Apr 18, 2023 - Technology

Cybersecurity researchers are playing spyware whack-a-mole

Illustration of a smartphone with an angry face multiplying into many smartphones.

Illustration: Brendan Lynch/Axios

Now that the Biden administration has taken a stronger stance against some commercial spyware vendors, the real race begins: detecting and squashing them.

The big picture: Spyware vendors are known to operate in the shadows and obfuscate their business structure to confuse potential buyers. Dark market dealings, generic intermediaries and swiftly shifting practices can make identifying dubious vendors feel like playing whack-a-mole to researchers.

  • The most egregious form of spyware allows a user to target someone else's phone without them knowing, giving unfettered access to phone calls, text messages and real-time location.
  • And many vendors, such as well-known Israeli company NSO Group, in recent years have been spotted selling their tools to both authoritarian and democratic governments that abuse the tech to target dissidents, human rights activists, politicians and journalists.

Driving the news: Researchers at the University of Toronto's Citizen Lab uncovered new details last week about how Israeli spyware vendor QuaDream's products were used around the world to target journalists, political opposition figures and an NGO worker.

Between the lines: Experts tell Axios that research like Citizen Lab's will play an outsize role in containing the commercial spyware ecosystem as the Biden administration begins enforcing its new executive order.

  • The order bans U.S. government use of commercial spyware that either "poses significant counterintelligence or security risks" or has "significant risks of improper use by a foreign government or foreign person."
  • Making that determination will require insight not only into which vendors carry those risks, but also into which of their subsidiaries do.

Assessing spyware vendors can be difficult. Like criminal hacking gangs, many prefer to operate outside of the public eye or to sell products through third-party vendors and secret subsidiaries, Natalia Krapiva, tech legal counsel at Access Now, told Axios.

  • For example: Shortly after President Joe Biden signed the executive order last month, the New York Times reported that a U.S. government office had purchased an NSO product through a little-known subsidiary. (The U.S. placed NSO on a trade blacklist in 2021.)

The intrigue: As agencies determine what spyware they can use, the federal government will need to dedicate more resources to in-house teams and civil society researchers investigating vendors, Krapiva said.

  • "We actually have been winning," she added. "But at the same time, we need help, we need help from the governments, we need help regulating and imposing more transparency around this."

Meanwhile, the game of whack-a-mole isn't likely to last forever, Jon Callas, director of public interest technology at the Electronic Frontier Foundation, told Axios.

  • The executive order will likely discourage most agencies from even trying to procure spyware to begin with — and U.S. tech vendors from trying to enter the spyware market too.
  • "Having potential entrants into spyware-making know that this is not considered to be a good thing and might even be illegal will chase them away," Callas said.

Yes, but: Government demand for spyware remains high.

  • India is reportedly looking for a new spyware tool to replace NSO Group's high-profile Pegasus, according to the Financial Times.
  • Biden's executive order bars only U.S. government use of commercial spyware, not tools that governments build themselves. Law enforcement agencies also remain interested in using spyware in their investigations.
  • "It is good, but it is only a start, and we need the administration to go from here and do even more to protect people's privacy," Callas said.
