Code · BILL · 117th Congress · H.R. 8367 (Reported in House) — To authorize appropriations for fiscal year 2023 for intelligence and intelligence-related activities of the United S... · Sec. 309

Sec. 309. Measures to mitigate counterintelligence threats from proliferation and use of foreign commercial spyware


Congress finds the following: The proliferation of foreign commercial spyware poses an acute and emergent threat to the national security of the United States. Foreign entities have developed and supplied foreign commercial spyware to other foreign governments that used these tools to maliciously target officials of the United States Government. Many of those foreign governments have, in service of their repressive activities, targeted journalists, businesspeople, activists, academics, and other persons.
Furthermore, public reports suggest that foreign companies involved in the proliferation of foreign commercial spyware maintain close ties to foreign governments and their intelligence services. This close relationship between foreign governments and the companies selling foreign commercial spyware furthers the already substantial counterintelligence concerns for any end-user of these products, including potential end-users in the United States. To mitigate the grave counterintelligence threat posed by the rapid spread of these tools—as well as to improve the digital security of citizens of the United States, combat cyber threats, and mitigate unlawful surveillance—the United States on January 19, 2022, finalized a rule establishing controls on the export, reexport, or in-country transfer of certain items that can be used for malicious cyber activities.
In furtherance of the same national security objectives, the Commerce Department on November 4, 2021, released a rule adding four foreign companies to the Entity List for engaging in activities that are contrary to the national security or foreign policy interests of the United States. This rule had the practical effect of preventing the listed companies from receiving American technologies. Subsequent public reports indicate that at least one of the four companies added to the Entity List attempted to evade these and other restrictions, and a private consultancy which oversees that company informed the European Parliament in 2022 that it could not confirm the blacklisted company is complying with all relevant laws and regulatory frameworks.
It is the sense of Congress that the intelligence community, with its unique authorities, foreign intelligence mission, analytical capabilities, and other capabilities, is best positioned to lead the efforts of the United States Government to mitigate the counterintelligence threats posed by the rapidly expanding ecosystem of foreign commercial spyware, including by devising and implementing strategies to protect personnel of the United States Government from being maliciously targeted.
It shall be the policy of the United States to decisively act against counterintelligence threats posed by foreign commercial spyware, as well as the individuals who lead entities selling foreign commercial spyware and who are reasonably believed to be involved, have been involved, or pose a significant risk to being or becoming involved, in activities contrary to the national security or foreign policy interests of the United States.
Title XI of the National Security Act of 1947 (50 U.S.C. 3231 et seq.) is amended by inserting after section 1102 the following new section (and conforming the table of contents at the beginning of such Act accordingly):
Not later than March 1, 2023, and annually thereafter, the Director of National Intelligence, in coordination with the Director of the Central Intelligence Agency, the Director of the National Security Agency, and the Director of the Federal Bureau of Investigation, shall submit to the congressional intelligence committees a report containing an assessment of the counterintelligence threats and other risks to the national security of the United States posed by the proliferation of foreign commercial spyware.
The assessment shall incorporate all credible data, including open-source information.
Each report under paragraph (1) shall include the following, if known: A list of the most significant foreign companies, as determined by the Director of National Intelligence, selling, leasing, or otherwise providing foreign commercial spyware, and associated foreign commercial entities, assessed by the intelligence community to be the most significant foreign actors in the global proliferation of foreign commercial spyware. A description of the foreign commercial spyware marketed by the foreign companies identified under subparagraph (A) and an assessment by the intelligence community of the foreign commercial spyware. An assessment of the counterintelligence risk to personnel of the intelligence community posed by such spyware. Details of where each foreign company identified under subparagraph (A) is domiciled, as well as any foreign country in which the company has subsidiaries or resellers acting as the local agent on behalf of the foreign parent company. A description of how each such foreign company is financed, where the foreign company acquired its capital, and the major investors in the foreign company. An assessment by the intelligence community of any relationship between each such foreign company and a foreign government, including any export controls and processes to which the foreign company is subject. To the extent such information is obtainable through clandestine collection or open source intelligence, a list of the foreign customers of each such foreign company, including the understanding by the intelligence community of the organizations and end-users within any foreign government that procured the spyware of that foreign company. With respect to each foreign customer identified under subparagraph (G), an assessment by the intelligence community regarding how the foreign customer is using the spyware, including whether the spyware has been used to target personnel of the intelligence community. With respect to the first report, a mitigation plan to reduce the exposure of personnel of the intelligence community to foreign commercial spyware. With respect to each report following the first report, details of steps taken by the intelligence community since the previous report to implement measures to reduce the exposure of personnel of the intelligence community to foreign commercial spyware.
Each report under paragraph (1) shall be submitted in classified form. The Director of National Intelligence shall share each report under paragraph (1) with the heads of other appropriate Federal departments and agencies, including the President, the heads of all elements of the intelligence community, the Secretary of State, the Attorney General, the Director of the Federal Bureau of Investigation, the Secretary of Commerce, and the heads of any other agencies the Director determines appropriate.
The Director of National Intelligence shall submit to the appropriate congressional committees a list of companies selling, leasing, or otherwise providing foreign commercial spyware that the Director determines are engaged in activities that pose a counterintelligence risk to personnel of the intelligence community. The Director shall update the list under paragraph (1) not less frequently than annually. Each list under paragraph (1) shall be submitted in classified form. The Director of National Intelligence shall share each list under paragraph (1) with the heads of other appropriate Federal departments and agencies, including the President, the heads of all elements of the intelligence community, the Secretary of State, the Attorney General, the Director of the Federal Bureau of Investigation, the Secretary of Commerce, and the heads of any other agencies the Director determines appropriate.
The Director of National Intelligence may prohibit any element of the intelligence community from procuring, leasing, or otherwise acquiring on the commercial market, or extending or renewing a contract to procure, lease, or otherwise acquire, foreign commercial spyware from a foreign spyware company. In determining whether and how to exercise the authority under subparagraph (A), the Director of National Intelligence shall consider— the assessment of the intelligence community of the counterintelligence threats or other risks to the United States posed by the foreign commercial spyware; and the assessment of the intelligence community of whether the foreign commercial spyware has been used to target United States Government personnel.
The Director of National Intelligence may prohibit the purchase or use by the intelligence community of spyware from a domestic company if the Director determines that the spyware was originally sourced, in whole or in part, from a foreign company. In considering whether and how to exercise the authority under subparagraph (A) with respect to spyware, the Director of National Intelligence shall consider— whether the original owner or developer retains any of the physical property or intellectual property associated with the spyware; whether the original owner or developer has verifiably destroyed all copies of the data collected by or associated with the spyware; whether the personnel of the original owner or developer retain any access to data collected by or associated with the spyware; whether the use of the spyware requires the user to connect to an information system of the original owner or developer or of a foreign government; and whether the spyware poses a counterintelligence risk to the United States or any other threat to the national security of the United States.
The Director of National Intelligence may prohibit any element of the intelligence community from entering into any contract or other agreement for any purpose with a domestic company that has acquired, in whole or in part, any foreign commercial spyware. In considering whether and how to exercise the authority under subparagraph (A) with respect to a domestic company that has acquired foreign commercial spyware, the Director of National Intelligence shall consider— whether the original owner or developer of the spyware retains any of the physical property or intellectual property associated with the spyware; whether the original owner or developer of the spyware has verifiably destroyed all copies of the data collected by or associated with the spyware; whether the personnel of the original owner or developer of the spyware retain any access to data collected by or associated with the spyware; whether the use of the spyware requires the user to connect to an information system of the original owner or developer or of a foreign government; and whether the spyware poses a counterintelligence risk to the United States or any other threat to the national security of the United States.
The head of an element of the intelligence community may request from the Director of National Intelligence the waiver of a prohibition made under paragraph (1), (2), or (3). The Director may issue such a waiver in response to such a request if— such waiver is in the national security interest of the United States; and the Director submits to the congressional intelligence committees the notice described in subparagraph (B). Not later than 30 days after issuing a waiver under subparagraph (A), the Director of National Intelligence shall submit to the congressional intelligence committees notice of the waiver. Such notice shall include— an identification of the head of the element of the intelligence community that requested the waiver; the rationale for issuing the waiver; and the considerations that informed the ultimate determination of the Director to issue the waiver.
The Director of National Intelligence may terminate a prohibition made under paragraph (1), (2), or (3) at any time.
Not later than 30 days after the date on which the Director of National Intelligence exercises the authority to issue a prohibition under subsection (c), the Director of National Intelligence shall notify the congressional intelligence committees of such exercise of authority. Such notice shall include— a description of the circumstances under which the prohibition was issued; an identification of the company or product covered by the prohibition; any information that contributed to the decision of the Director to exercise the authority, including any information relating to counterintelligence or other risks to the national security of the United States posed by the company or product, as assessed by the intelligence community; and an identification of each element of the intelligence community to which the prohibition has been applied.
Not later than 30 days after the date on which an element of the intelligence community becomes aware that a Government-issued mobile device was targeted or compromised by foreign commercial spyware, the Director of National Intelligence, in coordination with the Director of the Federal Bureau of Investigation, shall notify the congressional intelligence committees of such determination, including— the component of the element and the location of the personnel whose device was targeted or compromised; the number of devices compromised or targeted; an assessment by the intelligence community of the damage to national security of the United States resulting from any loss of data or sensitive information; an assessment by the intelligence community of any foreign government, or foreign organization or entity, and, to the extent possible, the foreign individuals, who directed and benefitted from any information acquired from the targeting or compromise; and as appropriate, an assessment by the intelligence community of the capacity and will of such governments or individuals to continue targeting personnel of the United States Government.
In this section: The term appropriate congressional committees means— the Committee on Foreign Affairs, the Committee on Armed Services, and the Permanent Select Committee on Intelligence of the House of Representatives; and the Committee on Foreign Relations, the Committee on Armed Services, and the Select Committee on Intelligence of the Senate. The term domestic company means a commercial entity, or any subsidiary or affiliate of the entity, incorporated or domiciled in the United States that— sells, leases, or otherwise provides foreign commercial spyware, including by reason of— taking ownership, in whole or in part, of a foreign spyware company; or entering into a partnership with a foreign spyware company; or otherwise owns, leases, or has access to foreign commercial spyware. The term foreign commercial spyware means a tool (or set of tools) sold, leased, marketed, or otherwise provided as an end-to-end system originally developed or owned by a foreign spyware company that provides a purchaser remote access to information stored on or transiting through an electronic device connected to the internet, including end-to-end systems that— allow malign actors to infect mobile and internet-connected devices with malware over both wireless internet and cellular data connections, including without any action required by the user of the device; can record telephone calls and other audio; track the location of the device; or access and retrieve information on the device, including text messages, files, e-mails, transcripts of chats, contacts, photos, and browsing history. The term foreign spyware company means an entity that is— incorporated or domiciled outside the United States; and not subject to the laws and regulations of the United States regulating the surveillance of citizens of the United States and foreign citizens.
The term Government-issued mobile device means a smartphone, tablet, or laptop, or similar portable computing device, that is issued to personnel of the intelligence community by a department or agency of the United States Government for official use by the personnel. The term United States person has the meaning given that term in Executive Order 12333 (50 U.S.C. 3001 note), or any successor order.
Not later than 120 days after the date of the enactment of this Act, the Director of National Intelligence shall— issue standards, guidance, best practices, and policies for elements of the intelligence community to protect Government-issued mobile devices from being compromised by foreign commercial spyware; survey elements of the intelligence community regarding the processes used by the elements to routinely monitor Government-issued mobile devices for known indicators of compromise associated with foreign commercial spyware; or submit to the appropriate congressional committees a report on the sufficiency of the measures in place to routinely monitor Government-issued mobile devices of appropriate personnel of the intelligence community for known indicators of compromise associated with foreign commercial spyware. The report under subparagraph (B) may be submitted in classified form.
Section 904(d)(7) of the Counterintelligence Enhancement Act of 2002 (50 U.S.C. 3383(d)(7)) is amended by adding at the end the following new paragraph: In carrying out efforts to secure Government-issued mobile devices, to consult with the private sector of the United States and reputable third-party researchers to identify vulnerabilities from foreign commercial spyware and maintain effective security measures for such devices. In this subparagraph, the terms Government-issued mobile devices and foreign commercial spyware have the meaning given those terms in section 1102A of the National Security Act of 1947.
The President may impose the sanctions described in paragraph (2) with respect to— a foreign company the President determines, based on credible evidence, to pose a counterintelligence or other risk to the national security of the United States, such as a company included on the watchlist required by subsection (b) of section 1102A of the National Security Act of 1947, as added to subsection (d). any foreign individual who— is a current or former senior executive officer employed by a company described in subparagraph (A); and is responsible for or complicit in, or has directly or indirectly engaged in, the proliferation of foreign commercial spyware that could enable the targeting of United States Government officials or personnel of the intelligence community; any foreign individual who— is a current or former official of a foreign government or is acting for or on behalf of such official; and is responsible for or complicit in, or has directly or indirectly engaged in, the targeting of United States Government officials or personnel of the intelligence community through the use of foreign commercial spyware; or any foreign person that has materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of— a foreign company selling, leasing, or otherwise providing foreign commercial spyware; or the targeting of United States Government officials or personnel of the intelligence community through the use of foreign commercial spyware.
The sanctions described in this paragraph are the following: The President shall exercise all of the powers granted to the President under the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) (except that the requirements of section 202 of such Act (50 U.S.C. 1701) shall not apply) to the extent necessary to block and prohibit all transactions in property and interests in property of a person determined by the President to be subject to paragraph (1) if such property and interests in property are in the United States, come within the United States, or come within the possession or control of a United States person. In the case of a foreign person determined by the President to be subject to paragraph (1) who is an individual, the foreign person is— inadmissible to the United States; ineligible to receive a visa or other documentation to enter the United States; and otherwise ineligible to be admitted or paroled into the United States or to receive any other benefit under the Immigration and Nationality Act (8 U.S.C. 1101 et seq.). In the case of a foreign person determined by the President to be subject to paragraph (1) who is an individual, the visa or other entry documentation of the person shall be revoked, regardless of when such visa or other entry documentation is or was issued. A revocation under this subparagraph shall take effect immediately and automatically cancel any other valid visa or entry documentation that is in the person’s possession.
Sanctions under this paragraph shall not apply with respect to a foreign person if admitting or paroling the person into the United States is necessary to permit the United States to comply with the Agreement regarding the Headquarters of the United Nations, signed at Lake Success June 26, 1947, and entered into force November 21, 1947, between the United Nations and the United States, or other applicable international obligations.
The President may exercise all authorities provided under sections 203 and 205 of the International Emergency Economic Powers Act (50 U.S.C. 1702 and 1704) to carry out this subsection and shall issue such regulations, licenses, and orders as are necessary to carry out this subsection. Any person that violates, attempts to violate, conspires to violate, or causes a violation of this subsection or any regulation, license, or order issued to carry out subparagraph (A) shall be subject to the penalties provided for in subsections (b) and (c) of section 206 of the International Emergency Economic Powers Act (50 U.S.C. 1705) to the same extent as a person that commits an unlawful act described in subsection (a) of that section.
The authorities to impose sanctions authorized under this subsection shall not include the authority to impose sanctions on the importation of goods. In this paragraph, the term good means any article, natural or man-made substance, material, supply or manufactured product, including inspection and test equipment, and excluding technical data. The President may terminate the application of sanctions under this subsection at any time.
Not later than 30 days after the date of the enactment of this Act, the Director of National Intelligence shall submit to the congressional intelligence committees a report on the potential for the United States to lead an effort to devise and implement a common approach with the Five Eyes Partnership to mitigate the counterintelligence risks posed by the proliferation of foreign commercial spyware, including by seeking commitments from partner countries of the Five Eyes Partnership to implement measures similar to the requirements under this section and section 1102A of the National Security Act of 1947 (50 U.S.C. 3231 et seq.), as added by this section. The report under paragraph (1) shall be submitted in unclassified form, but may contain a classified annex, consistent with the protection of intelligence sources and methods.
In this section: The term appropriate congressional committees means— the Committee on Foreign Affairs, the Committee on Armed Services, and the Permanent Select Committee on Intelligence of the House of Representatives; and the Committee on Foreign Relations, the Committee on Armed Services, and the Select Committee on Intelligence of the Senate. The terms foreign commercial spyware, foreign spyware company, and Government-issued mobile device have the meanings given those terms in section 1102A of the National Security Act of 1947 (50 U.S.C. 3231 et seq.), as added by this section. The term Five Eyes Partnership means the intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom, and the United States. The term foreign person means a person that is not a United States person. The term person means an individual or an entity (including a company).