US targets 6 to 8 month timeframe for new nations to join spyware pact

The State Department is aiming to add more nations to a U.S.-led pact focused on deterring worldwide spyware abuses within the next six to eight months, the agency told Nextgov/FCW.

Six countries last week joined the year-old alliance that encourages nations to impose domestic and international controls on spyware makers and their investors. More nations were interested in joining, but various complications involved in coordinating with their governments made it impossible to finalize anything by the time of the March 18 announcement, according to the spokesperson, who spoke on the condition of anonymity in order to be candid about the talks.

The six to eight month range is an expected window of time and could be subject to change, they said.

“These weren’t the only six countries we have been engaged with,” the spokesperson said. “I think there’s a broader group … that are like-minded that we were hopeful would join at the summit but didn’t quite get there.” 

The spokesperson declined to name specific nations but noted that all were supportive of the pact’s idea. “Our diplomatic engagements have been very targeted toward a group of like-minded countries that are already close to us on this. When we come to them, we already know we’re most of the way there,” they said.

Spyware — software programs surreptitiously planted on victims’ devices to surveil their movements and capture private communications — has been deployed extensively by governments against journalists, politicians and dissidents around the world.

U.S. officials, including those working abroad for State, have previously been targeted by the technology. The White House last year said foreign governments used spyware to target U.S. personnel, and a senior National Security Council official recently said the number of victims has since increased. High-profile lawmakers who lead foreign affairs and national security efforts in Congress have also been targeted by cyber surveillance tools.

President Joe Biden last year signed a sweeping executive order that prohibits federal agencies from using commercial spyware technologies in ways that enable human rights abuses or compromise national security.

The spokesperson said the complications arose around adding more countries to the list because the specific nations were still working to get their affiliated intelligence and national security agencies to orient their policies with that of the agreement. 

“Most of these countries don’t want to sign the joint statement until they have that whole-of-government consensus,” the spokesperson said. State has made a list of priority countries it wants to add to the list, and has focused less on adversarial nations like those akin to Russia or Iran, they later added.

Some 74 nations have struck deals with spyware vendors, according to U.S. intelligence officials and an analysis released last year from the Carnegie Endowment for International Peace, an international affairs think tank based in Washington.

Spyware development is largely backed by the private sector. A Google analysis released earlier this year shows industrial spyware vendors have made lucrative business selling their products to governments. Earlier this month, the White House convened investors for the first time to warn them about the national security implications of financing spyware ventures. Those investors made voluntary commitments to “guide investments in ways that promote the values of free and open societies,” according to the State Department.

Spyware manufacturers have come under fire for selling their technologies to governments around the world, who have deployed them on targets across the Middle East, Europe and Latin America, among other places.

The State Department in February implemented a policy that would allow the U.S. to impose visa restrictions on individuals linked to commercial spyware abuses. In early March, it unveiled the first iteration of those sanctions, hitting a Greek spyware vendor and its leaders, including a former Israeli government intelligence operative.

That Greek manufacturer, Intellexa, was previously added to a restriction list that prohibits American firms from engaging in certain business activities with them, under justification that it threatens U.S. national security and foreign policy interests.

That move built on the November 2021 addition of NSO Group and Candiru to a federal blacklist, when it was determined the phone hacking tools produced by those companies had been used by foreign governments to target government officials, academics, journalists and others.

The U.S. argues that spyware abuses threaten privacy and freedoms of expression and that targeting individuals with such tools has been linked to arbitrary detentions, forced disappearances and sometimes extrajudicial killings. But American law enforcement agencies have also engaged with such spyware companies. The FBI in 2022 confirmed that it had tested NSO’s Pegasus spyware offering for use in criminal investigations, though it claimed the license was only used for testing and was not applied in a real scenario.