Overview

On March 27, 2023, President Biden signed the Executive Order on Prohibition on Use by the United States Government of Commercial Spyware that Poses Risks to National Security (EO), restricting federal agencies’ use of commercial spyware.  The Biden Administration cited targeted attacks utilizing commercial spyware on U.S. officials and human rights abuses abroad as motivations for these restrictions.

Usage Restrictions

The EO is not a blanket ban on commercial spyware.[1]  Instead, it bars federal government agencies from using commercial spyware tools if they pose significant counterintelligence or security risks to the U.S. government, or significant risks of improper use by a foreign government or foreign person, including to target Americans or enable human rights abuses.  Indirect use of such spyware (e.g. through a contractor or other third party) is also prohibited.  The EO establishes risk factors indicative of prohibited commercial spyware, including:

  • Past use of the spyware by a foreign entity against U.S. government personnel or devices;
  • Past use of the spyware by a foreign entity against U.S. persons;
  • The spyware was or is furnished by an entity that maintains, transfers, or uses data obtained from the commercial spyware without authorization from the licensed end-user or the U.S. government, or has disclosed or intends to disclose non-public information about the U.S. government or its activities without authorization from the U.S. government;
  • The spyware was or is furnished by an entity under the direct or effective control of a foreign government or foreign person engaged in intelligence activities directed against the United States;
  • A foreign actor uses the commercial spyware to limit freedoms of expression, peaceful assembly or association; or to enable other forms of human rights abuses or suppression of civil liberties; or
  • The spyware is furnished to governments that have engaged in gross violations of human rights, whether such violations were aided by the spyware or not.

The above restrictions do not apply to the use of commercial spyware for purposes of testing, research, analysis, cybersecurity, or the development of countermeasures for counterintelligence or security risks, or for purposes of a criminal investigation arising out of the criminal sale or use of the spyware.  Additionally, an agency may be able to obtain a waiver allowing it to temporarily bypass the EO’s prohibitions, but only in “extraordinary circumstances.”

Agency Reporting Requirements

The EO contains various agency reporting requirements.  Some are specific to the Director of National Intelligence (DNI) while some apply to all federal agencies:

  • Within 90 days of the EO, the DNI will issue a classified intelligence assessment on foreign commercial spyware and foreign use of commercial spyware.
  • Within 90 days of the DNI assessment, all federal agencies must review their use of commercial spyware and discontinue uses that violate the EO. 
  • If an agency elects to continue using commercial spyware, within one year of the EO it must report its continued use to the Assistant to the President for National Security Affairs (APNSA) and explain why its continued use does not violate the EO.

New Commercial Spyware Procurement Procedures

Agencies seeking to procure commercial spyware “for any purpose other than for a criminal investigation arising out of the criminal sale or use of the spyware” must:

  • Consider any relevant information provided by the DNI, and solicit such information from the DNI if necessary;
  • Consider the risk factors listed above;
  • Consider any controls the commercial spyware vendor has in place to detect and prevent potential security risks or misuse; and
  • Notify APNSA within 45 days of procurement and provide a description of its intended purpose and use(s) for the commercial spyware.  

Key Takeaways

While the EO signals that the federal government is approaching commercial spyware with caution, interested parties should note that the government has been careful not to rule out its usage altogether. The EO, for example, does not address the government’s use of non-commercial (i.e. government-produced) spyware, or mention state or local government use of commercial spyware at all. The EO also allows federal agencies to procure and employ commercial spyware so long as the agency determines that the spyware does not pose a significant risk to national security or for improper use. Vendors of commercial spyware should pay close attention to the risk factors identified in the EO and consider implementing internal controls to address them.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Michael G. Gruden, CIPP/G Michael G. Gruden, CIPP/G

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked…

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.

Photo of Evan D. Wolff Evan D. Wolff

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical…

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators. Evan also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework.

Photo of Jacob Harrison Jacob Harrison

Jacob Harrison helps his clients navigate both domestic and international legal challenges.

Jake advises U.S. government contractors on internal investigations and state and federal regulatory compliance. His compliance practice focuses on counseling clients operating at the intersection of government contracts and cybersecurity, including

Jacob Harrison helps his clients navigate both domestic and international legal challenges.

Jake advises U.S. government contractors on internal investigations and state and federal regulatory compliance. His compliance practice focuses on counseling clients operating at the intersection of government contracts and cybersecurity, including for cybersecurity compliance reviews, risk assessments, and data breaches.

In his international practice, Jake represents foreign and domestic clients in Foreign Sovereign Immunities Act and Anti-Terrorism Act litigation. He also has experience advising clients involved in cross-border commercial arbitration proceedings.

During law school, Jake served as an associate editor of the Emory Law Journal and interned at the Supreme Court of Georgia and the Georgia House Democratic Caucus. Before attending law school, Jake worked in politics and state government.