The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

How the Biden administration wants to tackle foreign commercial spyware

Welcome to The Cybersecurity 202! It’s the season finale of “Andor” tomorrow. I finally got hooked for good with Episode 10.

Below: A U.S.-funded news agency says it was hacked, and a cybersecurity start-up gave product trials to spyware firms. First:

An executive order and more is in store for spyware fight

The Biden administration is preparing to roll out policy initiatives to combat commercial foreign spyware, including an executive order to limit whether and how the federal government can use it.

In a letter to Rep. Jim Himes (D-Conn.) and other House Intelligence Committee members last week, Biden officials said the executive order would “prohibit U.S. Government operational use of commercial spyware that poses counterintelligence or security risks to the United States or risks of being used improperly.” The order could come as soon as early next year – and at a time when NSO Group’s Pegasus spyware is at the center of investigations by reporters and researchers, drawing calls for action from the United States.

Plans for that order have previously been reported, but there have been questions about what it might look like. A senior administration official, speaking on the condition of anonymity to discuss plans still under deliberation, provided me with more details about the administration’s intentions.

The executive order is a response to reports on spyware providers’ attempts to sell to the federal government and spyware abuse abroad, the official said. And there was a “recognition that there was no regulation within the U.S. federal government on how to address these tools,” they said.

  • “That raised for us the need to impose certain restrictions and certain guidelines for the federal government,” the official said.
  • The official acknowledged two risks. Spyware tools could be misused to target U.S. government personnel, U.S. government systems and information. But they could also be misused abroad. “That would undercut the U.S. government’s national security interests, would be reputationally damaging were the United States to be associated with that type of tools,” the official said.
  • House-passed legislation would authorize Director of National Intelligence Avril Haines to ban contracts with such firms, but that ban would only apply to intelligence agencies. Himes said last week, however, that the legislation has run into trouble over congressional turf disputes, leaving its fate unknown. The official told me that the Biden administration’s executive order would pertain to the entire federal government.

A key question is whether there are any spyware vendors that don’t pose “counterintelligence or security risks to the United States,” which the letter said the ban would apply to. “We would have to see in its application,” the official said. “Right now, the companies that are most well-known in public are the ones that have taken steps that would be contrary to these parts of the executive order.”

More than just an order

Last week’s letter — written by Susie Feliz, assistant secretary for legislative and intergovernmental affairs at the Department of Commerce, and Naz Durakoglu, assistant secretary for legislative affairs at the Department of State — came in response to a request by Himes and fellow House Intelligence Committee members for the administration to take additional measures in response to the spyware threat.

Himes has noted that the letter’s caveats could leave the door open to spyware use.

  • “What I read there is, ‘Generally speaking we want to come down hard on this stuff, but we want to leave the door open for something and somebody,’” he said at an event last week hosted by the Center for a New American Security think tank, shortly after receiving the letter. “What they’re very clearly not saying is there should be an operational ban on the part of the U.S. government with respect to any of this technology.”

That letter, in turn, followed a rare public hearing on how foreign governments have used spyware to snoop on dissidents and even U.S. diplomats. Lawmakers also were inspired to hold the hearing after reports on the FBI’s exploration of a contract with NSO Group, the most well-known spyware maker. The New York Times’s Mark Mazzetti and Ronen Bergman expanded on that reporting last week.

Separately on Monday, the Justice Department said the Supreme Court should not grant a request from NSO Group that it be given immunity in a suit brought by WhatsApp and parent Meta over allegations that the company targeted its users. Here’s David Kaye, a law professor at the University of California at Irvine who previously served as U.N. special rapporteur and examined the growing surveillance industry:

In his letter, Himes also called on the administration to withhold U.S. tax dollars from nations that have used foreign commercial spyware to eavesdrop on U.S. citizens and residents, to publicly detail any instances of spyware being used against U.S. diplomats and to “reach an understanding to ban the use of foreign commercial spyware” at its forthcoming Summit for Democracy.

The administration is working to identify such spying on U.S. diplomats, and the State Department plans to present “Guiding Principles on Government Use of Surveillance Technologies and Subsequent Data Generation, Management, and Use” at the 2023 summit, the response letter states.

It’s too early to say whether the United States will forbid tax dollars from going to nations that use spyware on U.S. diplomats, or whether it will publicly detail such incidents, the senior administration official said, but they also did not rule it out.

“We’re working to understand the full extent,” the official said. “We’re going to devise a policy response based on that as we learn more.”

The time frame

The administration is targeting the first quarter of 2023 for the executive order, the official said. It’s planning a series of other actions around the same time, such as implementing congressionally ordered restrictions on former intelligence officials who seek work with foreign governments and companies, including foreign commercial spyware providers.

But it’s only a goal, one that requires working through the interagency vetting process and other steps that are “important for due diligence reasons,” the official said.

That being said, it looks like everyone is on the same page, the official said. “I don’t want to speak too soon. I’m sure there will be efforts around the edges to address particular concerns by particular agencies,” the official said. Referring to the response to Himes and his fellow committee members, “This letter can’t be sent out without approval by various departments and agencies.”

The keys

U.S.-funded Asia news agency discloses hack

Nearly 3,800 people were affected by the cyberattack, which may have exposed Social Security, driver’s license and passport numbers, as well as addresses, medical and insurance information, and “limited financial information,” Radio Free Asia (RFA) disclosed to Maine’s attorney general in an incident that hasn’t previously been reported. It said it detected the cyberattack in June, around 11 days after it occurred.

RFA, which said in a letter that it has found “no evidence Information has been misused,” reports on Asia news. RFA is funded by the U.S. government through the U.S. Agency for Global Media (USAGM) but is private and independent. Its reporters have written about important stories like China’s repression and imprisonment of Uyghurs.

A “service provider’s vulnerability, unknown by RFA at the time of the compromise,” was exploited by a hacker, RFA said in the letter. RFA opened an investigation after it “became aware of the Incident within our email system which indicated unauthorized access to a limited number of servers.” It is working with law enforcement, changed passwords and moved to a “new cloud-based email environment,” it said in the letter.

RFA spokesperson Rohit Mahajan said in a statement that the news agency “has not received any communication from the unauthorized actors.” He also said the agency notified law enforcement and government agencies including USAGM, the Cybersecurity and Infrastructure Security Agency and Congress. Mahajan declined to provide technical information about the breach, citing the news agency’s “ongoing efforts to protect our environment.”

Cybersecurity start-up Corellium gave product trials to surveillance firms

Corellium sells software that lets its clients find vulnerabilities in iPhone software. A document apparently prepared by Apple for use in a lawsuit against the company said the firm “offered or sold its tools to controversial government spyware and hacking-tool makers in Israel, the United Arab Emirates, and Russia, and to a cybersecurity firm with potential ties to the Chinese government,” Wired’s Lorenzo Franceschi-Bicchierai writes. The document includes emails between Corellium staff and employees from NSO Group and DarkMatter. The emails with NSO appear to show Corellium offering the firm an invitation to try the software; DarkMatter asked for a quote in its emails, Franceschi-Bicchierai reports.

Apple, which apparently prepared the document obtained by Motherboard, settled a copyright case against Corellium last year. But Apple has appealed another part of the case.

Corellium told Wired that NSO and DarkMatter got access to “a limited time/limited functionality trial version of Corellium's software” but were denied requests to purchase the technology after being vetted.

  • Corellium chief executive Amanda Gorton said in a statement on the company’s website that it vets potential clients and it has “had opportunities to profit from these bad actors and have chosen not to.” Gorton said firms like NSO and DarkMatter “received automated invites for trial accounts” in 2019, but they didn’t become Corellium customers. Gorton also touted the court’s dismissal of part of the Apple court case.

Global cyberspace

US, Estonian authorities arrest two over $575 million cryptocurrency fraud (The Record)

Cyber insecurity

The long, lonely wait to recover a hacked Facebook account (Tatum Hunter)

Hackers steal $300,000 in DraftKings credential stuffing attack (Bleeping Computer)

Government scan

CISA seeks information for potential cyberthreat intelligence platform (NextGov)

IG dings State Department's information security program in annual report (FCW)

Secure log off

Thanks for reading. See you tomorrow.