Shaping the global spyware market: Opportunities for transatlantic cooperation
The United States and its allies can do more to improve their position on spyware. Further policy action should, through greater collaboration with marketplace operators and allies and partners, work on furthering the development of norms and common understanding of what spyware can and cannot be used for.
On March 2, 2023, the Biden Administration published the US National Cybersecurity Strategy detailing its cyber priorities. Three weeks later, the United States released an Executive Order limiting United States Government (USG) procurement of spyware. The strategy and the order single out commercial spyware as among the most strategically difficult cyber risks to mitigate. Both documents propose that US purchasing power will be a driving factor in setting the global trajectory of the commercial spyware market, and the order sets out ways to scrutinize the behavior of vendors of this spyware by calling out its misuse by foreign entities. However, there is a disconnect between the strategy and the order: what is the role of the United States’ allies and partners?
What allies and partners can extract from the order is how the United States plans to implement its strategy regarding spyware. The order draws on key elements of the strategy, as outlined in Pillar 2: DISRUPT AND DISMANTLE THREAT ACTORS. A consistent narrative exists in both documents – that malicious foreign governments (threat actors) have used spyware purchased from this market for improper purposes, such as intimidating political opponents, suppressing journalists, and other human rights and national security violations. The order also draws on the strategy’s Pillar 3, SHAPE MARKET FORCES TO DRIVE SECURITY AND RESILIENCE, situating US government purchasing power as the central approach to reshaping this spyware market. The order does this by limiting the ability of US government entities to procure spyware produced by foreign vendors and by creating a reporting regime for each agency.
While the ability to shape markets is a strength of the US government, the overt emphasis on purchasing power alone reduces the potential influence and impact of the order: it ignores other market-driving incentives, disregards the role of non-state actors or middlemen in shaping this market, and overlooks the critical role of US allies, especially those in Europe, who are actively engaged on these same issues. While emphasizing foreign action as a driving force of proliferation, the order limits its actions and recommendations to the US government, ignoring ally and partner cooperation. Future guidance should draw on the EU PEGA Committee’s findings, which include robust member state analysis of Pegasus spyware utilization for a variety of purposes, to create more comprehensive and transatlantic policy solutions for a global commercial spyware market. Pegasus is a widely known and abused spyware sold by NSO Group that has been purchased by state and non-state actors across the globe to infect devices, without the user’s knowledge, and extract data.
Further, by focusing on restricting US persons and organizations from procuring spyware, the order implies that the driver of spyware abuse is foreign vendors. This bypasses other crucial stakeholders, such as brokers. The order would have been stronger if it had included parameters on how democracies can use spyware in a responsible manner. This is a future area where the US and its allies and partners can collaborate, especially those states that signed on to the recent joint statement, which recognized the threat of commercial spyware misuse and the necessity for increased controls on the technology.
The order leaves room for interpretation and disconnects the US policy discussion from what is ongoing in Europe. This abdicates a crucial leadership role to shape this international market for spyware and limit its proliferation, especially since the EU has wrapped up its PEGA Committee findings, which recommended, among other things, that member states accused of abusing spyware should undergo thorough investigations by the European Court of Justice, the European Court of Human Rights, and Europol before engaging in spyware use again. Contributing to this missed opportunity, and inconsistency, is the order’s vague treatment of what is prohibited, what is allowed, and where the grey areas in between lie in the market for spyware. The intention of the order appears to be to shape market forces to limit spyware abuses; however, the swath of exceptions that allow federal agencies to circumvent procurement restrictions[1] hinders enforcement here. This ambiguity leaves allies and partners looking to create similar models independently of US input.

[1] The Executive Order reads: “The prohibitions contained in this section shall not apply to the use of commercial spyware for purposes of testing, research, analysis, cybersecurity, or the development of countermeasures for counterintelligence or security risks, or for purposes of a criminal investigation arising out of the criminal sale or use of the spyware.” The range of exceptions in broad categories like “research” and “cybersecurity” could produce a wide range of exceptions to the limitations of the order.
The United States and its allies can do more to improve their position on spyware. Further policy action should, through greater collaboration with marketplace operators and allies and partners, work on furthering the development of norms and common understanding of what spyware can and cannot be used for. This will shape the definitions of spyware and the structure of the market to work towards decreasing the proliferation of commercial spyware that is a threat to human rights, national security, and other democratic interests.
This article was originally published in Italian in Formiche 191 (May 2023) and has received permission for republication in English. The article has since been revised to reflect that the European Union’s Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware has since released its findings.
The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.