The US and 10 other countries on Thursday issued a major anti-spyware declaration, which was the first of its kind. US President Joe Biden on Wednesday signed an executive order banning spyware from the US federal government.
Although neither announcement specifically named Israel, in a media briefing by a top US administration official, NSO Group was repeatedly discussed, and a recent US think tank report claimed that Israeli spyware (including multiple groups) has conquered a significant majority of the global spyware market.
The Jerusalem Post has learned that some of the groups on the list continue to use commercial Israeli spyware, and their commitment may be more nuanced in terms of defining what is the misuse of spyware and what it means to use spyware legally.
Until now, countries have been hesitant to take a clear stand against spyware due to many countries’ intelligence and law-enforcement agencies needing such tools to fight terrorism, organized crime and drug lords.
This new statement could usher in a new more aggressive crackdown on spyware, which could heavily impact Israel’s cyberattack sector, which has already taken some blows since NSO and other Israeli firms were put on the US Commerce Department’s “blacklist” in late 2021.
The statement said Australia, Canada, Costa Rica, Denmark, France, New Zealand, Norway, Sweden, Switzerland, the United Kingdom and the United States all “recognize the threat posed by the misuse of commercial spyware and the need for strict domestic and international controls on the proliferation and use of such technology.”
“Commercial spyware has been misused across the world by authoritarian regimes and in democracies,” it said. “Too often, such powerful and invasive tools have been used to target and intimidate perceived opponents and facilitate efforts to curb dissent; limit freedoms of expression, peaceful assembly, or association; enable human rights violations and abuses or suppression of civil liberties; or track or target individuals without proper legal authorization, safeguards, or oversight.”
“The misuse of these tools presents significant and growing risks to our national security, including to the safety and security of our government personnel, information, and information systems,” it said.
“We therefore share a fundamental national security and foreign policy interest in countering and preventing the proliferation of commercial spyware that has been or risks being misused for such purposes, in light of our core interests in protecting individuals and organizations at risk around the world... We are committed, where applicable and subject to national legal frameworks, to implementing the Guiding Principles on Government Use of Surveillance Technologies and the Code of Conduct developed within the Export Controls and Human Rights Initiative,” the statement said.
In addition, the declaration said the nations would take concrete steps to push back on spyware’s marketability by “working within our respective systems to establish robust guardrails and procedures to ensure that any commercial spyware use by our governments is consistent with respect for universal human rights, the rule of law, and civil rights and civil liberties.”
The countries commit to preventing export of software
The declaration committed to “preventing the export of software, technology, and equipment to end-users who are likely to use them for malicious cyber activity, including unauthorized intrusion into information systems, in accordance with our respective legal, regulatory, and policy approaches and appropriate existing export control regimes.”
The countries said they would engage in “robust information sharing on commercial spyware proliferation and misuse, including to better identify and track these tools,” and work “closely with industry partners and civil society groups to inform our approach, help raise awareness, and set appropriate standards, while also continuing to support innovation.”
They concluded by saying they would engage “additional partner governments around the world, as well as other appropriate stakeholders, to better align our policies and export control authorities to mitigate collectively the misuse of commercial spyware and drive reform in this industry, including by encouraging industry and investment firms to follow the United Nations Guiding Principles on Business and Human Rights.”
As much as the declaration stood out as a new level of confronting spyware, the majority of EU countries and democratic countries worldwide did not join the initiative.
It was unclear if this meant that these other countries want to continue to use commercial spyware with less oversight or have other reasons, but countries such as Poland and Hungary, which have been widely reported to have used Israeli spyware, did not sign on. Some other influential European countries not listed include Germany, Italy, Spain, Belgium and the Netherlands.