Congress wants to know what commercial spyware other countries are using

Intelligence funding bill for 2021 to mandate DNI to submit report to Congress about surveillance vendors and the countries that use spyware.


Congress wants to know which foreign governments are using commercially-available surveillance tools -- commonly referred to as spyware.

The US government's new position was included in a draft of the Intelligence Authorization Act for Fiscal Year 2021, the bill that lays out funding for the US government's intelligence operations for next year.

According to the bill's draft text (see Section 503), US officials want the Director of National Intelligence (DNI) to submit a report to Congress on the status of commercially-available software, the companies that make these hacking tools, and which foreign governments or foreign entities are using them.

The bill's text shows that US lawmakers are becoming more worried about the commoditization of powerful hacking tools.

Over the past decade, the number of companies selling these kinds of tools has increased dramatically.

Some of these companies have a very public presence, boldly advertise their exploit acquisition programs, and strictly market themselves as sellers of tools meant only for use by government and law enforcement agencies.

However, other companies don't abide by the same rules. Some companies sell hacking tools through shadowy offshore shells to bypass export controls and are more than willing to sell to oppressive regimes, which then use their spyware to go after dissidents, journalists, and human rights activists.

Now, US lawmakers want the DNI to assess the current landscape and come up with solutions to limit the spread of these tools.

The funding bill recommends that the DNI look into working with tech companies to counter or limit the efficacy of these tools, but also at classical approaches such as export controls, diplomatic pressure, or trade agreements.

John Scott-Railton, a Citizen Lab security researcher who specializes in investigating commercial spyware, first spotted the new clause in the upcoming intelligence funding bill. In a Twitter thread, Scott-Railton has described the new bill as "very bad news for habitual bad actors."

The current draft of the funding bill passed through the Senate Select Committee on Intelligence last week with a 14-1 vote. The bill will be subject to a vote later this summer.

While there have been many incidents in the past where commercial spyware was used to harass and spy on minorities, reporters, and political figures, the public has never taken this threat seriously, outside of small cyber-security circles. Public opinion changed dramatically after Facebook sued hacking tools maker NSO Group in October 2019 for creating and selling a WhatsApp exploit that was used to spy on users all over the world.