(Bloomberg) -- A US government probe into how many mobile phones belonging to diplomats and government workers have been infected with spyware could “easily run to the hundreds,” according to a member of the House Intelligence Committee.
Jim Himes, a Democrat representative from Connecticut, told Bloomberg News that the Biden administration is “just beginning to get an inkling of the magnitude of the problem.” He predicted that the probe could find that spyware was used against “hundreds” of federal personnel in “multiple countries.”
Himes was a lead author of a September letter calling on the federal government to better protect US diplomats overseas from spyware and publicly detail instances of such abuse. He received a letter last month written jointly by the Departments of Commerce and State that confirmed commercial spyware has targeted US government personnel serving overseas.
“Spyware technology has sort of moved beyond our ability to ensure that the communications of our diplomats are protected, or even the locations and contacts and photographs of our diplomats are protected. And that’s obviously a huge vulnerability,” he said.
The official confirmation follows a Reuters report from last year that the iPhones of at least nine State Department employees were hacked with spyware developed by Israel’s NSO Group. The employees were either based in Uganda or focused on issues related to the country, according to the report.
The inquiry is focused on how many diplomats and other US personnel have been targeted, who is targeting them and which spyware tools were used, according to the letter and two US officials familiar with the matter. Government efforts are also focused on how to prevent US government employees from falling prey to spyware.
NSO Group’s spyware can covertly record emails, phone calls and text messages, track location and record video and audio using the phone’s camera and microphone. The company has been criticized — and blacklisted by the Commerce Department — because its spyware has been used by its government clients to target government officials, journalists, activists and others.
NSO Group has repeatedly said that it sells its technology to law enforcement and government agencies for the purpose of catching criminals and terrorists.
A US government official familiar with the probe said that it’s ongoing and hasn’t yet reached a conclusion on the number of employees who were successfully targeted. A second person, a senior US official familiar with the inquiry, said even a small number of targeted personnel would pose a serious counterintelligence risk. Both officials spoke on the condition of anonymity given the sensitive nature of the probe.
A new executive order is also in the works that would prohibit government officials from using commercial spyware if there are risks it could be misused or if poses a counterintelligence or security risks to the US, according to the letter.
The inquiry underscores the challenges for the State Department as it tries to protect diplomats working abroad from spyware. Many use apps such as Signal and Meta Platforms Inc.’s Facebook and WhatsApp on their official phones as a necessary part of their work, according to Kelly Fletcher, a former Pentagon official who is the State Department’s new chief information officer.
She said, in her first interview since taking the post, that her agency is “actively hardening” its systems and has “robust processes” for detecting intrusions on mobile device operating systems and applications. But she said challenges remain.
At least half of State Department teleworkers are still using their personal laptops for work, she said. “I would love to see every State Department user on a State Department laptop,” she added.
Fletcher said she wants to give priority to protecting the most valuable five to 10 people at State Department, including the top US diplomat Antony Blinken, describing them as “really rich targets.”
“I believe that there should be separate standards for these very highest-level users,” she said. “What I don’t want these people to do is to like, ‘Oh forget it, I’m just going to use my personal phone.’”
Fletcher said in a statement that the State Department continues to work with other agencies “to monitor and respond to activity of concern targeting State officials.” But she declined to discuss details of the spyware inquiry “for security reasons and to protect our ongoing investigation.”
