Building accountability into the coming spyware ban

The Biden administration is reportedly considering an executive order that is perhaps long overdue. Essentially, this order would limit whether and how the federal government can use foreign commercial spyware. The primary target of this executive order is aimed at spyware makers like NSO Group. While a potential executive order is sure to be strict on those types of companies, if I were a regulator implementing a ban of this magnitude, I would want the impact to be widespread, including the prevention of purchasing or downloading apps which contain foreign spyware from app stores like the Apple App Store or the Google Play Store. 

As someone who's managed cybersecurity at the top levels of state government in California, I believe we need to start setting clear standards and expectations for applications and restrict apps which include foreign commercial spyware. In fact, I see this being one of the biggest potential opportunities and benefits that can come out of this executive order, particularly for IT managers. 

Jen Easterly and Eric Goldstein recently addressed the topic of security standards as they pertain to technology. Just like cars come with standard safety features, so too should the technology we interact with each day. Hopefully, this view and the wider impacts of spyware are taken into strong consideration as the executive order moves towards completion.

We have already witnessed several executive orders under the current administration, including one from May 2021 to improve the nation's overall cybersecurity posture and the push in September 2021 for agencies to adopt zero-trust cybersecurity architectures. Based on how those executive orders were structured, here are some things to keep an eye on this time around.

What the executive order is likely to address

When organizations discover they have spyware running, they typically turn to antivirus mechanisms, threat detection and response solutions, or they look at some form of machine learning or AI. The goal is not only to detect spyware and vulnerabilities but also to remediate them. Machine learning and AI have become key components to both the remediation of threats and the creation of more sophisticated attacks. Because of this, and buoyed by the buzz around ChatGPT, a new AI prototype chatbot with an uncanny ability to write original content and converse on command, I would expect the order will address these topics. 

The executive order on spyware should also include some language about general cyber hygiene, including managing, detecting, and remediating vulnerabilities. Having thresholds and guiding principles is a critical component to get everyone on the same page. One of the biggest challenges working in security at the state level is navigating the different pockets of maturity within government organizations. The more we can get a standardized level of maturity and processes, the better prepared we will be to address difficult challenges like distributed denial of service attacks and weeding out spyware. The nature of cybersecurity is that you are often only as strong as your weakest link.  

Topics the executive order may or may not address

There are several important topics that the order could address, but if neglected, will need to be confronted in future orders or legislation. The first is punishment for willful negligence. To date, in many cases even those who willfully avoid taking the necessary steps or worse – are actively hiding or lying about vulnerabilities – have only received a slap on the wrist. They may get terminated, but it is unlikely they receive any fines or jail time. The exception to this is the recent Uber settlement, which may have marked a paradigm shift moving forward. I believe that to enact real change, there needs to be harsher punishments for the more extreme cases. It's time to hold people accountable. If you're found to be in non-compliance with security regulations as an organization, whether you're a state government or a private entity, then there needs to be consequences. 

Another key consideration involves the setting of checkpoints. As the administration goes through this process of issuing the order, they will need to hit critical checkpoints to move things forward. The biggest markers will likely involve getting some concurrence from influential associations and organizations.  Without the buy-in and recommendations from some of the most influential enterprise tech companies, any order or legislation faces a very real chance of being dead on arrival as enforcement will be near impossible.