FY2025 NDAA targets spyware threats to U.S. diplomats, military devices


The language comes as the State Department has pressed foreign governments to collectively set standards to prevent spyware abuses.

The U.S. government’s must-pass defense policy bill includes a measure that aims to shield military servicemembers and diplomats from ensnarement by commercial spyware programs.

The provision, slotted into the $895.2 billion National Defense Authorization Act for the 2025 fiscal year, seeks to secure U.S. government-issued devices used by diplomats, armed forces personnel and staffers in the U.S. Agency for International Development.

It mandates the establishment of cybersecurity standards, a review of past spyware compromises and regular reporting to Capitol Hill on incidents involving spyware, including assessments of security impacts and identification of responsible foreign entities.

The software applications, surreptitiously planted on victims’ devices to surveil their movements and capture private communications, have been deployed by governments against journalists, politicians and dissidents around the world for years. To date, at least 74 nations have likely contracted with spyware providers.

Within 120 days of the NDAA’s enactment, the Secretary of Defense and relevant agencies must develop cybersecurity standards, guidance and best practices to prevent device compromises. Additionally, the secretary is directed to review instances from the past two years where spyware breaches potentially led to unauthorized disclosures of sensitive information. 

A report summarizing these measures and past incidents must be submitted to the appropriate congressional committees and may include classified details, the bill’s text says.

In the event of a major compromise, the Defense Department must notify Congress within 60 days of discovery. The notification would include key details, such as the location of compromised personnel, the number of affected devices and an assessment of national security damage resulting from data loss. 

The notification should also identify, where possible, any foreign governments, firms or individuals responsible for or benefiting from the breach. And, starting one year after the NDAA is passed, the DOD must submit an annual report to Congress for the next five years about previous incidents involving relevant devices compromised by spyware.

Spyware is stealthily installed on victims’ devices, oftentimes through exploiting software vulnerabilities or tricking users into clicking malicious links. Once embedded, it operates silently in the background, intercepting communications, tracking locations and extracting sensitive data without the victim's knowledge.

Devices infected with spyware often exhibit noticeable lag and high temperatures, a sign that the program is consuming processing power and draining the battery as it covertly performs data extraction and surveillance tasks.

The State Department is leading an ongoing international pact designed to deter global spyware abuses. The alliance encourages participating nations to impose domestic and international controls on spyware makers and their investors. 

The U.S. argues that spyware abuses threaten privacy and freedoms of expression, and that targeting individuals with such tools has been linked to arbitrary detentions, forced disappearances and extrajudicial killings. 

Several current and former U.S. officials and lawmakers have been targeted by the cyber surveillance tools. 

Multiple times this year, State has used new authorities enacted in February that allow the U.S. to impose visa restrictions on individuals involved in surveillance tech abuses.

But American law enforcement has also engaged with spyware companies. The FBI in 2022 confirmed that it had tested a surveillance offering from NSO Group, a well-documented Israeli spyware provider, for use in criminal investigations. At the time, the agency said the license was not used in a real scenario.

Recent court records from ongoing litigation between NSO Group and WhatsApp revealed the Israeli cyberspying company handles the installation and data extraction process for its surveillance software, rather than delegating those actions to its government clients. NSO, which was blacklisted by the U.S. earlier in the decade, infected some 1,400 WhatsApp users in 2019, accompanying court documents allege.

NSO’s flagship Pegasus spyware might be hiding on more phones than assumed, according to research from iVerify released last week. The study scanned 2,500 devices and uncovered seven infections.

The Biden administration is also reviewing a $2 million contract between Immigration and Customs Enforcement and Paragon Solutions, another Israeli spyware firm, amid concerns that the deal violates terms set out in a spyware executive order issued last year, WIRED reported in October.

Spyware development is largely fueled by the private sector. Google findings released earlier this year show that commercial surveillance technology vendors have built a lucrative business selling their products to governments.