Background Press Call on U.S. Efforts to Counter Misuse of Commercial Spyware and the Third Summit for Democracy
National Security Council
Via Teleconference
9:02 A.M. EDT
MODERATOR: Hello, everyone, and good morning. Thank you for joining us today. This is Jessica Kosmider with the NSC press team, and I’ll be facilitating today’s call.
As a reminder, this call is on background, attributable to senior administration officials.
Not for your reporting, but for your information, today on the line we have [senior administration official] and [senior administration official].
We’ll try to get to as many questions as we can in the time that we have available. Please keep your phones on mute unless you’re called on for a question.
With that, I’ll turn it over to senior administration official number one for any opening comments.
SENIOR ADMINISTRATION OFFICIAL: Hey, everybody. Thanks for taking the time. We’re joining extremely jetlagged here in South Korea.
But we just concluded a successful first day of the Summit for Democracy that South Korea is hosting this year. And an important focus for the United States and for many of the countries present was countering the misuse of commercial spyware.
So we wanted to just bring to your attention a few developments and a few events that we had here that I think are a powerful reflection of the shifts happening in this domain.
The first is that we announced the addition of six new countries to the joint diplomatic statement that we first unveiled a year ago at the second Summit for Democracy. This joint statement, which is the first of its kind, outlines a shared vision of the threat posed by the proliferation and misuse of commercial spyware, and outlines both individual and collective actions that governments are prepared to take.
And at the summit, in remarks that Secretary of State Antony Blinken provided, he announced that six new governments — Finland, Germany, Ireland, Japan, the Republic of Korea, and Poland — have also joined the joint statement, which now means that the coalition has grown to 17 likeminded governments that are focused on countering the proliferation and misuse of commercial spyware.
The Secretary of State also held a photo with representatives from the joint statement countries, including the new countries. And the United States also hosted a signature side event at the conference, the only one today during the ministerial portion of the Summit for Democracy, where we held a panel with four representatives from different parts of — there’s essentially four different stakeholders in this area, including a journalist who was a target of commercial spyware — his name is Ricardo Avelar from El Salvador; a reporter from Lebanon, Alia Ibrahim, who was part of the founding group of reporters around the Pegasus files from 2021; representative from the investor community, Jamil Jaffer, from Paladin Capital Group. After, they and several other investors outlined voluntary principles and commitments around the responsible use of trusted capital. And we also had Shane Huntley, the head of Google’s Threat Analysis Group.
And they all outlined work happening in their respective domains that are all converging now, a year since the last Summit for Democracy, where all of these different stakeholder groups are all rowing in the same direction in both recognizing the risks and the threats posed by the misuse of commercial spyware, but also recommending concrete actions that are aligning between all of these communities.
We also had, in a very powerful set of remarks, the Polish Deputy Minister of Foreign Affairs speak at the end of the event, explaining why Poland, since they are wrestling with the fallout of commercial spyware use within their own country, are signing on to the joint statement. And it was both moving and powerful to see the Deputy Foreign Minister outline the reasons why Poland is both committed to the principles outlined in the joint statement, but also noted that he heard echoes of what his country has gone through in what some of the panelists outlined during the preceding panel.
And finally, what we would also emphasize, as we thought today was also a powerful reflection of concrete action that the United States has taken, including recent steps, like a visa ban policy that the Secretary of State announced a few weeks ago and U.S. financial sanctions that the U.S. Treasury Department imposed on a number of commercial spyware vendors and two individuals — demonstrate that there’s growing momentum in this space but also that there’s more room for collective action. And this will be a focus of ours moving forward.
So I’ll pause there.
MODERATOR: Thank you. For anyone who would like to ask any questions, please raise your hand and I will start calling on folks in quick order here.
First up, we’ll go with Chris Bing. I am going to — you should be able to unmute yourself here.
Q Thanks for the update. And good luck on your trip to South Korea.
Yeah, I just wanted to ask, I guess, a few questions. First, what is the feedback that you’ve been receiving from other Western nations in terms of some sort of agreed-upon framework when it comes to exportation of spyware? Are countries eager to put something in paper? In the past, it’s been hard to get to a combined agreement or even framework due to how these tools are used for law enforcement purposes as well.
And then the second question I wanted to ask you was: To what degree is the NSC and the administration looking at controls or the issue of the exportation of exploit code by American developers overseas to some of these companies? This is a component of the ecosystem that isn’t talked about very much but there is still sale of exploits and zero days from American researchers abroad. Thank you.
SENIOR ADMINISTRATION OFFICIAL: Thanks, Chris. So, first, I would note that, you know, the joint statement outlines a series of steps that governments that sign on should be looking to take both individually, including with regard to export controls, as well as collectively.
You may have seen that among the countries that have signed on, Ireland also joined. And Ireland also put out a statement today, in case you haven’t seen, explaining their commitment to adhering to this. And this was done in recognition of the fact that a number of spyware vendors have sought to use Ireland as a place — essentially as a financial pass-through for some of their activities. And you may have seen that the Treasury Department actually placed two entities that were domiciled in Ireland — placed financial sanctions on them just a couple of weeks ago.
So I think what we’re trying to do is very deliberately build out a group of likeminded countries, including some in Western Europe but also beyond that. So, you know, I think notable that we have Japan and the Republic of Korea that have also joined the statement. And this is going to allow us to actually begin those conversations and to grow the number of countries.
We’re actually going to be convening all the joint statement countries tomorrow, during the second day of the summit. This will be the first in-person convening where we’re going to be talking exactly about these steps that we can take and the lessons learned to see if we can galvanize more collective action.
On the second issue regarding the exploit market, what I will say is that the United States actually joined and signed on to something called the Pall Mall Process, if you’re familiar with it, that the UK and France initiated, which is a recognition that there are a broader set of issues that we also want to begin looking at addressing.
One thing, though, that we’ve been very clear about is we want to make sure that we are able to take concrete and impactful measures. And we have been able to do so with regard to the commercial spyware vendors themselves, but we are looking at what impactful actions we might be able to take in other domains, but to do it in a collective fashion, which is why we are having those conversations with some of our partners through this Pall Mall Process.
MODERATOR: Thanks, Chris. Again, if anyone would like to ask any questions, please raise your hand and I’ll be able to unmute you. Thanks.
All right, if we don’t have any additional questions — oh, Chris Bing from Reuters. If you’d like to do a follow-up, that’s —
Q Yes, that’d be great. I’m happy to keep it going.
Two things that are interrelated. One, is there any representation — I haven’t seen the full list of representative countries, but is there any representation from the Gulf, from Israel or India? The first question.
And the second is: Have you had a chance to speak with some of the large vendors, specifically Google and Apple, while working on policy? It’s our understanding that Apple is looking at changing how it does its threat notifications, so to victims who have been targeted with spyware in the aftermath of an angry response that they received from the Indian government. And we could see changes to that notification process as soon as this week. And so I wanted to get your take on that if you’re tracking at all.
SENIOR ADMINISTRATION OFFICIAL: Sorry, can you clarify? So what are the changes that you’re noting?
Q Yeah. So, in particular, the Apple threat notification process. I’m sure you’re familiar with it. Typically, the message that one would receive after they’ve been targeted and Apple was aware, it would say that you had been a target of state-sponsored hacking. That — there will be a change in edit, which cuts out “state-sponsored,” in response, it is our understanding, to the anger that Apple faced by the Indian government following their last round of notifications.
SENIOR ADMINISTRATION OFFICIAL: Yeah, so on that note, I can’t speak, obviously, to what Apple may or may not be doing. What I can say is that, you know, we had a representative from Google on our panel who spoke very powerfully about the effort by his company and others in this space to identify and expose commercial spyware misuse. And in particular, he cited work done — published in our recent report you would likely have seen by the threat analysis group at Google.
And this was a common theme, essentially, that, you know, dogged reporting, civil society work, and tech companies are all committed and working to identify and expose commercial spyware misuse, which I think is going to be a feature moving forward. We highlighted, for example, the fact that leading philanthropies are donating — have identified money for civil society organizations to continue their work, including donations in part provided by Apple. So you may have seen the Ford Foundation announce a $4 million donation a couple of weeks ago. So that was something that was also highlighted.
And, you know, the notifications provided by Apple and others are vital, and they have informed a lot of our work and work by groups around the world. But I obviously can’t speak to any changes that may or may not be happening.
Your first question again, if you don’t mind?
Q Yeah, not a problem. I have not seen the full roster of countries that are engaged in the Democracy Summit or in some of these spyware conversations recently, and I asked if there had been representation from Gulf countries, India or Israel.
SENIOR ADMINISTRATION OFFICIAL: Yeah, so both India and Israel did have representatives at the summit.
Q Okay. Great. Thank you.
SENIOR ADMINISTRATION OFFICIAL: (Inaudible.) Sorry, in the ongoing summit. Yeah.
MODERATOR: All right. Next up, we’re going to go to Lorenzo from TechCrunch. You should be able to unmute yourself.
Q Hi, everyone. Thank you for doing this. You briefly mentioned that Paladin Group and other investor groups are involved in this process. Can you expand a little bit about that? Like, what are they committing to?
SENIOR ADMINISTRATION OFFICIAL: Sure. And obviously, I would point you to Paladin. And I think our press team might be able to connect you with their representative, Jamil Jaffer.
But Paladin and several others — investors — came to the White House a couple of weeks ago and outlined for us voluntary principles and commitments regarding trusted capital and the investment of trusted capital in a variety of technology domains that include — and a big feature of the conversation with them was on commercial spyware but also AI, cybersecurity.
So Mr. Jaffer was on the panel as well. And for us, it was an important first step in having an investor outline both the recognition that investments should not be going towards companies that are undertaking or selling products and selling to clients that could undermine free and fair societies, but also a recognition that the U.S. government is not prepared to do business with companies, through our executive order, that are engaged in selling products that could pose a counterintelligence threat on the one hand, but also can enable human rights abuses around the world and threaten the privacy of Americans.
So they have put out these voluntary principles that we can point you to.
MODERATOR: Thank you. Next up, we’ll go to Rishi from CNN. Rishi, you should be able to unmute yourself.
Q Hi. I’m actually with Foreign Policy Magazine. I don’t know —
MODERATOR: Oh, I’m so sorry, Rishi. My bad.
Q No, no, that’s fine. I used to work at CNN, so maybe there was some old — something that came in somewhere.
But anyway, thanks for taking my question. My question is: I believe you said 17 countries have signed on between, like, the 11 last year and then 6 more this year. What is your sense — what reasons have, sort of, countries given for joining this?
And can you talk a little bit more about the countries that haven’t joined and what the administration — whether the administration is doing anything to sort of pressure or convince other democracies in particular to sign on to these agreements?
SENIOR ADMINISTRATION OFFICIAL: Thanks for your question. So we’ve actually taken a very deliberate approach to engaging likeminded partners and gradually growing the number of countries that are committed to the commitments in the joint statement. And the reason is that we want to ensure the integrity of this joint statement that it is a vehicle for countries to act, both domestically and collectively, to share information.
And we’re also very conscious that we don’t want it to be, essentially, a statement that can serve to whitewash reputations by countries that may be either misusing the tools themselves or serve as hosts for vendors that enable misuse and human rights abuses.
So that’s why we had initiated deliberate engagements prior to the last Summit for Democracy that ultimately led us to join with 10 others for a total of 11 countries. And we announced it during the second Summit for Democracy. And similarly, since then, we started having careful conversations with a number of countries that ultimately led us and led these six — so, Finland, Germany, Ireland, Japan, the Republic of Korea, and Poland — to join. And each have different reasons for doing so.
I think the Republic of Ireland — sorry, for Ireland, I would point you to what they put on their website. They posted today, actually, a statement explaining their commitment.
Poland: They have been very clear that in light of the challenges they have faced within their own country, this reinforced their desire to be part of a coalition looking to counter the misuse because they have seen the effects — kind of the corrosive effects within their own society and their own political system of the misuse of spyware.
And in that, I would — you know, I’d obviously point you to the other countries, but I think there is what is an increasing shared understanding that the unregulated spread of these really sophisticated tools can have corrosive effects domestically but also can create longer-term problems if they’re not regulated within particular countries.
So I think as a result, we have this kind of shared understanding that we are now growing over time. And it is quite remarkable: If you look back two years ago, there was nothing of the sort. You know, over the past two years, we have built a coalition that, again, is very careful, very deliberate, and I think is reaffirmation that — sorry, an affirmation that we are building momentum in this space.
Q Thanks. Just a real quick follow-up.
MODERATOR: Last question we’ll have Jonathan from The Record. Jonathan, you should be able to unmute yourself.
Q Hi. CNN reported last night that there’s a new batch of U.S. government officials who have been hit with spyware. Could you talk about that? And is it more than 10? Is it a handful? And how long ago were these people targeted with spyware?
SENIOR ADMINISTRATION OFFICIAL: Hey, Jonathan. Unfortunately, I’m not able to speak to that. What I can tell you, though, is that beginning two years ago and ever since, we have been very focused on understanding the extent to which U.S. personnel and their family members may be targeted by commercial spyware. And that’s based on a recognition that governments that acquire this sort of sophisticated surveillance technology more likely than not will first use it against their own populations but, secondarily, may use it against diplomats and others from the United States or other governments, either to surveil them or also to understand who from their own societies are talking with these diplomats in their country.
So, all I can say is that we are intensely focused on better understanding the extent to which U.S. government personnel and their family members may be targeted.
MODERATOR: All right. Thanks, [senior administration official]. Everyone, this is all the time we have today. If you have any follow-up questions, don’t hesitate to ask.
As a reminder, this call was on background, attributable to senior administration officials. Thanks so much for joining us.
9:24 A.M. EDT