Lawmakers tee up efforts to keep spyware off troops' devices
The compromise 2025 defense policy bill would mandate security standards, reporting, and more.
The U.S. government’s must-pass defense policy bill includes a measure that aims to shield U.S. troops and diplomats from ensnarement by commercial spyware programs.
The provision, slotted into the $895.2 billion National Defense Authorization Act for the fiscal year that began Oct. 1, seeks to secure U.S. government-issued devices used by diplomats, armed forces personnel, and staffers in the U.S. Agency for International Development.
The compromise bill, which is expected to come before the full House and Senate within weeks, would require the establishment of cybersecurity standards, a review of past spyware compromises, and regular reporting to Capitol Hill on incidents involving spyware, including assessments of security impacts and identification of responsible foreign entities.
Spyware—that is, software surreptitiously planted on victims’ devices to, say, surveil their movements and capture private communications—has become a common tool of governments. At least 74 nations are known or suspected to have contracted with spyware providers to surveil troops, diplomats, journalists, politicians, or dissidents.
Within 120 days of the NDAA’s enactment, the Secretary of Defense and relevant agencies must develop cybersecurity standards, guidance, and best practices to prevent device compromises. The secretary must also review instances from the past two years where spyware breaches might have disclosed sensitive information.
The bill would require the Pentagon to send a summary—potentially classified—of these measures and past incidents to the appropriate congressional committees.
The Defense Department would also be required to notify Congress within 60 days of discovering a major compromise, including such details as the location of compromised personnel, the number of affected devices, and an assessment of national security damage resulting from data loss. The notification should also identify, where possible, the foreign governments, firms, or individuals responsible for or benefiting from the breach.
And, starting one year after the NDAA is passed, the DOD must submit an annual report to Congress for the next five years about previous incidents involving relevant devices compromised by spyware.
Spyware is stealthily installed on victims’ devices, oftentimes through exploiting software vulnerabilities or tricking users into clicking malicious links. Once embedded, it operates silently in the background, intercepting communications, tracking locations and extracting sensitive data without the victim's knowledge.
Devices infected with spyware often exhibit noticeable lag and high temperatures, a sign that the program is eating up processing power and draining the battery as it covertly performs data extraction and surveillance tasks.
The State Department is leading an international effort to deter global spyware abuses. It encourages participating nations to impose domestic and international controls on spyware makers and their investors.
The U.S. argues that spyware abuses threaten privacy and freedoms of expression, and that targeting individuals with such tools has been linked to arbitrary detentions, forced disappearances and extrajudicial killings.
Several current and former U.S. officials and lawmakers have been targeted by the cyber surveillance tools.
Several times this year, State has used new authorities enacted in February that allow the U.S. to impose visa restrictions on individuals involved in surveillance tech abuses.
But American law enforcement has also engaged with spyware companies. The FBI in 2022 confirmed that it had tested a surveillance offering from NSO Group, a well-documented Israeli spyware provider, for use in criminal investigations. At the time, the agency said the license was not used in a real scenario.
Recent court records from ongoing litigation between NSO Group and WhatsApp revealed that the Israeli cyberspying company handles the installation and data extraction process for its surveillance software, rather than delegating those actions to its government clients. NSO, which was blacklisted by the U.S. earlier in the decade, infected some 1,400 WhatsApp users in 2019, accompanying court documents allege.
NSO’s flagship Pegasus spyware might be hiding on more phones than assumed, according to research from iVerify released last week. The study scanned 2,500 devices and uncovered seven infections.
The Biden administration is also reviewing a $2 million contract between Immigration and Customs Enforcement and Paragon Solutions, another Israeli spyware firm, amid concerns that the deal violates terms set out in a spyware executive order issued last year, WIRED reported in October.
Spyware development is largely fueled by the private sector. Google findings released earlier this year show industrial spying technology vendors have built a lucrative business selling their products to governments.