At least 50 U.S. government employees are suspected or confirmed to have been targeted with commercial spyware that hacks smartphones to spy on their owners, the White House said Monday.
A White House official said on a phone call that the number of known victims who work for the U.S. spans “at least 10 countries on multiple continents.” The White House requested that the official not be named as part of the terms of the call.
“Our efforts to identify additional targeted personnel continue, and we obviously cannot rule out even more instances,” the official said.
The White House also announced that President Joe Biden would sign an executive order aimed at curtailing spyware abuse by setting guidelines for the companies that produce it. The official said the order gives the White House the power to ban a company’s software across all federal agencies if it is found to have used spyware to target activists, curb political dissent or spy on Americans.
The announcement comes after a series of revelations in recent years about the use of advanced smartphone spyware by some governments around the world. A 2018 report by The Citizen Lab, a technology and internet project at the University of Toronto, found that one type of spyware had most likely been used by 36 different operators in 45 countries.
The shadowy companies behind this spyware make up a growing industry that gives governments a way to spy on individuals’ smartphones. Spyware programs have been shown to provide near-total access to a target’s smartphone, even to email accounts and to microphones in order to listen in on private conversations.
While spyware companies often say their products are used to catch criminals, they’ve been repeatedly deployed against journalists, political candidates, researchers and activists around the world, leading to widespread condemnation from human rights advocates.
There is believed to be only one previous public instance of U.S. officials’ devices being infected with spyware. In 2021, nine State Department employees were hacked with Pegasus, the flagship program of Israeli spyware company NSO Group, according to a Reuters report. The U.S. sanctioned NSO Group, as well as another spyware company, Candiru, around the same time.
John Scott-Railton, a senior researcher at Citizen Lab, which has done prolific reporting on Pegasus attacks on journalists’ and human rights workers’ phones, praised the executive order as a likely effective way to steer the spyware industry toward less abuse.
“Most of the companies in the industry have the goal of eventually selling to the USA,” Scott-Railton said.
“Now, the U.S. is saying: You’ve got two doors. Behind one door is, be ethical and judicious and maybe you get a chance. Behind the proliferation door: lose our number forever. And that’s a big, powerful thing for an industry built around profit.”