The Executive Order on Commercial Spyware: Implications and Prospects

By Rohit Kumar Sharma

Published 5 June 2023

The growing national security threat from misuse of commercial spyware is increasingly being recognized. The US has been taking the lead in addressing the growing menace of unregulated spyware companies and the proliferation of intrusive tools. The Biden administration’s latest Executive Order will ensure that commercial spyware firms will be subjected to unprecedented scrutiny.

On 27 March 2023, President Joe Biden signed an Executive Order (EO) banning the United States government from using commercial spyware that poses risks to national security or has been used by foreign actors for human rights abuse.1 The EO makes a case for the ‘responsible’ use of commercial spyware. It also mandates due diligence requirements on all government acquisitions through the Federal Acquisition Regulations (FAR). Vendors are likewise required to exercise due diligence to ensure their technology is not used against US interests or for any of the other purposes listed in the EO.

Measures against the uncontrolled spread of commercial spyware have been in progress for a considerable duration. The EO is the latest decisive step following the series of actions by the Biden administration to deal with the proliferation of commercial spyware. Interestingly, the directive coincided with the Second Summit for Democracy, which endorsed technological advancement for democratic values and principles.2 The US administration’s lead in declaring the unregulated proliferation and misuse of commercial spyware as a national security issue will undoubtedly have positive implications, though its execution could face obstacles.

What is Commercial Spyware?
The measures taken to prevent the misuse of spyware reflect growing apprehension about the use of targeted surveillance by state and non-state actors when it is conducted without adequate oversight or safeguards. The misuse of spyware has long been in the news, and international organizations have thoroughly documented the ways in which this technology has been operationalized for both lawful and unlawful purposes.

Numerous terms are used to describe this growing sector, including ‘cyber mercenaries’, ‘intrusion as a service’, ‘surveillance for hire’ and ‘private sector offensive actors’. This text uses the term ‘commercial spyware’ throughout for consistency, which is particularly fitting as it is the term used in the EO.

According to the National Institute of Standards and Technology (NIST), spyware is defined as:

Software that is secretly or surreptitiously installed into an information system to gather information on individuals and organizations without their knowledge.