Introduction: A challenge to Washington's spyware stance
A fresh inquiry from Capitol Hill is intensifying the scrutiny on the U.S. government's use of commercial spyware, questioning whether federal agencies are practicing what the Commerce Department preaches. Representative Summer Lee (D-PA) has sent a formal letter to the Commerce Department demanding a briefing on the government's use of these powerful surveillance tools, a move first reported by CyberScoop. The letter lands at a critical juncture, following recent admissions that U.S. Immigration and Customs Enforcement (ICE) has used commercial spyware and the eyebrow-raising appointment of a former Trump administration official to lead NSO Group, the controversial Israeli firm behind the infamous Pegasus spyware.
Background: Sanctions, executive orders, and persistent use
The U.S. government has publicly maintained a hardline stance against the proliferation of spyware that enables human rights abuses. In November 2021, the Commerce Department added NSO Group and another Israeli firm, Candiru, to its Entity List. This designation effectively blacklisted the companies, restricting U.S. firms from doing business with them. The rationale was clear: their tools had been used by foreign governments to "maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers," according to the official announcement.
This policy was reinforced in March 2023 when President Biden issued Executive Order 14093, which prohibits U.S. government agencies from operationally using commercial spyware that poses risks to national security or that foreign actors have used to enable human rights abuses. The order, however, leaves room for lawful use of tools that fall outside those criteria, creating a gray area that is now at the heart of Rep. Lee's inquiry.
The context for this renewed scrutiny is twofold. First, an April 2024 report confirmed that ICE was a customer of commercial spyware, though the vendor's name remains undisclosed. Second, news broke in early June that Brian Bulatao, a former chief of staff to Secretary of State Mike Pompeo, had been appointed executive chairman of NSO Group. This move is widely seen as an attempt by the beleaguered firm to rehabilitate its image in Washington and lobby for its removal from the Entity List.
Technical details: The power of 'zero-click'
The technology at the center of this debate is exceptionally potent. NSO Group's Pegasus is not ordinary malware; it is a full-device implant built for complete compromise of a target's phone. Its most notorious delivery method is the "zero-click" exploit, which requires no interaction at all from the target.
Unlike a phishing attack that tricks a user into tapping a malicious link, a zero-click exploit can compromise a device when it merely receives a message or a call. One of the best-documented examples is FORCEDENTRY, discovered by Citizen Lab in 2021. It exploited an integer overflow in Apple's CoreGraphics handling of JBIG2-compressed image data (CVE-2021-30860), delivered over iMessage as a crafted PDF disguised as a GIF, to silently install Pegasus on iPhones running then-current iOS versions; Apple patched it in iOS 14.8. Before that, in 2019, a buffer overflow in WhatsApp's voice-calling stack (CVE-2019-3568) was used to inject the spyware through a call the target never had to answer.
Once installed, Pegasus grants the operator complete control over the device. It can exfiltrate emails, text messages, photos, and contacts. It can activate the microphone and camera for live eavesdropping, track the user's location in real time, and read conversations from end-to-end encrypted messaging apps. The last point deserves precision: end-to-end encryption protects messages in transit, but an implant that controls the endpoint reads them after decryption, at the same point the legitimate user does. This level of intrusion makes it an invaluable tool for intelligence agencies but also an unparalleled threat to privacy and dissent when misused.
Impact assessment: Hypocrisy, risk, and the path forward
Rep. Lee's inquiry forces a difficult conversation about policy coherence. How can the U.S. government blacklist a company like NSO Group for enabling surveillance abuses abroad while its own agencies, like ICE, are potentially using similar tools? This apparent contradiction undermines U.S. credibility when advocating for digital human rights on the global stage.
The primary victims of this technology have historically been journalists, human rights defenders, and political dissidents in authoritarian countries. The Pegasus Project investigation in 2021 revealed a list of over 50,000 potential surveillance targets, painting a grim picture of its global abuse. However, the threat is not confined to foreign nations. U.S. State Department employees abroad have also been targeted, highlighting the direct national security risk these tools pose to American interests.
The appointment of Brian Bulatao at NSO Group further complicates the matter. While his supporters might argue he can bring American-style oversight to the firm, critics see it as an attempt to use political connections to legitimize a company whose products have caused immense harm. Lee's letter directly asks the Commerce Department if it has had any communication with Bulatao, signaling congressional concern over this potential influence campaign.
The stakes are high. Unchecked use of commercial spyware by any government sets a dangerous precedent. It normalizes invasive surveillance, creates a market for zero-day vulnerabilities that puts everyone at risk, and erodes the foundational privacy that underpins free societies. Rep. Lee's push for a briefing could be the first step toward greater transparency and stricter legislative guardrails on domestic use of these technologies.
How to protect yourself
Defending against a sophisticated, state-sponsored attack like Pegasus is exceptionally difficult for an average individual. The zero-click nature of its exploits means that even the most cautious users can be compromised. However, several steps can help improve your overall security posture and make you a harder target.
- Keep everything updated: This is the most critical step. Companies like Apple and Google are in a constant arms race with exploit developers. Install operating system and application updates as soon as they become available, as they often contain patches for the very vulnerabilities spyware relies on.
- Enable Lockdown Mode (iOS): If you use an iPhone and believe you might be a high-risk target (e.g., you are a journalist, activist, or diplomat), enable Apple's Lockdown Mode, available since iOS 16. It reduces the attack surface that zero-click chains rely on: most message attachment types and link previews are blocked, just-in-time JavaScript compilation in Safari is disabled unless a site is excluded, and incoming FaceTime calls and invitations from unknown senders are rejected. Citizen Lab has reported that Lockdown Mode blocked at least one NSO exploit chain it observed in 2023.
- Restart your device regularly: Some spyware implants do not persist across reboots. Amnesty International's 2021 forensic analysis of Pegasus on iOS found the implant ran only in memory and was removed by a restart. A reboot does not prevent reinfection through the same zero-click exploit, and persistence can differ between versions and platforms, but a regular restart is cheap and can interrupt an active implant.
- Practice digital hygiene: Be wary of unsolicited links and attachments, even from known contacts whose accounts could be compromised. Use multi-factor authentication on all your accounts.
- Secure your connections: While it won't stop a zero-click exploit, using a trusted VPN service can help protect your general internet traffic from network-level snooping at public Wi-Fi hotspots. Likewise, using apps with strong end-to-end encryption like Signal for communication is always a good practice, with the caveat above that encryption in transit does not protect a device that is already compromised.
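For a high-risk user, the practical complement to the precautions above is a forensic check of the device for published indicators of compromise, which is what Amnesty International's Mobile Verification Toolkit (MVT) does against an iOS backup using a STIX2 indicator feed. The block below is an added example, not code from the original article and not MVT's own code: it reduces that check to its core, parsing simple STIX2 equality patterns and matching them against artifact records of the kind found in a backup. Every indicator and artifact in it is a constructed placeholder, not a real Pegasus IOC; the bundle identifiers, domains, process name and artifact rows are hypothetical.

```python
"""Match constructed device artifacts against STIX2 indicator patterns.

Illustrates the IOC matching that MVT-style checks perform on an iOS
backup. All indicators and artifact rows are CONSTRUCTED placeholders
for this example and are not Pegasus indicators.
"""
import json
import re
from urllib.parse import urlparse

# Constructed STIX 2.1 bundle in the shape used by published IOC feeds.
# Hypothetical values only.
STIX_BUNDLE = json.loads("""
{
  "type": "bundle",
  "id": "bundle--11111111-1111-4111-8111-111111111111",
  "objects": [
    {"type": "indicator", "id": "indicator--22222222-2222-4222-8222-222222222222",
     "pattern_type": "stix", "pattern": "[domain-name:value = 'cdn-update.example']"},
    {"type": "indicator", "id": "indicator--33333333-3333-4333-8333-333333333333",
     "pattern_type": "stix", "pattern": "[process:name = 'demo_implant']"},
    {"type": "indicator", "id": "indicator--44444444-4444-4444-8444-444444444444",
     "pattern_type": "stix", "pattern": "[url:value = 'https://tracker.example/sms/']"},
    {"type": "malware", "id": "malware--55555555-5555-4555-8555-555555555555",
     "name": "constructed-sample"}
  ]
}
""")

# Single-comparison STIX pattern: [<object>:<property> = '<value>']
_PATTERN_RE = re.compile(
    r"\[(?P<type>[\w-]+):(?P<field>\w+)\s*=\s*'(?P<value>[^']*)'\]")


def parse_stix_indicators(bundle):
    """Return {observable_type: set(values)} for simple equality patterns.

    Compound patterns (AND/OR, FOLLOWEDBY, ranges) are skipped rather than
    half-matched; a partial match would produce false hits.
    """
    iocs = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = _PATTERN_RE.fullmatch(obj.get("pattern", "").strip())
        if not m:
            continue
        iocs.setdefault(m["type"], set()).add(m["value"].lower())
    return iocs


def host_of(url):
    """Lower-cased hostname of a URL, with userinfo and port stripped."""
    host = urlparse(url).hostname
    return host.lower() if host else ""


def domain_hit(host, ioc_domains):
    """True if host equals an IOC domain or is a subdomain of one.

    Suffix matching is anchored on a dot so 'cdn-update.example.evil'
    does not match 'cdn-update.example'.
    """
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


# Constructed records standing in for rows from an iOS backup: process
# names from DataUsage.sqlite, URLs from Safari's History.db and sms.db.
ARTIFACTS = [
    ("DataUsage.sqlite", "process", "com.apple.WebKit.Networking"),
    ("DataUsage.sqlite", "process", "demo_implant"),
    ("History.db", "url", "https://www.apple.com/"),
    ("History.db", "url", "https://a.cdn-update.example/v2/update.gif"),
    ("sms.db", "url", "https://tracker.example/sms/"),
    ("sms.db", "url", "https://tracker.example/other"),
]


def scan_artifacts(artifacts, iocs):
    """Return one hit per artifact that matches a process, URL or domain IOC."""
    domains = iocs.get("domain-name", set())
    urls = iocs.get("url", set())
    procs = iocs.get("process", set())
    hits = []
    for source, kind, value in artifacts:
        matched = None
        if kind == "process" and value.lower() in procs:
            matched = "process"
        elif kind == "url":
            if value.lower() in urls:
                matched = "url"            # exact URL indicator
            elif domain_hit(host_of(value), domains):
                matched = "domain-name"    # any URL under an IOC domain
        if matched:
            hits.append({"source": source, "ioc_type": matched, "value": value})
    return hits


if __name__ == "__main__":
    for hit in scan_artifacts(ARTIFACTS, parse_stix_indicators(STIX_BUNDLE)):
        print(f"{hit['source']}: {hit['ioc_type']} match on {hit['value']}")
```

On a real device you would run MVT against a backup with the current public IOC feed rather than this toy. Two caveats carry over from the matching logic: an exact URL indicator does not match other paths on the same host (the `/other` row above is correctly ignored), and a clean scan only means none of the published indicators were found, not that the device is uncompromised, since operators rotate infrastructure and process names between campaigns.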
The demand for transparency from Congress is a vital check on the government's power. As these surveillance tools become more potent and pervasive, ensuring they are used within a strict, accountable, and rights-respecting framework is not just a matter of policy, but a defense of democratic principles.