Background Press Call on the President’s Executive Order on Commercial Spyware
Via Teleconference
9:07 A.M. EDT
MODERATOR: Thank you, everyone, for joining us on this Monday morning very early.
As a brief reminder to the ground rules of this call, it’s being held on background, attributable to “senior administration officials,” and embargoed until 12:00 p.m. Eastern today.
For your awareness but not for your attribution, the two speakers on our call today are [senior administration official] and [senior administration official].
We’ll turn it over to our two speakers in a moment for opening remarks, and then we’ll open it up for Q&A.
Senior administration official one, over to you.
SENIOR ADMINISTRATION OFFICIAL: Thank you. And hello, everybody.
We wanted to let you know that President Biden will issue today a groundbreaking executive order that prohibits, for the first time, operational use by departments and agencies of the U.S. government of commercial spyware that poses risks to the national security and foreign policy interests of the United States, including commercial spyware that has been used to target U.S. personnel or enable human rights abuses around the world.
This executive order will serve as a concrete demonstration of U.S. leadership and commitment to countering the misuse of commercial spyware and other surveillance technology, as the President co-hosts the second Summit for Democracy this week.
As I will explain, this executive order is also part of a multifaceted response to a multifaceted challenge posed by the proliferation and misuse of commercial spyware.
What I’m going to do today is I’m going to explain first why the administration decided to issue this executive order; second, the objectives of the executive order, which reflect the fact that we’ve used proliferation and misuse of commercial spyware as a hard national security and counterintelligence threat, as well as a threat to human rights globally; and third, the executive order structure, which sets out novel factors for evaluating the risk posed by commercial spyware.
Finally, we’re also going to turn to the Summit for Democracy that starts this week and how this executive order is both the U.S. leading by example but also, we hope, will be a foundation for broader international action.
So, beginning in the late summer/early fall of 2021, the National Security Council staff here at the White House initiated a new government-wide policy process to assess the threat posed by the misuse of commercial spyware and begin implementing policy measures to counter the proliferation and misuse of these powerful surveillance tools.
We focused purposefully on the most advanced and invasive tools: the end-to-end software suites that allow a user to remotely access an electronic device like a cellular phone, extract a device’s contents, and manipulate its components, all without the knowledge or consent of the device’s users.
As we undertook this effort, and as many of you on the call know well, we identified, as has been widely reported, a growing number of foreign governments around the world that have deployed this technology to facilitate repression; enable human rights abuses, including to intimidate political opponents and curb dissent; and target activists as well as journalists around the world.
Misuse of these powerful surveillance tools has not been limited to authoritarian regimes, however. Democratic governments also have confronted revelations that actors within their own systems have used commercial spyware to target their own citizens without proper legal authorization, safeguards, and oversight.
Now, as we dug into this effort, we also recognized quickly that proliferation of commercial spyware poses distinct and growing counterintelligence and security risks to the United States, including to the safety and security of U.S. personnel and their families. For one, untrustworthy commercial vendors and tools can present significant risks to the security and integrity of U.S. government devices and U.S. government information. We also confirmed that U.S. personnel overseas have been targeted by commercial spyware.
So we moved quickly to implement a range of actions on commercial spyware, including we passed — we issued new export controls on spyware-related intrusion software, and we added a number of foreign spyware companies to the Commerce Department’s entities list.
But as part of this process, we also identified another significant gap: that U.S. departments and agencies did not have clear and consistent direction on whether they could use these spyware tools, even if the very same tools were being used to target U.S. diplomats or being misused extensively abroad to facilitate human rights abuses.
At the same time, commercial spyware vendors — some commercial spyware vendors were aggressively marketing to and seeking to make inroads across the U.S.’s many law enforcement, defense, and intelligence components, sometimes by obfuscating the business ties and practices.
So, as a result, we announced almost a year ago that we would work to institute such a prohibition. Helpfully, Congress also acted thereafter on a bipartisan basis on two fronts: to give the Director of National Intelligence new authorities within the intelligence community on commercial spyware and also to impose new restrictions on the ability of IC personnel to work for foreign entities, which was a direct result of the controversies around the company named DarkMatter.
Now, importantly, just last Thursday, the Director of National Intelligence issued binding guidance to the U.S. intelligence community to implement these new statutory restrictions on former intelligence community officials seeking employment with foreign governments or companies, including former — sorry, foreign commercial spyware entities.
Now, let me turn to the executive order. The executive order is the consensus product of all the key U.S. departments and agencies, including our law enforcement, defense, and intelligence components. It prohibits departments and agencies across the federal government from operationally using commercial spyware tools that pose significant counterintelligence or security risks to the U.S. government, or significant risks of improper use by a foreign government or foreign person, including to target Americans or enable human rights abuses. And it encompasses spyware tools that are furnished by foreign or domestic commercial entities.
This is important to ensure that we don’t create an incentive structure for U.S. companies or for vendors to relocate to the U.S. to bypass restrictions.
Now, the primary objectives of the executive order are:
First, to ensure that any U.S. government use of commercial spyware aligns with the U.S.’s core national security and foreign policy interests in upholding and advancing democracy, the rule of law, and respect for human rights.
Second, that the U.S. does not contribute directly or indirectly to the proliferation and misuse of commercial spyware.
Third, to better protect U.S. government personnel and U.S. government information systems, and intelligence and law enforcement activities against significant counterintelligence or security risks.
And fourth, to serve as a foundation for greater international cooperation to counter the global proliferation and misuse of commercial spyware by the U.S. leading by example.
And finally, we believe this executive order will also help spur reform in a largely unregulated and insufficiently controlled industry, including by outlining responsible use and remedial factors that are intended to prevent misuse and reduce risks to U.S. national security.
Let me highlight just a few elements from the executive order structure.
So the executive order establishes novel counterintelligence, security, and improper use factors that indicate the risks that I described above. These include: if a foreign government or foreign person has used or acquired the commercial spyware to gain or attempt to gain access to U.S. government electronic devices or the devices of U.S. government personnel without authorization from the U.S. government. This is directly tied to the use of these tools against U.S. government personnel.
Second, there are a number of counterintelligence and security factors that have to do with whether or not a vendor or the software is trustworthy or untrustworthy. For instance, if a commercial spyware (inaudible) is furnished by an entity that maintains, transfers, or uses data obtained from the commercial spyware without authorization from the licensed end user or the U.S. — for example, such as through a back door; whether the company has disclosed or intends to disclose nonpublic information about the U.S. government or its activities; or if it is under the direct or effective control of a foreign government or foreign person engaged in intelligence activities directed against the United States.
In addition, the executive order identifies a number of human rights-related factors. One is that if a foreign actor uses the commercial spyware itself against activists, dissidents, or other actors like journalists to intimidate, curb dissent or political opposition, otherwise to limit freedoms of expression, peaceful assembly, or association, or to enable other forms of human rights abuses or suppression of civil liberties.
We also wanted to make sure that the executive order can capture circumstances in which commercial spyware is used to track or target U.S. persons without proper legal authorization, safeguards, and oversight, and without the consent of the American.
Finally, to be able to ensure that this executive order can apply to a broader set of circumstances in the future, the commercial spyware is — the executive order also includes a factor in a circumstance where the commercial spyware has furnished the government to which there are credible reports that they engage in systematic acts of political repression, including arbitrary arrest or detention, torture, extrajudicial or politically motivated killing, or other gross violations of human rights.
This is intended to ensure application of the executive order in situations when foreign actors may not yet have committed specific abuses through the use of commercial spyware, but have engaged in other serious abuses and violations of human rights.
Finally, the executive order does seek to strike a balance. And, here, the executive order identifies concrete remedial steps that commercial spyware vendors can take to remove identified risks, such as canceling relevant licensing agreements or contracts that can present such risks.
And then I would end on this part, with regard to the executive order, to say that the executive order directs important new reporting and information-sharing requirements within the executive branch, building on pre-existing requirements outlined by Congress to ensure that departments and agencies can make informed and consistent determinations based on up-to-date, all-source information. And it directs the development of a semiannual comprehensive intelligence assessment.
I’m going to turn, in a moment, to my colleague here to discuss how this fits into the Summit for Democracy. But what I would just reinforce is the fact that this executive order is one of a series of actions to deal with a multifaceted challenge and threat posed by the proliferation and misuse of commercial spyware.
That includes circumstances in which entities may try to recruit U.S. personnel to develop these tools in the first place, which is why Congress acted and the intelligence community just issued guidance last week to restrict the ability to work for these sorts of entities.
This includes another means by which we’ve addressed this — is through our export controls, including placing entities on the Department of Commerce Entity List.
And then, with regard to the EO, it is the U.S. leading by example as we enter the Summit for Democracy by establishing robust guardrails, among other things, to protect against counterintelligence and security risks, to spur industry reform — but also, hopefully, to start working in partnering with likeminded partners, globally.
On that note, let me turn to my colleague.
SENIOR ADMINISTRATION OFFICIAL: Thank you, [senior administration official]. Thank you all for joining this morning.
As [senior administration official] mentioned, we are issuing the executive order just before the start of the second Summit for Democracy, which will provide a unique opportunity and momentum to address both our affirmative vision for technology but also how we can take individual and collective measures to counter the spread and misuse of technology, including with respect to commercial spyware.
The executive order is, in our view, a cornerstone deliverable at the summit and a demonstration of U.S. leadership and commitment in this area. We hope it provides a foundation for us to partner with like-minded governments in the weeks and months to come.
Let me briefly provide you with a quick overview of the summit later this week, which we are delighted to co-host with the governments of Costa Rica, the Netherlands, the Republic of Korea, and the Republic of Zambia, officially from March 29th and 30th, preceded by a day of high-level (inaudible) events starting tomorrow, Tuesday, March 28, hosted by Cabinet members and other senior officials.
Altogether, we’ve invited 121 foreign partners, and our expectation is that this summit will spur additional efforts to strengthen democratic governance globally and demonstrate to global audiences how the U.S. and other democracies are delivering for their citizens and organizing to address the world’s most pressing challenges.
On the — on day zero, we will have nine Cabinet- and sub-Cabinet-level events, followed by, on the first day, by President Biden together with his counterparts and the co-host nations, to officially kick off the second summit by a joint opening address.
Day two is the day when we will have co-host events around the world, which will convene in person, including in the United States at the Washington Convention Center. For the U.S. event, we’ve decided to dedicate our event to advancing technology for democracy.
The events will be divided into three sessions: the first one advancing democracy and Internet freedom in a digital age; the second is dedicated to countering the misuse of technology and the rise of digital authoritarianism, which this EO falls into; and third, focusing on shaping emerging technologies to ensure respect for human rights and promi- — promotes democratic principles.
This reflects the administration’s view that democracies must know what they stand for, which we argue is an affirmative, cogent, values-driven, and rights-respecting vision for how modern technology should support democratic norms and institutions.
At the same time, we must be clear about what we stand against: the misuse of technology to repress, control, divide, and disenfranchise. This includes the need of regulation of the tech sector to promote accountability and transparency as the President has emphasized, and third, the imperative to look ahead and to shape emerging technologies.
We’re delighted that four members of the Biden-Harris Cabinet will participate in the event on March 30th. In addition to the announcement today with the executive order, we plan to release an additional set of announcements focusing on technology, including with respect to countering the misuse thereof.
MODERATOR: Great. Thank you both so much. With that, [Operator], we’ll turn it over to you to moderate Q&A.
Q Hey, guys, thanks for doing this call. I just want to clarify here: Is it the case that this EO does not ban federal use of all spyware — it’s the ones that kind of fall into this particular criteria of abuse? And if that’s the case, how do we know which ones will be — is there going to be like a formal blacklist? Will that be publicly accessible? Like, we will know NSO is not kosher? How is that going to play out? Thanks.
SENIOR ADMINISTRATION OFFICIAL: Yeah, so as we announced about a year ago — this was in April of 2022 — we were pursuing a prohibition on the use of commercial spyware that poses, on the one hand, counterintelligence or security risks to the U.S. or, on the other hand, risks of misuse abroad. And so, in that respect, this executive order follows that guidance.
It builds on legislation that was passed as part of the FY23 NDAA, which provided discretionary authority to the DNI, the Director of National Intelligence, with regard to commercial spyware but only in circumstances that had to do with counterintelligence risks. This goes beyond that.
In addition, it goes — it applies across the federal government. So it’s not just to the intelligence agencies. The executive order builds out essentially an information-sharing process to ensure that departments and agencies are able to make — evaluate and make determinations based on the best information available about whether or not there is derogatory information that would meet the criteria listed.
It’s intended to be a high bar but also includes remedial steps that can be taken — concrete, verifiable remedial steps — in a circumstance in which a company may argue that their tool has not been misused.
In addition, the determinations can only be made by a specified enumerated heads of agencies and departments, and it’s a limited set. And that authority is not delegable. But it ensures accountability both to the President but also to Congress, since these are Senate-confirmed heads of agencies and departments that would have to make those determinations.
Q Right. And will the list of — will this be a public list?
SENIOR ADMINISTRATION OFFICIAL: The executive order does not mandate the creation of a list. And that was very purposeful. It is intended to establish factors that would need to be determined on a case-by-case basis.
Q I mean, I guess, can you clarify: Would the public be made aware whenever a spyware vendor is banned in this way?
SENIOR ADMINISTRATION OFFICIAL: Not through this executive order? No.
Q Hi. Thanks for doing the call. Appreciate it. It’s a little difficult to frame this for readers without a little more clear accounting of when federal agencies, law enforcement, or intelligence agencies have actually used commercial spyware that might fall under this category of being verboten. So, can you speak at all to whether this has happened before and how rampant it’s been? Because we get glimpses here and there in media reports, but there hasn’t really been much transparency at all in terms of when these tools are being used by the U.S. government.
SENIOR ADMINISTRATION OFFICIAL: Yes. So this executive order — which, again, we announced that we will be pursuing this sort of ban about a year ago as part of this policy process I mentioned — was purposely initiated to get ahead of a challenge that we were seeing, which was that there was an effort by commercial spyware vendors, like in other countries, to try to make inroads across the U.S. federal government and to market and to sell their tools across the federal government.
So we purposely announced publicly that we would be pursuing this sort of ban. And we started an interagency process with all the key elements of the departments and agencies to develop the executive order that we’re — that’s going to be issued today on purpose.
But as part of that process, it allowed us to get ahead of the challenge and to ensure that we set these guardrails early, before reports of widespread use emerged.
And as I mentioned, you know, the process that we initiated initially was in the late summer/early fall of 2021. That’s when we started to move with a new export control rule on cyber surveillance tools, and then placing certain companies on the Department of Commerce Entity List in November of ’21. And then we kind of proceeded methodically through that process.
So this is partly us getting ahead of a challenge, foreseeing the fact that there were no standards — no concrete and consistent standards across the U.S. government — and also, as a result, allowing us to lead by example with other partners around the world.
Q So, have you found any examples of law enforcement or intelligence agencies using spyware — U.S. agencies, that is, using spyware operationally that would be banned by this executive order?
SENIOR ADMINISTRATION OFFICIAL: So, unfortunately, I can’t go into additional details. But I would point to the fact that the few instances in the record have been addressed, I think, with Congress as well.
Q Yeah, hi. Thanks for holding this call. I’m just wondering if you could give any further details. I know right at the end of the briefing, you mentioned there’s going to be an additional set of announcements around some technology issues announced as part of the Summit on Democracy. Can you give any further details of what those announcements will be? Thanks.
SENIOR ADMINISTRATION OFFICIAL: Yeah, happy to.
So, looking at the three things that we outlined, we plan to make an announcement in each of the three buckets that reflect how we hope to advance our affirmative vision for technology.
For the purpose of this call and to focus on countering the misuse of technology and the rise of digital authoritarianism, the announcements we plan to make fall into those buckets.
And the sequence of the terms matters here because we’re very concerned about the spread of digital authoritarianism and practices around the world, but we are also very cognizant that the misuse of technology can occur in any state.
So, we are taking steps to make sure that the way that we would like technology to be used is aligned with human rights and democratic principles all around the world.
And two specific examples of follow-up announcements building on what we initiated at the first Summit for Democracy 15 months ago are the export controls and human rights initiatives, where we’ve done work since the first summit that we will now unveil at the March 30th event. And then, second, we announced at the first summit that we would develop a set of guiding principles for governments’ use of surveillance technology.
There are a few other initiatives that we are also preparing and hope to share with you later this week. But those are some additional components to this particular — issues that, as it relates to the countering — the misuse of technology and the spread of digital authoritarianism.
Q So are you saying that there’s going to be a set of guiding principles rolled out, just to clarify? Because I know you promised at the first summit.
SENIOR ADMINISTRATION OFFICIAL: Yes.
Q Thank you.
Q Hey, guys. Two questions. First, on the — like, what kind of, sort of, teeth does the executive order have to deal with, for instance, the recent reporting of an American citizen in Greece, a Facebook employee getting hacked by a tool called Predator? What would be the sort of ways the EO could deal with that instance? Would it be to put the company that makes that on the Entity List? That’s the first question.
The second question is back to what was originally asked about the determination about what companies might be okay versus what might not be. For instance, there’s the documented use of the DEA using a tool called Graphite made by a company called Paragon. Is that something that you just monitor, and then if Paragon looks like those tools have been abused, then you take action? How does that sort of mechanism work? Thank you.
SENIOR ADMINISTRATION OFFICIAL: Thanks. So, on your first question, the executive order is focused on regulating the U.S. government’s operational use of commercial spyware. Again, establishing robust guardrails which have not existed today on the U.S. government’s use. But the U.S. government has other tools at its disposal, which we have used to address misuse of commercial spyware elsewhere abroad.
So there are a range of export control measures, but also diplomatic engagement, et cetera. So, we are — again, as I mentioned, at the beginning, we view the threats and the challenge of the proliferation and misuse of commercial spyware as a multifaceted one where we have been seeking to take steps to address from different angles this challenge.
One of them, as I mentioned earlier, was the recruitment of U.S. intelligence professionals, for example, to work for these sorts of entities. There is now, thanks to Congress, a guidance implemented just on Thursday by the Director of National Intelligence. There is now strict guidance that is implemented across the intelligence community.
We have used our export control authorities, and that is another tool that would get at your first question. And then we are establishing, internal to the U.S. government — and thereby leading by example globally — guardrails on potential use of these tools.
On your — can you remind me of your second question?
Q Right. The second question is just — it sort of — it goes back to the first question that was asked about sort of how you make determinations about, you know, which spyware tools are okay for use by U.S. government versus those that are not. And, like, there’s the DEA case of another Israeli company called Paragon, and they’re using a tool called Graphite. Is that something that, you know, you just sort of monitor and then if there’s instances where that tool might be abused elsewhere, then that’s something that then goes on to some kind of banned list for U.S. government use?
SENIOR ADMINISTRATION OFFICIAL: Yeah, so I’d point you to — when the executive order is issued, it’ll have a very detailed, robust section to require the heads of agencies to review any activity that might be relevant in this case, make a determination and certify whether or not the use of that commercial spyware poses either significant counterintelligence or security risks to the U.S. or significant risks of improper use. But then it also requires that any — at any time after procuring commercial spyware for operational use, if there is — if the agency obtains relevant information with respect to the factors I laid out and they determine that there is that risk, that they shall terminate the operational use.
Q Okay, thank you.
Q Hi, it’s Tonya Riley with CyberScoop, but they — they did their best.
I had a question about the targeting of U.S. personnel and if you can comment on how pervasive it was, just in terms of how much you were seeing, where — just any more details you can give. Thanks.
SENIOR ADMINISTRATION OFFICIAL: Yes, sure. So, as I mentioned at the beginning of the call, we’ve confirmed that U.S. personnel overseas have been targeted by commercial spyware. And as you may be familiar, public reports to date have identified less than a dozen U.S. diplomats who have been targeted by commercial spyware.
Now, we undertook an extensive effort to better understand the extent to which U.S. personnel have been targeted. And to date — and this is a snapshot, because this is part of an ongoing effort to identify — the U.S. government has identified devices associated with 50 — that’s five-zero — U.S. government personnel overseas in at least 10 countries on multiple continents that are confirmed or suspected to have been targeted by commercial spyware.
Now, as I mentioned, our efforts to identify additional targeted personnel continue, and we obviously cannot rule out even more instances. And this goes to the first factor I outlined when I was walking through the structure of the executive order and why we have identified targeting of U.S. personnel as a key factor that needs to be considered.
MODERATOR: Great. Thank you, everyone. That is all the time for questions we have today. We really appreciate everyone taking the time to join us on this Monday morning. And thank you to our two senior administration officials for taking the time to walk everyone through it.
As a reminder of the ground rules, this call was held on background, attributable to “senior administration officials,” and embargoed until 12:00 p.m. Eastern today.
Thank you all for joining today. And we also sent out a factsheet via email under embargo. If anyone did not get it, please send me an email and let me know. Thank you.
9:39 A.M. EDT