As the commercial spyware market explodes, the security industry and the U.S. government alike are exploring a number of ways to curb the sale and usage of surveillance tools.
However, they face an array of challenges. Though spyware tools violate privacy and human rights, they are used widely by law enforcement, intelligence and government agencies - even reportedly by the U.S. government itself - and it’s difficult to contain something at such a global scale. At this point there are also more and more companies offering up spyware tools and capabilities. Privacy experts describe a “whack-a-mole” situation where, even if one company is blacklisted, sued or otherwise, there are numerous others with the same offerings.
In its latest move against spyware on Tuesday, the U.S. government added two entities - Intellexa and Cytrox - to the Department of Commerce’s export control list “for trafficking in cyber exploits used to gain access to information systems, thereby threatening the privacy and security of individuals and organizations worldwide.” Intellexa and Cytrox (which, according to Cisco Talos, is owned by Intellexa) are known for providing law enforcement and intelligence agencies with the Predator spyware, which has various information stealing, surveillance and remote-access capabilities.
The export control listing is one way the U.S. government is trying to crack down on spyware. In order to export software or hardware to entities on this list, U.S.-based companies must apply for a license from the Department of Commerce’s Bureau of Industry and Security - and, based on the license review policy, they will likely be denied. Cisco Talos researchers, who have previously analyzed the Predator spyware, said that the news is “an important step” in curbing spyware.
“This decision prevents these companies from acquiring exploits used to deploy their spyware - which is the more volatile component of the whole spyware ecosystem,” said Nick Biasini, head of outreach and Vitor Ventura, lead security researcher with Cisco Talos. “Every time a patch is released for iOS or Android platforms, an exploit becomes useless pretty quickly depending on how fast users apply the updates. Most notably, this decision shows the will and action by the Biden administration against those that have shown willingness to abuse these technologies against their own citizens, activists and dissidents.”
“Most notably, this decision shows the will and action by the Biden administration against those that have shown willingness to abuse these technologies against their own citizens, activists and dissidents.”
The Biden administration has previously blacklisted NSO Group and a company called Candiru due to “evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.”
NSO Group is one of the more prolific and infamous spyware firms and has been exposed by numerous security researchers for selling the Pegasus commercial spyware to customers to install on target devices. Starting in 2021, NSO Group faced several financial and reputational struggles brought on in part by the U.S. blacklisting and also in part due to lawsuits by Meta and Apple.
The blacklisting of Intellexa and Cytrox is one of the first moves to be made by the Biden administration after it released an executive order that prohibits U.S. government use of commercial spyware. Privacy experts say that the executive order is another good way of putting pressure on spyware firms - however, the details in how the plan is executed are critical.
“The executive order - if it really worked and they were really limiting government use of spyware - it would be great,” said Cindy Cohn, executive director of the Electronic Frontier Foundation. “Their problem right now is implementation, because we keep finding out more and more law enforcement at the federal level or agencies or pieces of the federal government are using spyware.”
Ultimately both these efforts are still limited in how they tackle the issue of spyware. The Executive Order applies primarily to agencies within the federal government. And while export controls restrict the export by U.S. companies of technology to these foreign firms, this still has a limited impact on the companies as their developers are located abroad and can search elsewhere for hardware and software used to develop their products. Intellexa and Cytrox operate in multiple countries including Greece, Hungary, Ireland and North Macedonia, for example.
“We've seen over and over that no government can be trusted with this tool.”
Riana Pfefferkorn, a research scholar at the Stanford Internet Observatory, said she is “not convinced that this whack-a-mole approach will keep spyware attacks at bay.”
“It's been heartening to see the impact that sanctions and other measures by the U.S. and other authorities have had on NSO Group,” said Pfefferkorn. “But blacklisted entities can simply disband and reorganize (often under another country's flag), and meanwhile, other spyware sellers continue operating unless and until they're sanctioned too. So when one entity runs into rough waters, their customers - oppressive governments, and even supposedly democratic ones, around the world - can simply shift to a different seller.”
One other aspect of spyware that’s not being addressed by these solutions? The victims, said Cohn. These have often included activists, journalists, dissidents and others.
“We have a range of things we do [addressing] other things that hurt people, and we should open up that toolbox,” said Cohn. “Export restrictions really are only looking at certain things, they’re very limited… we could do a lot more to make it harder to get a hold of these tools and limit their purposes.”
Lawmakers have called on the U.S. government to additionally impose financial sanctions on spyware companies, which would also clamp down on U.S.-based investors that these surveillance companies depend on. Financial sanctions would also specifically target CEOs and senior executives associated with these companies by adding them to the Specially Designated Nationals list, blocking their assets and prohibiting U.S. citizens from conducting business with them.
“It's time for global action regulating when and how these tools can be leveraged with oversight and consequences for abuse.”
However, beyond the confines of the U.S. there needs to be better international alignment against spyware. Many privacy experts, such as David Kaye, a former United Nations special rapporteur on freedom of expression, have advocated for a more drastic approach: A complete global moratorium on selling, transferring or using spyware, for instance.
“We've seen over and over that no government can be trusted with this tool; it invariably and inevitably leads to abuse, despite spyware sellers' weak assertions that they cut off customers who misuse their products,” said Pfefferkorn. “Once the deed's been done, it's cold comfort to the victims that the same government won't be able to use that tool anymore.”
Whether through U.S. measures or through international efforts, security experts agree that there needs to be better oversight and accountability when it comes to spyware. This is especially true as the commercial spyware market is growing at a rapid pace, and even if entities like NSO Group and Intellexa are impacted by certain measures, other organizations - like the recently disclosed Quadream - continue to pop up.
“Right now, these tools can be abused by any country, against any target they choose with little or no oversight,” said Cisco Talos’ Biasini and Ventura. “Taking a piecemeal approach where each country applies their own rules and regulations is riddled with pitfalls and caveats where certain countries will always skirt what is considered ethical. It's time for global action regulating when and how these tools can be leveraged with oversight and consequences for abuse.”