50 U.S. Code § 3232a - Measures to mitigate counterintelligence threats from proliferation and use of foreign commercial spyware

(a) Definitions

In this section:

(1) Appropriate congressional committees

The term “appropriate congressional committees” means—

(A) the Select Committee on Intelligence, the Committee on Foreign Relations, the Committee on Armed Services, the Committee on Banking, Housing, and Urban Affairs, the Committee on the Judiciary, the Committee on Appropriations, and the Committee on Homeland Security and Governmental Affairs of the Senate; and

(B) the Permanent Select Committee on Intelligence, the Committee on Foreign Affairs, the Committee on Armed Services, the Committee on Financial Services, the Committee on the Judiciary, the Committee on Appropriations, the Committee on Homeland Security, and the Committee on Oversight and Reform of the House of Representatives.

(2) Covered entity

The term “covered entity” means any foreign company that either directly or indirectly develops, maintains, owns, operates, brokers, markets, sells, leases, licenses, or otherwise makes available spyware.

(3) Foreign commercial spyware

The term “foreign commercial spyware” means spyware that is developed (solely or in partnership with a foreign company), maintained, sold, leased, licensed, marketed, sourced (in whole or in part), or otherwise provided, either directly or indirectly, by a foreign company.

(4) Foreign company

The term “foreign company” means a company that is incorporated or domiciled outside of the United States, including any subsidiaries or affiliates wherever such subsidiaries or affiliates are domiciled or incorporated.

(5) Spyware

The term “spyware” means a tool or set of tools that operate as an end-to-end system of software to provide an unauthorized user remote access to information stored on or transiting through an electronic device connected to the Internet and not owned or operated by the unauthorized user, including end-to-end systems that—

(A) allow an unauthorized user to remotely infect electronic devices with malicious software, including without any action required by the user of the device;

(B) can record telecommunications or other audio captured on a device not owned by the unauthorized user;

(C) undertake geolocation, collect cell site location information, or otherwise track the location of a device or person using the internal sensors of an electronic device not owned by the unauthorized user;

(D) allow an unauthorized user access to and the ability to retrieve information on the electronic device, including text messages, files, e-mails, transcripts of chats, contacts, photos, and browsing history; or

(E) any additional criteria described in publicly available documents published by the Director of National Intelligence, such as whether the end-to-end system is used outside the context of a codified lawful intercept system.

(b) Annual assessments of counterintelligence threats

(1) Requirement

Not later than 90 days after December 23, 2022, and annually thereafter, the Director of National Intelligence, in coordination with the Director of the Central Intelligence Agency, the Director of the National Security Agency, and the Director of the Federal Bureau of Investigation, shall submit to the appropriate congressional committees a report with an accompanying classified annex containing an assessment of the counterintelligence threats and other risks to the national security of the United States posed by the proliferation of foreign commercial spyware. The assessment shall incorporate all credible data, including open-source information.

(2) Elements

Each report under paragraph (1) shall include the following, if known:

(A) A list of the most significant covered entities.

(B) A description of the foreign commercial spyware marketed by the covered entities identified under subparagraph (A) and an assessment by the intelligence community of the foreign commercial spyware.

(C) An assessment of the counterintelligence risk to the intelligence community or personnel of the intelligence community posed by foreign commercial spyware.

(D) For each covered entity identified in subparagraph (A), details of any subsidiaries, resellers, or other agents acting on behalf of the covered entity.

(E) Details of where each covered entity identified under subparagraphs (A) and (D) is domiciled.

(F) A description of how each covered entity identified under subparagraphs (A) and (D) is financed, where the covered entity acquired its capital, and the organizations and individuals having substantial investments or other equities in the covered entity.

(G) An assessment by the intelligence community of any relationship between each covered entity identified in subparagraphs (A) and (D) and any foreign government, including any export controls and processes to which the covered entity is subject.

(H) A list of the foreign customers of each covered entity identified in subparagraphs (A) and (D), including the understanding by the intelligence community of the organizations and end-users within any foreign government.

(I) With respect to each foreign customer identified under subparagraph (H), an assessment by the intelligence community regarding how the foreign customer is using the spyware, including whether the foreign customer has targeted personnel of the intelligence community.

(J) With respect to the first report required under paragraph (1), a mitigation plan to reduce the exposure of personnel of the intelligence community to foreign commercial spyware.

(K) With respect to each report following the first report required under paragraph (1), details of steps taken by the intelligence community since the previous report to implement measures to reduce the exposure of personnel of the intelligence community to foreign commercial spyware.

(3) Classified annex

In submitting the report under subsection [1] (2), the Director shall also include an accompanying but separate classified annex, providing a watchlist of companies selling, leasing, or otherwise providing foreign commercial spyware that the Director determines are engaged in activities that pose a counterintelligence risk to personnel of the intelligence community.

(4) Form

Each report under paragraph (1) shall be submitted in classified form.

(5) Dissemination

The Director of National Intelligence shall separately distribute each report under paragraph (1) and each annex under paragraph (3) to the President, the heads of all elements of the intelligence community, the Secretary of State, the Attorney General, the Secretary of Commerce, the Secretary of Homeland Security, the National Cyber Director, and the heads of any other departments or agencies the Director of National Intelligence determines appropriate.

(c) Authority to prohibit purchase or use by intelligence community

(1) Foreign commercial spyware

(A) In general

The Director of National Intelligence may prohibit any element of the intelligence community from procuring, leasing, or otherwise acquiring on the commercial market, or extending or renewing a contract to procure, lease, or otherwise acquire, foreign commercial spyware.

(B) Considerations

In determining whether and how to exercise the authority under subparagraph (A), the Director of National Intelligence shall consider—

(i) the assessment of the intelligence community of the counterintelligence threats or other risks to the United States posed by foreign commercial spyware;

(ii) the assessment of the intelligence community of whether the foreign commercial spyware has been used to target United States Government personnel.

(iii) whether the original owner or developer retains any of the physical property or intellectual property associated with the foreign commercial spyware;

(iv) whether the original owner or developer has verifiably destroyed all copies of the data collected by or associated with the foreign commercial spyware;

(v) whether the personnel of the original owner or developer retain any access to data collected by or associated with the foreign commercial spyware;

(vi) whether the use of the foreign commercial spyware requires the user to connect to an information system of the original owner or developer or information system of a foreign government; and

(vii) whether the foreign commercial spyware poses a counterintelligence risk to the United States or any other threat to the national security of the United States.

(2) Company that has acquired foreign commercial spyware

(A) Authority

The Director of National Intelligence may prohibit any element of the intelligence community from entering into any contract or other agreement for any purpose with a company that has acquired, in whole or in part, any foreign commercial spyware.

(B) Considerations

In considering whether and how to exercise the authority under subparagraph (A), the Director of National Intelligence shall consider—

(i) whether the original owner or developer of the foreign commercial spyware retains any of the physical property or intellectual property associated with the spyware;

(ii) whether the original owner or developer of the foreign commercial spyware has verifiably destroyed all data, and any copies thereof, collected by or associated with the spyware;

(iii) whether the personnel of the original owner or developer of the foreign commercial spyware retain any access to data collected by or associated with the foreign commercial spyware;

(iv) whether the use of the foreign commercial spyware requires the user to connect to an information system of the original owner or developer or information system of a foreign government; and

(v) whether the foreign commercial spyware poses a counterintelligence risk to the United States or any other threat to the national security of the United States.

(3) Notifications of prohibition

Not later than 30 days after the date on which the Director of National Intelligence exercises the authority to issue a prohibition under subsection (c), the Director of National Intelligence shall notify the congressional intelligence committees of such exercise of authority. Such notice shall include—

(A) a description of the circumstances under which the prohibition was issued;

(B) an identification of the company or product covered by the prohibition;

(C) any information that contributed to the decision of the Director of National Intelligence to exercise the authority, including any information relating to counterintelligence or other risks to the national security of the United States posed by the company or product, as assessed by the intelligence community; and

(D) an identification of each element of the intelligence community to which the prohibition has been applied.

(4) Waiver authority

(A) In general

The head of an element of the intelligence community may request from the Director of National Intelligence the waiver of a prohibition made under paragraph (1) or (2).

(B) Director of National Intelligence determination

The Director of National Intelligence, upon receiving the waiver request in subparagraph (A), may issue a waiver for a period not to exceed one year in response to the request from the head of an element of the intelligence community if such waiver is in the national security interest of the United States.

(C) Notice

Not later than 30 days after approving a waiver request pursuant to subparagraph (B), the Director of National Intelligence shall submit to the congressional intelligence committees, the Subcommittee on Defense of the Committee on Appropriations of the Senate, and the Subcommittee on Defense of the Committee on Appropriations of the House of Representatives a written notification. The notification shall include—

(i) an identification of the head of the element of the intelligence community that requested the waiver;

(ii) the details of the waiver request, including the national security interests of the United States;

(iii) the rationale and basis for the determination that the waiver is in the national security interests of the United States;

(iv) the considerations that informed the ultimate determination of the Director of National Intelligence to issue the wavier; [2] and

(v) and any other considerations contributing to the determination, made by the Director of National Intelligence.

(D) Waiver termination

The Director of National Intelligence may revoke a previously granted waiver at any time. Upon revocation of a waiver, the Director of National Intelligence shall submit a written notification to the congressional intelligence committees, the Subcommittee on Defense of the Committee on Appropriations of the Senate, and the Subcommittee on Defense of the Committee on Appropriations of the House of Representatives not later than 30 days after making a revocation determination.

(5) Termination of prohibition

The Director of National Intelligence may terminate a prohibition made under paragraph (1) or (2) at any time. Upon termination of a prohibition, the Director of National Intelligence shall submit a notification of the termination to the congressional intelligence committees, the Subcommittee on Defense of the Committee on Appropriations of the Senate, and the Subcommittee on Defense of the Committee on Appropriations of the House of Representatives not later than 30 days after terminating a prohibition, detailing the basis for the termination, including any United States national security interests that may be affected by such termination.

(July 26, 1947, ch. 343, title XI, § 1102A, as added Pub. L. 117–263, div. F, title LXIII, § 6318(c), Dec. 23, 2022, 136 Stat. 3515.)

---

[1]  So in original. Probably should be “paragraph”.

[2]  So in original. Probably should be “waiver;”.

Statutory Notes and Related Subsidiaries

Rule of Construction—No Enhanced Authorities

Pub. L. 117–263, div. F, title LXIII, § 6318(e), Dec. 23, 2022, 136 Stat. 3521, provided that:

“Nothing in this section [enacting this section, amending section 3383 of this title, and enacting provisions set out as notes under this section] or an amendment made by this section shall be construed as enhancing, or otherwise changing, the authorities of the intelligence community to target, collect, process, or disseminate information regarding United States Government personnel.”

[For definition of “intelligence community” as used in section 6318(e) of Pub. L. 117–263, set out above, see section 6002 of div. F of Pub. L. 117–263, set out as a note under section 3003 of this title.]

Statement of Policy

Pub. L. 117–263, div. F, title LXIII, § 6318(b), Dec. 23, 2022, 136 Stat. 3515, provided that:

“It shall be the policy of the United States to act decisively against counterintelligence threats posed by foreign commercial spyware, as well as the individuals who lead entities selling foreign commercial spyware and who are reasonably believed to be involved, have been involved, or pose a significant risk to being or becoming involved, in activities contrary to the national security or foreign policy interests of the United States.”

[For definition of “foreign commercial spyware” as used in section 6318(b) of Pub. L. 117–263, set out above, see section 6318(a) of div. F of Pub. L. 117–263, set out below.]

Protection of Covered Devices

Pub. L. 117–263, div. F, title LXIII, § 6318(d)(1)–(3), Dec. 23, 2022, 136 Stat. 3520, provided that:

“(1) Requirement.—

Not later than 120 days after the date of the enactment of this Act [Dec. 23, 2022], the Director of National Intelligence shall—

“(A) issue standards, guidance, best practices, and policies for elements of the intelligence community to protect covered devices from being compromised by foreign commercial spyware;

“(B) survey elements of the intelligence community regarding the processes used by the elements to routinely monitor covered devices for indicators of compromise associated with foreign commercial spyware; and

“(C) submit to the congressional intelligence committees a report on the sufficiency of the measures in place to routinely monitor covered devices for indicators of compromise associated with foreign commercial spyware.

“(2) Form.—

The report under paragraph (1)(C) may be submitted in classified form.

“(3) Counterintelligence notifications.—

Not later than 30 days after the date on which an element of the intelligence community becomes aware that a covered device was targeted or compromised by foreign commercial spyware, the Director of National Intelligence, in coordination with the Director of the Federal Bureau of Investigation, shall notify the congressional intelligence committees, the Subcommittee on Defense of the Committee on Appropriations of the Senate, and the Subcommittee on Defense of the Committee on Appropriations of the House of Representatives of such determination, including—

“(A) the component of the element and the location of the personnel whose covered device was targeted or compromised;

“(B) the number of covered devices compromised or targeted;

“(C) an assessment by the intelligence community of the damage to national security of the United States resulting from any loss of data or sensitive information;

“(D) an assessment by the intelligence community of any foreign government, or foreign organization or entity, and, to the extent possible, the foreign individuals, who directed and benefitted from any information acquired from the targeting or compromise; and

“(E) as appropriate, an assessment by the intelligence community of the capacity and will of such governments or individuals to continue targeting personnel of the United States Government.”

[For definitions of “intelligence community” and “congressional intelligence committees” as used in section 6318(d)(1)–(3) of Pub. L. 117–263, set out above, see section 6002 of div. F of Pub. L. 117–263, set out as a note under section 3003 of this title.]

[For definitions of “covered device” and “foreign commercial spyware” as used in section 6318(d)(1)–(3) of Pub. L. 117–263, set out above, see section 6318(a) of div. F of Pub. L. 117–263, set out below.]

Definitions

Pub. L. 117–263, div. F, title LXIII, § 6318(a), Dec. 23, 2022, 136 Stat. 3515, provided that:

“In this section:

“(1) Covered device.—

The term ‘covered device’ means any electronic mobile device including smartphones, tablet computing devices, or laptop computing devices, that is issued by an element of the intelligence community for official use.

“(2) Foreign commercial spyware; foreign company; spyware.—

The terms ‘foreign commercial spyware’, ‘foreign company’, and ‘spyware’ have the meanings given those terms in section 1102A of the National Security Act of 1947 (50 U.S.C. 3231 et seq. [probably means 50 U.S.C. 3232a]), as added by this section.”

[For definition of “intelligence community” as used in section 6318(a) of Pub. L. 117–263, set out above, see section 6002 of div. F of Pub. L. 117–263, set out as a note under section 3003 of this title.]