At least 50 US government officials are suspected or confirmed to have been targeted by invasive commercial spyware designed to hack mobile phones, a senior US administration official told reporters on Monday, revealing a far bigger number than previously known.
The revelation came as President Joe Biden on Monday issued an executive order banning US government agencies from using spyware that is deemed a threat to US national security or are implicated in human rights abuses.
Pressure has grown in recent weeks on the administration to do more to curb the use of the hacking tools among fellow democracies following press reports that multiple European governments have used spyware on their citizens. A bipartisan group of US lawmakers wrote to Secretary of State Antony Blinken this month urging him to form an “international coalition” to combat spyware.
Such hacking tools pose “distinct and growing counterintelligence and security risks to the United States, including to the safety and security of US personnel and their families,” the senior official said in previewing the executive order.
The directive targets spyware, or malicious software sold by companies around the world that break into the mobile phones of targets with a few clicks.
An impetus for the executive order was the discovery in 2021 that the iPhones of about a dozen US State Department employees were hacked with spyware developed by Israeli firm NSO Group, CNN has reported.
The executive order reflects wide-ranging concerns in the Biden administration that both authoritarian governments and democracies can use the powerful hacking tools to suppress opposition voices or target journalists.
The tools also directly threaten US diplomats.
Democratic Rep. Jim Himes of Connecticut, one of the lawmakers who asked the Biden administration to do more on spyware, said he expects the number of US government personnel confirmed to be targeted by the hacking tools to increase as the US continues to investigate the issue.
The executive order, he told CNN, “sends a strong signal” to spyware firms that their access to the US market depends on ensuring their technology is not abused.
But there’s more the US government can do to crack down, said Himes, the top Democrat on the House Intelligence Committee.
“If a country to which we’re giving significant foreign aid uses [spyware] against … dissidents, against journalists, we need to rethink that foreign aid,” Himes said.
The Biden administration will this week co-host a “Summit for Democracy” with governments around the world where spyware is expected to be a prime topic.
But the extent to which US government agencies themselves have used spyware is unclear. The new directive prohibits US agencies from using spyware “operationally,” but does not preclude using the tools for testing purposes, as the FBI says it has.
The FBI has also explored using NSO Group’s signature hacking tool in criminal investigations before opting not to, while the CIA bought the tool for the East African government of Djibouti, according to a New York Times report.
The senior administration official on Monday declined to detail any examples of when US government agencies may have used commercial spyware operationally in response to a question from CNN.
Ron Deibert, director of the University of Toronto’s Citizen Lab, which investigates spyware abuses, said the new executive order will “make the very lucrative US federal government market inaccessible to firms that present a national security risk and facilitate transnational repression and human rights violations abroad.”
The directive, Deibert told CNN, will hopefully “trigger a common front among allied countries worldwide and send a strong signal that the Wild West days are over for NSO Group and other reckless actors in this space.”
NSO Group, which the US Commerce Department has effectively blocked from buying US software, has long asserted that its hacking tools are only sold to governments for legitimate counter-terrorism or anti-crime purposes.
But the spyware challenge is not confined to one technology or vendor, analysts say. Suspected spyware infections have been found in dozens of countries, from Angola to Zambia, according to a study from the Carnegie Endowment for International Peace.
This story has been updated with additional information.