US, UK and France Pressure Commercial Spyware Industry
Countries Seek International Guidelines for Responsible Use of Commercial Spyware
The United States ramped up pressure on the commercial surveillance industry shortly before the United Kingdom and France convened a summit intended to culminate in an international agreement limiting the proliferation of advanced spyware.
U.S. Secretary of State Antony Blinken on Monday announced a policy of limiting entry visas for individuals involved in the misuse of commercial spyware or who control the companies that furnish spyware to governments that deploy the apps to snoop on journalists, activists and dissidents. The limits also apply to close family members, such as children and spouses.
Approximately two dozen countries, including the United States, assembled in the United Kingdom on Tuesday for a two-day meeting initiating talks dubbed the Pall Mall Process that participants said will result in guidelines for the responsible deployment of commercial spyware. Participants include companies such as Google and Microsoft.
"Many of these tools and services can be used for legitimate purposes, but they should not be developed or used in ways that threaten the stability of cyberspace or human rights and fundamental freedoms," participants said. They plan to meet again in France next year.
Google, which tracks the global commercial spyware industry, estimates there are 40 global purveyors of such spyware - apps that record and transmit the activity on infected smartphones. Even devices that have the very latest operating system patches and security fixes can be infected (see: Dozens of Commercial Spyware Vendors at Work, Google Warns).
Human rights organizations have long highlighted that governments with authoritarian predispositions - including countries in Europe such as Poland and Hungary - have used spyware to surveil opposition groups despite claims from some vendors that they only sell their goods for use in combating national security threats and crime.
In announcing the new visa restriction, the Department of State linked commercial surveillance to "arbitrary detentions, forced disappearances, and extrajudicial killings in the most egregious of cases." President Joe Biden in March signed an executive order banning the federal government from buying licenses for spyware used by foreign governments to spy on dissidents and has restricted exports to some spyware vendors (see: US Limits Government Use of Advanced Smartphone Spyware).
John Scott-Railton, a senior researcher at The Citizen Lab, lauded the Biden administration's decision. The "visa ban will be impactful because it follows the people. Prior efforts focused on spyware companies, which is good. But spyware players play shell games with corporate identities. Now, no matter what your company name is this week, you still can't go to Disney World," Scott-Railton said.
Speaking at a closed-door Pall Mall Process event, U.K. Deputy Prime Minister Oliver Dowden said that threats from cyber intrusion tools have become more challenging due to the advancements being made in artificial intelligence.
"Thanks to rapid advances in technology - including AI - those weapons are becoming cheaper, more widespread and easier to use," Dowden said. "If we fail to act, this market will rapidly become a driver for much of the cyber threat we face."
Dowden said private sector companies can play a vital role in preventing spyware intrusion by ensuring that their products receive regular patches and by mitigating supply chain risks.
In addition to the U.K. and France, other Pall Mall Process participants include the Republic of Cyprus, Greece, Japan, Germany, Australia and the Gulf Cooperation Council, which is a regional body. Private sector participants include Apple, BAE Systems and Eset.