President Joe Biden signed an executive order today banning government agencies from using commercial spyware deemed to present a national security risk to the United States.

The order imposes a ban on agencies using such commercial tools “when they determine, based on credible information, that such use poses significant counterintelligence or security risks to the United States government or that the commercial spyware poses significant risks of improper use by a foreign government or foreign person.”

For the purposes of the executive order, the definition of risk includes commercial spyware that may pose counterintelligence or security risks when a foreign government or person has used the software to gain or attempt to gain access to U.S. government computers.

Also banned is software from vendors that maintain, transfer or use data from spyware without authorization from the end-user or the U.S. government, has disclosed or intends to disclose nonpublic government information, is under the direct control of a foreign government or person engaging in intelligence activities against the U.S government, or may pose a risk of improper use by a foreign government or person.

Upon signing the statement, administration officials told the media that the ban was imposed partly because about 50 U.S. government personnel in at least 10 countries were infected or targeted by such spyware, although no further details were provided.

The Wall Street Journal reported that senior administration officials also said the order is intended to grapple with the rapidly growing international marketplace of cyber intrusion tools that can break into someone’s phone — often with malware that doesn’t require a victim to click on a malicious link or attachment.

There are likely multiple companies that provide such services, but there’s one very well-known company infamous for being able to hack phones with no user input: Israel’s NSO Group. The mention of government personnel being hacked also points to NSO, whose Pegasus software was allegedly used to hack State Department employees based in Uganda in 2021.

The fact that officials didn’t name NSO is surprising, given that parts of the U.S. government haven’t been shy in targeting the company before. The Department of Commerce announced sanctions against NSO in November 2021, saying that the company provides spyware used by foreign governments to target government officials, journalists, businesspeople, activists, academics and embassy workers maliciously.

Although the executive order bans the general use of spyware tools such as those from NSO, commercial spyware can still be purchased with approval on a case-by-case basis. Vendors that find themselves banned through relationships with foreign governments can be considered again if they cancel licensing agreements with governments known to violate human rights.

Photo: Gage Skidmore/Flickr