U.S. cracks down on commercial spyware with visa restrictions

The U.S. government restricted travel visas for 13 individuals tied to the development of commercial spyware, the State Department announced Monday.

Commercial spyware, which is developed by legitimate companies and sold to customers such as governments and law enforcement agencies, represents a major issue in cybersecurity today. Vendors such as Cy4gate, Intellexa and NSO Group typically obtain zero-day vulnerabilities and develop exploits to deliver their commercial spyware. According to Google research published last month, spyware vendors were behind 75% of known zero-day exploits targeting Google products and Android devices last year.

President Joe Biden issued an executive order last month prohibiting the use of commercial spyware within the U.S. government. And in February, Secretary of State Antony Blinken announced a new policy from the State Department to, according to a press statement, "allow the imposition of visa restrictions on individuals involved in the misuse of commercial spyware."

Section 212(a)(3)(C) of the Immigration and Nationality Act allows the U.S. government to enact visa restrictions on individuals believed to have been involved in the misuse of commercial spyware; individuals believed to financially benefit from the misuse of commercial spyware; and the immediate family members of these individuals, including spouses and children.

Monday's announcement marks the first enforcement of this policy, as well as the U.S. government's latest effort to curb the proliferation of these hacking tools. In a press release, the State Department said it was taking steps to "impose visa restrictions on 13 individuals who have been involved in the development and sale of commercial spyware or who are immediate family members of those involved."

The State Department did not name the individuals or specify which commercial spyware vendors they were associated with.

"These individuals have facilitated or derived financial benefit from the misuse of this technology, which has targeted journalists, academics, human rights defenders, dissidents and other perceived critics, and U.S. Government personnel," the press release read.

In a series of posts to X, formerly known as Twitter, in February, Citizen Lab senior researcher John Scott-Railton said the visa rule would be impactful because it "follows the people," as spyware companies could use shell companies and alternate corporate identities to skirt sanctions. With the February policy focusing on individuals and their families, this is not possible. Scott-Railton emphasized this in a separate thread on Monday.

"Visa restrictions are a promising tool in the fight against mercenary spyware. Spyware developers & investors want big returns," he said. "But they also want to spend some of that money on travel to the US & their kids' Ivy League tuition."

Michael De Dora, U.S. policy and advocacy manager at digital civil rights nonprofit Access Now, told TechTarget Editorial that it was "critical" the U.S. government use all available levers to hold responsible individuals accountable.

"Levying sanctions on spyware companies and their executives sends a clear message that facilitating, using, or profiting from the abusive use of spyware technology is unacceptable and will be punished," De Dora said. "While this move is welcomed, Access Now continues to urge the U.S. to name the countries where these individuals are nationals. Access Now also believes these sanctions would hold much more power if the State Department is empowered by law to make public the targets of visa sanctions."

Government entities have shown increased creativity in how they combat cybercrime. As part of the international law enforcement disruption of ransomware-as-a-service giant LockBit announced in February, a coalition of governments led by the U.K.'s National Crime Agency seized the gang's data leak site and published a rebranded version to the same .onion URL, featuring agency press releases, decryption keys, back-end leaks and more. This effort to harm LockBit's reputation could have been a reason why LockBit's comeback is reportedly failing.

TechTarget Editorial reached out to the State Department for additional comment.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.