foreign governments around the world, moreover, have deployed this technology to facilitate repression and enable human rights abuses, including to intimidate political opponents and curb dissent, limit freedom of expression, and monitor and target activists and journalists.”
The view from the Hill
But democratic governments have also used such spyware. Spyware made by the most prominent spyware purveyor, NSO Group, was sold to 22 clients in 14 European countries, NSO representatives reportedly told the European Parliament. Two of those contracts were terminated, according to NSO.
Even in the United States, the FBI came under congressional scrutiny last year when Director Christopher A. Wray said the bureau purchased Pegasus software from NSO. Wray said the bureau only evaluated it, and did not use it.
Still, some lawmakers took issue with the Biden administration’s treatment of the spyware ecosystem.
“While the President deserves enormous credit for his efforts to address the human rights and national security risks associated with foreign abuses of spyware, the administration has a lot more work to do to ensure that Americans’ rights are not violated when U.S. government agencies use spyware,” Sen. Ron Wyden (D-Ore.) said in a statement. “I wrote to the FBI Director in December to urge more transparency around U.S. government hacking of Americans, but I've yet to hear back, or see any signs that the administration intends to address domestic uses.”
The chairmen of the Senate and House Intelligence panels hailed the executive order as building on the work of their committees, especially a provision Congress passed and the president signed into law last year authorizing the director of national intelligence to ban contracts with spyware companies within the intelligence community.
- “The federal government must continue to reinforce that targeting U.S. personnel with spyware is unacceptable and using this technology to carry out gross human rights violations and circumvent the rule of law must be addressed,” House Intelligence Chairman Michael R. Turner (R-Ohio) said in a statement.
- “For too long we’ve seen Administrations from both parties advance a vision of technology that is often oblivious to its misuse by bad actors,” Senate Intelligence Chairman Mark R. Warner (D-Va.) said in a statement. “I’m glad to see the tide turning with this Administration as it works to address the widespread misuse of technology for anti-democratic ends while advancing an alternative model.”
Rep. Chris Stewart (Utah), a Republican on the House Intelligence Committee who signed a letter last year calling on the administration to take stronger action against spyware, said he was frustrated it took as long as it did to complete the executive order, even as he welcomed it.
“The executive order is a step forward,” Stewart told me. “But we will continue to ask questions about it to make sure that capability isn’t being misapplied in places that it shouldn’t because we have experience knowing that sometimes happens” in the intelligence community, he said.
And Rep. Jim Himes (Conn.), the top Democrat on the Intelligence Committee and leader of the letter Stewart co-signed, praised the executive order even as he called on the Biden administration to do more, including greater use of sanctions against “rogue” companies.
The view off the Hill
The executive order is a “mixed bag,” in the estimation of Winnona DeSombre Bernsen, a nonresident fellow at the Atlantic Council think tank.
For instance, the order defines what it wants to tackle well, and does the things it wants to do within those parameters, such as preventing the United States from accidentally financing spyware, she said.
But it doesn’t address related “cyber mercenaries,” such as hackers-for-hire or companies that sell undisclosed “zero-day” vulnerabilities, she told me. And it doesn’t note a role for the State Department, which is concerning given the international scope of the spyware market, she said. It’s also focused on a U.S. government procurement model that might be hard for other nations to replicate, she said.
The broader issue of cyber mercenaries is at the core of a set of principles that the Cybersecurity Tech Accord, an industry coalition, released Monday. Those tenets are designed to help technology companies “curb” a growing market. Major technology and cybersecurity companies — like Cisco, Facebook parent Meta, Microsoft and its GitHub subsidiary, Trend Micro, and Google — have endorsed the document.
The executive order is “one of the most consequential actions to blunt proliferation that I've seen a government take” on spyware, John Scott-Railton, a researcher at the University of Toronto’s Citizen Lab who studies the technology, said on Twitter. But he also said more action could be taken at the state and international levels.
And in Europe, there is also a push for action. “This executive order is the correct response to the imminent threat from unimpeded proliferation of commercial spyware abuse. Two years after the Pegasus spyware scandal broke, however, Europe is still dithering and ducking, while the US is showing leadership and determination,” Sophie in 't Veld, the Dutch member of the European Parliament who is the rapporteur of its spyware investigative committee, said in a statement. “It is about time Europe teams up with the US to set common standards and rules, as I have proposed in my draft report.”
Himes told me that he expected a number of countries participating in the Biden administration’s Summit for Democracy this week to embrace the approach of the executive order.
Israel is home to some of the top spyware vendors, including NSO Group. The country’s representatives are expected to attend the democracy summit amid separate concerns about a controversial judicial overhaul plan from Prime Minister Benjamin Netanyahu, who delayed it Monday night amid protests.
“Israel was one of the 121 countries invited to the Summit for Democracy,” said National Security Council spokesman John Kirby, per my colleagues Toluse Olorunnipa and John Hudson. “I don’t have anything more with regards to participation to speak to.”
Asked about the executive order, NSO Group said that its software has been used for good and that it terminates contracts when it finds misuse.
“We have consistently called for a regulatory framework to oversee the use of cyber intelligence technologies and look forward to working with policymakers to achieve this goal,” it said in a statement that a representative said could not be attached to a name, per company policy.
The keys
Associated Newspapers asks for dismissal of celebrity hacking lawsuit
Daily Mail publisher Associated Newspapers asked the London High Court on Monday to dismiss a lawsuit filed by several celebrities accusing the media giant of illegal phone hacking and information-gathering, Jane Croft reports for the Financial Times.
The accusers include Prince Harry, musician Elton John and actresses Elizabeth Hurley and Sadie Frost. They say that “numerous unlawful acts” were carried out by the publisher or those affiliated with its newspapers. The lawsuit was filed last year, but the details of the allegations were only made public Monday.
“Associated Newspapers said it ‘firmly denied’ the ‘very serious claims’ made against it,” Croft writes.
The case is the first time the publisher, one of the U.K.'s largest, has been drawn into a legal dispute over phone hacking accusations, the story notes.
Russia supplying Iran with digital surveillance tech as military alliance grows
Moscow is deepening its military ties to Tehran through the supply of advanced cyberwarfare tools, Dov Lieber, Benoit Faucon and Michael Amon report for the Wall Street Journal, citing people familiar with the matter.
The reporters said the technology gives Iran “advanced digital-surveillance capabilities” after the country provided drones, missiles and artillery rounds to Russia for use in Ukraine.
The alliance between the two nations has grown following the start of the war in Ukraine last year, and Russia has sent eavesdropping, photography and lie detector devices to Iran, the report said.
“Moscow has likely already shared with Iran more advanced software that would allow it to hack the phones and systems of dissidents and adversaries,” the story reads, citing the people familiar with the matter.
FBI spent tens of thousands on internet data purchase, documents say
The FBI spent tens of thousands of dollars on “netflow” internet data that was collected by a private firm, Motherboard’s Joseph Cox reports, citing internal agency documents obtained through a Freedom of Information Act request. Netflow records summarize which IP addresses connected to which, on which ports, when and with how much traffic; they do not carry packet contents, but in bulk they reveal who communicated with whom.
The data purchase was for the FBI’s Cyber Division, Cox writes. The private company selling the data, Team Cymru, obtained it from deals made with internet service providers (ISPs) in which threat intelligence was offered in exchange. Such deals “are likely conducted without the informed consent of ISPs’ users,” the story says.
“Team Cymru’s products can also include data such as URLs visited, cookies, and PCAP data, but the FBI document does not specify access to any of these data types,” Cox adds.
The FBI has purchased commercial data previously, Director Christopher Wray said in a March 8 hearing.
The FBI declined to comment to Motherboard, and Team Cymru did not respond to the outlet’s request for comment.
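To make concrete what a netflow record actually carries, and why bulk access to it is a privacy question even without packet contents, here is an added Python example. It is not code from the Motherboard story, Team Cymru or the FBI. It builds a NetFlow v5 export packet from constructed sample flows (RFC 5737 documentation addresses), parses it back, and groups the destinations each subscriber address contacted. The subscriber prefix, the sample flows and the exporter itself are assumptions for illustration; the v5 field layout is the published Cisco format.

```python
import ipaddress
import struct
from collections import defaultdict

# NetFlow v5 wire layout, network byte order, field order per the Cisco v5 export format.
HEADER_FMT = "!HHIIIIBBH"              # version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling
RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"   # srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24 bytes
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48 bytes
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def build_v5_packet(records, unix_secs=1680000000):
    """Serialize (src, dst, sport, dport, proto, packets, octets) tuples as one v5 export packet.

    Constructed exporter for this example; in practice the packets come from a router or probe.
    """
    body = b""
    for src, dst, sport, dport, proto, pkts, octets in records:
        body += struct.pack(
            RECORD_FMT,
            int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)), 0,  # srcaddr, dstaddr, nexthop
            1, 2,                                  # input / output interface index
            pkts, octets,                          # packet and byte counts
            0, 1000,                               # first / last (sysuptime, ms)
            sport, dport,
            0, 0x18, proto, 0,                     # pad1, tcp_flags (PSH|ACK), protocol, tos
            0, 0, 24, 24, 0,                       # src_as, dst_as, src_mask, dst_mask, pad2
        )
    header = struct.pack(HEADER_FMT, 5, len(records), 1000, unix_secs, 0, 0, 0, 0, 0)
    return header + body


def parse_v5_packet(data):
    """Parse a NetFlow v5 export packet into a list of flow dicts; rejects other versions and short packets."""
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than a v5 header")
    version, count = struct.unpack(HEADER_FMT, data[:HEADER_LEN])[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(data) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("truncated packet: header count exceeds payload")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        f = struct.unpack(RECORD_FMT, data[off:off + RECORD_LEN])
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "packets": f[5],
            "octets": f[6],
            "sport": f[9],
            "dport": f[10],
            "proto": PROTO_NAMES.get(f[13], str(f[13])),
        })
    return flows


def contacts_by_subscriber(flows, subscriber_net):
    """Group the (dst, dport, proto) triples each address in subscriber_net initiated flows to.

    This is the inference netflow enables with no packet contents at all: who talked to whom, on what service.
    """
    net = ipaddress.IPv4Network(subscriber_net)
    contacts = defaultdict(set)
    for f in flows:
        if ipaddress.IPv4Address(f["src"]) in net:
            contacts[f["src"]].add((f["dst"], f["dport"], f["proto"]))
    return dict(contacts)


# Constructed sample flows using RFC 5737 documentation addresses.
# Assumption: 203.0.113.0/24 plays the ISP's subscriber pool, 198.51.100.0/24 the services they reach.
SAMPLE_RECORDS = [
    ("203.0.113.10", "198.51.100.5", 51234, 443, 6, 42, 31337),   # subscriber A -> HTTPS service
    ("203.0.113.10", "198.51.100.9", 40000, 53, 17, 2, 180),      # subscriber A -> DNS resolver
    ("203.0.113.77", "198.51.100.5", 52000, 443, 6, 10, 4096),    # subscriber B -> same HTTPS service
    ("198.51.100.5", "203.0.113.10", 443, 51234, 6, 40, 65000),   # return direction, not subscriber-initiated
]
SAMPLE_PACKET = build_v5_packet(SAMPLE_RECORDS)

if __name__ == "__main__":
    summary = contacts_by_subscriber(parse_v5_packet(SAMPLE_PACKET), "203.0.113.0/24")
    for ip, dests in sorted(summary.items()):
        print(ip, sorted(dests))
```

Two things worth noting from running it: the return-direction flow is excluded by the subscriber-prefix filter, so the summary is a per-customer list of services contacted, and nothing in the 48-byte record is content, which is exactly why a provider can hand it over while still arguing no "communications" were shared. A collector that does not check the header count against the payload length, as the parser above does, will read past the buffer on a truncated export.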
Hill happenings
Senators reintroduce bill to bolster federal data center security (Nextgov)
National security watch
US military needs 7th branch just for cyber, current and former leaders say (The Record)
Global cyberspace
U.S. spy agency cyber chief warns TikTok is China’s ‘Trojan horse’ (Bloomberg News)
Belgian intelligence puts Huawei on its watchlist (Politico Europe)
Europol sounds alarm about criminal use of ChatGPT, sees grim outlook (Reuters)
Russian hackers strike French National Assembly website (Politico)
Lawmakers vote on Paris Olympic law with surveillance fears (Associated Press)
Cyber insecurity
BianLian ransomware crew swaps encryption for extortion (The Register)
Privacy patch
Clearview AI used nearly 1 million times by U.S. police, it tells the BBC (BBC News)
They posted porn on Twitter. German authorities called the cops. (Wired)
Daybook
- DHS Secretary Alejandro Mayorkas testifies at a Senate Judiciary Committee oversight hearing today at 10 a.m.
- CISA Director Jen Easterly testifies at a House Appropriations hearing on the 2024 fiscal year budget request for the Cybersecurity and Infrastructure Security Agency today at 10 a.m.
Secure log off
Thanks for reading. See you tomorrow.