Biden Administration Blacklists 2 Commercial Spyware Firms
Cytrox and Intellexa Accused of Threatening Privacy and Security Worldwide
The U.S. government has added two more commercial spyware vendors to its list of organizations that face restrictions if they attempt to procure American goods or services.
The move is designed to combat surveillance tool manufacturers that facilitate the illicit use of their commercial spyware.
The sanctioned companies are Intellexa S.A. in Greece, Intellexa Limited in Ireland, Cytrox Holdings Crt in Hungary and Cytrox AD in North Macedonia. All are now subject to U.S. technology export licensing requirements.
Intellexa and Cytrox appear to have close ties, although the full extent of their relationship isn't clear. Israeli newspaper Haaretz reported last month that Intellexa had been formed by a former Israeli army intelligence officer as an alliance of commercial spyware firms based in Cyprus and Greece. Intellexa purchased Cytrox in 2019, the newspaper reported, and continued to sell its Predator surveillance tools.
All four organizations have been added to the U.S. Department of Commerce's Bureau of Industry and Security's Entity List, accused of "trafficking in cyber exploits used to gain access to information systems, threatening the privacy and security of individuals and organizations worldwide," the Department of Commerce said.
The Entity List is a White House tool for dealing with organizations working in conflict with U.S. national security or foreign policy interests. It is designed to prevent adversaries from accessing "commodities, software and technology that could contribute to the development of surveillance tools that pose a risk of misuse in violations or abuses of human rights," according to the Commerce Department.
Already on the blacklist are Israel's NSO Group and Candiru. Both companies were sanctioned by the Biden administration in November 2021 for allegedly supplying spyware to foreign governments for use in targeting officials, journalists, activists, academics, embassy workers and others.
The market for commercial spyware has boomed over the past decade. At least 30 vendors now offer tools designed to remotely retrieve smartphone text messages, surreptitiously activate microphones and obtain precise locations. Despite assurances from multiple vendors that they have strong controls in place to prevent their tools from being used inappropriately, civil society activists say such tools are regularly employed by authoritarian or repressive regimes.
"The proliferation of commercial spyware poses distinct and growing counterintelligence and security risks to the United States, including to the safety and security of U.S. government personnel and their families," the Department of State said in a statement.
"The misuse of these tools globally has also facilitated repression and enabled human rights abuses, including to intimidate political opponents and curb dissent, limit freedom of expression, and monitor and target activists and journalists," it added.
Spyware abuses involving apps such as Cytrox's Predator - also sold by Intellexa - as well as NSO Group's Pegasus have triggered recent political scandals in several European countries. Also, U.S. diplomats stationed in Uganda in 2021 reportedly found Pegasus on their devices.
In March, President Joe Biden signed an executive order prohibiting agencies from buying licenses for spyware used by foreign governments to spy on dissidents. The move was designed to limit the government's use of advanced surveillance software such as Pegasus or Cytrox. At the time, the White House said at least 50 U.S. personnel overseas had been targeted by advanced spyware in 10 countries on multiple continents.
"We remain laser-focused on stemming the proliferation of digital tools for repression," BIS Undersecretary Alan Estevez said Tuesday.
The University of Toronto's Citizen Lab, which tracks illicit government surveillance programs, warned last year that such software was being used "in politics, elections and human rights abuses" (see: Pegasus Spyware Spotted in Nagorno-Karabakh War).
Europe also has been targeting the illicit use of spyware. Last year, a European Parliament committee investigating the abuse of commercial spyware tools such as Pegasus called for a ban on all "modern spyware." In May, the committee revised its recommendations, instead calling for a slew of new regulatory safeguards.