White House Review Underway for ICE’s $2 Million Contract with Spyware Vendor

According to reports from WIRED, a $2 million contract between United States Immigration and Customs Enforcement and Israeli commercial spyware firm Paragon Solutions has been put on hold and is currently undergoing a compliance review.

The White House’s examination of this contract represents a significant test for the Biden administration’s executive order that limits the government’s utilization of spyware.

The one-year contract signed on September 27 involves Paragon’s US subsidiary located in Chantilly, Virginia, and ICE’s Homeland Security Investigations Division 3. It was first reported by WIRED on October 1. Subsequently, on October 8, a stop-work order was issued by HSI to assess compliance with Executive Order 14093, as stated by a spokesperson from the Department of Homeland Security to WIRED.

The executive order, which was enacted by President Joe Biden in March 2023, is designed to limit the use of commercial spyware technology by the US government while also advocating for its responsible application in accordance with human rights protections.

DHS has not confirmed whether the contract involves the deployment of Paragon’s primary product, Graphite, an advanced spyware tool that reportedly extracts data mainly from cloud backups. This contract is said to encompass a “fully configured proprietary solution including license, hardware, warranty, maintenance, and training.”

A senior U.S. administration official, who spoke on the condition of anonymity in order to discuss the review of the ICE contract candidly, stated, “We immediately engaged the leadership at DHS and worked very collaboratively together to understand exactly what was put in place, what the scope of this contract was, and whether or not it adhered to the procedures and requirements of the executive order.”

Paragon Solutions has yet to respond to WIRED’s request for commentary regarding the review of the contract.

The executive order outlines a comprehensive process that requires rigorous due diligence concerning both the vendor and the tool, aiming to identify any possible concerns related to counterintelligence, security, and risks of improper use. Additionally, it requires that an agency must not utilize commercial spyware operationally for at least seven days after informing the White House or until it receives consent from the president’s national security adviser.

“Ultimately, the leadership of the department will need to make a determination. The outcome may be—based on the information and the facts available—that this particular vendor and tool does not violate the requirements set forth in the executive order,” states a senior official.

While the specifics of ICE’s contract with Paragon are not widely disclosed, its mere existence has raised concerns among civil liberties advocates. The nonprofit organization Human Rights Watch remarked in a statement that “granting ICE access to spyware heightens the risk of exacerbating” the department’s troubling practices. HRW has also expressed concerns regarding what it describes as the Biden administration’s “piecemeal approach” to regulating spyware.

Experts indicate that the extent to which the US government handles the compliance review of the Paragon contract will affect international confidence in the executive order.

“We are aware of the threats that mercenary spyware presents when sold to authoritarian regimes, yet there is substantial evidence of its detrimental effects even in democracies,” explains John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, who has played a crucial role in revealing abuses associated with spyware. “This underscores the necessity for oversight, transparency, and accountability concerning any attempt by US agencies to acquire these tools.”

Efforts on an international scale to control commercial spyware are accelerating. On October 11, during the 57th session of the Human Rights Council, member states of the United Nations reached an agreement to adopt a statement recognizing the dangers that the improper use of commercial spyware poses to democracies, as well as to the safeguarding of human rights and fundamental freedoms. “This sets an important norm, particularly for nations that profess to be democracies,” remarks Natalia Krapiva, senior tech-legal counsel at the international nonprofit organization Access Now.

While the United States is spearheading global initiatives to tackle spyware with its executive order, trade and visa limitations, as well as sanctions, the European Union has taken a more relaxed approach. Only 11 of the 27 EU member nations have participated in the US-led initiative detailed in the “Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware,” which has now gathered 21 signatories, among them Australia, Canada, Costa Rica, Japan, and South Korea.

“An unregulated market poses a danger not only to the citizens of those nations but also to their governments. Our hope is that there will be a growing recognition of this within the EU,” a senior official from the US administration shares with WIRED.

The European Commission released new guidelines on October 16 concerning the export of cyber-surveillance tools, including spyware; however, it has not yet acted on the EU Parliament’s request to create a legislative proposal or to hold countries accountable for misusing this technology.

Earlier this year, Poland initiated an investigation into the spyware practices of the former government. In contrast, a similar inquiry in Spain, related to the alleged use of spyware against politicians, has yet to result in any formal charges against the accused. Meanwhile, an investigation in Greece has determined that governmental agencies acted without misconduct.

“Europe is currently facing a mercenary spyware crisis,” remarks Scott-Railton. “I find it astonishing that European institutions and governments have not taken significant action to tackle this problem, despite the presence of both domestic and international concerns.”

The executive order issued by the US highlights its focus on national security and foreign policy related to the use of such technologies, ensuring compliance with human rights and the rule of law. It also aims to reduce counterintelligence risks, particularly regarding the targeting of US officials. Although Europe recognizes the foreign policy implications, its primary focus has been on human rights aspects rather than addressing counterintelligence and national security challenges.

This threat became increasingly evident in August when Google’s Threat Analysis Group (TAG) discovered that Russian government hackers had been leveraging exploits developed by spyware firms NSO Group and Intellexa.

In May, Access Now and Citizen Lab raised concerns that Estonia might be involved in the hacking of exiled Russian journalists, dissidents, and others through the use of NSO Group’s Pegasus spyware.

“To safeguard themselves from Russia, several European nations are employing the same methods against those whom Russia targets,” stated Krapiva from Access Now. “With these vulnerabilities readily accessible—often sold on the black market—Russia ultimately can acquire them.”

“It’s a significant complication,” she continued. “In their efforts to maintain national security, they are inadvertently compromising it in various ways.”

Scott-Railton from Citizen Lab suggests that these occurrences should alarm European policymakers, similar to how they have concerned their counterparts in the US, who highlighted national security considerations in their executive order.

“What will it take for European leaders to acknowledge the national security risks posed by this technology?” Scott-Railton asks. “Unless they recognize the intertwined threats to human rights and national security, much like the US has, they will continue to face a significant security disadvantage.”

Total
0
Shares
Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Article

Building a Bright Future: NYC Department of Education's Pipeline for Aspiring Cybersecurity Professionals

Next Article

Sensitive Information Leaked: United Nations Database Exposed Online

Related Posts