A $2 million contract between the United States Immigration and Customs Enforcement (ICE) and Israeli spyware firm Paragon Solutions has been halted and is now subject to a compliance review. This pause has drawn attention as it serves as an early evaluation of the Biden administration’s executive order aimed at limiting the government’s use of commercial spyware technologies.
Signed on September 27, the contract was reported by WIRED shortly afterward and was intended for a range of services, including the deployment of proprietary hardware and training. However, on October 8, ICE’s Homeland Security Investigations (HSI) issued a stop-work order to assess whether the contract aligns with Executive Order 14093, which focuses on safeguarding national security and upholding human rights in the context of surveillance technologies.
The executive order, enacted by President Biden in March 2023, seeks to impose stricter controls on the government’s engagement with commercial spyware, promoting its responsible application. The order underscores a commitment to ensuring that such technologies are used in ways that do not compromise civil liberties or national integrity.
The Department of Homeland Security (DHS) has not disclosed whether the contract specifically involves Paragon’s primary spyware tool, Graphite, which is known for its capabilities in extracting data from cloud backups. Concerns surrounding such powerful tools highlight cybersecurity issues that warrant revisiting the initial review processes established under the executive order.
A senior official from the US administration, who requested anonymity, noted the proactive stance taken by DHS to clarify the scope and adherence of the contract in relation to the new regulations. This dialogue reflects a collaborative effort to ensure transparency and accountability in the utilization of potentially invasive surveillance tools.
As part of the compliance process dictated by the executive order, a thorough examination of the vendor and the technology is required. This aims to uncover any potential risks associated with counterintelligence and improper use of surveillance technologies. Notably, the order mandates that operational use of any commercial spyware may begin only once at least seven days have passed since notification to the White House, or once explicit consent is received from the national security advisor.
The outcome of this review will ultimately determine whether the contract proceeds, based on the circumstances found. That outcome will be guided by the need to ensure that the vendor and tool in question do not conflict with the standards outlined in the executive order. This case serves as a critical primer on the evolving landscape of cybersecurity regulations and the implications for government contracts with surveillance technology providers, emphasizing the ongoing need for vigilance in a digital age marked by sophisticated adversary tactics.
In this context, considerations derived from the MITRE ATT&CK framework may prove pertinent, particularly regarding adversary tactics such as initial access and privilege escalation, as well as potential implications of these cybersecurity measures for various stakeholders in the U.S.