Key U.S. allies supported the effort but did not sign on to a joint statement committing to the creation of a code of conduct on how to exercise export controls to curb the use of cyber intrusion technologies by authoritarian regimes, according to a White House release.
The United States will work with Australia, Denmark and Norway over the next year to establish a guide for how governments should safeguard democracy by implementing export controls on surveillance technology such as intrusion software created by the NSO Group.
The Export Controls and Human Rights Initiative will “help stem the tide of authoritarian government misuse of technology and promote a positive vision for technologies anchored by democratic value,” the White House said in a press release Friday.
Canada, France, the Netherlands, and the United Kingdom supported the initiative but were not part of the joint statement committing to it, according to the release.
“Over the coming year of action, we commit to working to establish a voluntary, non-binding, written code of conduct around which like-minded states could politically pledge, to use export control tools to prevent the proliferation of software and other technologies used to enable serious human rights abuses,” the joint statement reads.
“The joint statement is a joint statement of intent but those who are supportive are no less committed to partnership and dialogue over the year of action,” a National Security Council spokesperson told Nextgov.
The initiative will also gather policy makers, technical experts, and export control and human rights practitioners to “ensure that critical and emerging technologies work for, and not against, democratic societies,” according to the White House release. It follows a Commerce Department rule issued in October that brought the U.S. in line with 42 other nations as part of the Wassenaar Arrangement, a pact that sets voluntary export controls on technologies that can be used for both military and civilian purposes.
In November, Commerce added the NSO Group and three other firms to its Entity List, putting them off limits for receiving any supplies from U.S. persons. The banned entities delivered spyware to governments that used it to target government officials, journalists, businesspeople, activists, academics, and embassy workers, and generally trafficked in cyber exploits used to gain access to information systems, threatening the privacy and security of individuals and organizations worldwide, Commerce said.
But the November listing just scratches the surface. A report from the Atlantic Council revealed a vast marketplace of such firms. The report advocated calling out countries that allow the sale of such tools to authoritarian governments and highlighted Israel and Sweden among those. The authors of the report assessed with high confidence that Israeli firm Cellebrite and Swedish firm Micro Systemation AB (MSAB) have been marketed to Russia, for example.
Both Cellebrite and MSAB are on the General Services Administration’s list of approved commercial services, with Cellebrite openly promoted under the services of government contractor Carahsoft.
Privacy groups like the Electronic Frontier Foundation say governments should hold each other accountable for evaluating surveillance tools and applying appropriate limits whether they’re being used for law enforcement or national security purposes.