
Tackling The Spyware Crisis – The National Interest

Domestic investment in spyware is undermining national security at all levels of society.

Spyware—malicious software used to surveil individuals and organizations—poses a rapidly growing threat to U.S. national security. These technologies are increasingly used to monitor, suppress, and threaten targets, including American citizens. The practice is enabled by a shadowy marketplace that often involves U.S. investors. 

Just a couple of months ago, Paragon Solutions was linked to the misuse of spyware in at least seven countries around the world. It is vital that the Trump administration grips this issue early on by tackling the flow of U.S. dollars into spyware. 

We suggest three ways the administration can tackle the spyware challenge: by developing a baseline understanding of outbound investments in the spyware market, strengthening disclosure requirements, and providing support to U.S. investors in conducting due diligence.

For years, spyware has been used to target American officials and citizens at home and abroad. In early 2023, several U.S. Congress members’ phones were infected with Predator, a spyware developed by members of the Intellexa Consortium. In 2021, Apple notified around a dozen U.S. officials working in Uganda and at least nine U.S. government employees that they were being targeted by NSO Group’s Pegasus spyware. 

Moreover, these capabilities are increasingly falling into the hands of a growing range of actors, including states like Iran and rogue terrorist groups like the Houthis, whose newfound access to some of the most advanced offensive cyber capabilities in cyberspace risks undermining U.S. strategic advantage globally.

So why is there a focus on outbound investment into spyware, and why now? The United States has been a world leader in limiting the proliferation and misuse of spyware for years. Its list of accomplishments includes executive actions, sanctions on key individuals and organizations, export controls, and visa restrictions. At the same time, however, for spyware vendors, access to a well of U.S. investors has been an important means of supporting and growing spyware as an ecosystem—and it remains a part of this market yet to see significant U.S. action.

Understanding the Spyware Market

Congress lacks an understanding of the spyware capabilities of adversaries, including how American companies contribute to this ecosystem. The House Select Committee on the Chinese Communist Party (CCP) set a useful precedent through its extensive investigations into U.S. investments in China, including by venture capital firms, which resulted in legislative and executive action in the form of the Comprehensive Outbound Investment National Security (COINS) Act proposed by Rep. Andy Barr (R-KY) and Rep. John Moolenaar (R-MI), and President Trump’s America First Investment Policy. 

The Senate Select Committee on Intelligence could draw upon this model, conducting research to develop a bipartisan understanding of investment into the spyware capabilities of adversaries, which could inform legislative efforts.

As we published last year, a significant proportion of the investment into this industry comes from the United States, Italy, the United Kingdom, and Israel. Critically, over a fourth of those investors are U.S. venture capital firms, including the likes of Battery Ventures, Blumberg Capital, and, more recently, AE Industrial Partners, which acquired Paragon Solutions, a lodestar spyware vendor in the wider spyware ecosystem.

This trend of outbound U.S. investment into spyware highlights that: 1) investment firms, despite restrictions and signaling from the government, still view spyware vendors as a legitimate and profitable investment; and 2) U.S. dollars have directly contributed to a technology that has enabled the targeting of U.S. personnel overseas, officials in allied governments, and Congress members.

Strengthening Disclosure Requirements

Executive Order (EO) 14105 requires notification of outbound investments into certain companies and technologies but only covers quantum technology, AI, semiconductors, and microelectronics and is confined to Chinese companies. The Trump administration should expand the provisions of this order to include dual-use spyware capabilities and make the countries of concern list more representative of U.S. adversaries in the cyber domain. 

Alongside the proposed American Investment Accountability Act (AIAA) and the COINS Act, this measure would tackle a significant loophole in U.S. policy: the ability of investors to pour money into sectors of concern, such as spyware, despite American companies being prevented from selling or purchasing spyware under current export controls.

Investment by a U.S. firm into a spyware vendor not only provides direct capital but also legitimizes the vendor’s business activities, which can, in turn, bring additional funds and talent. These “intangible benefits” further enable spyware vendors to enhance their capabilities and, subsequently, enhance the ability of customers to use them against American nationals. 

The inverse is also true. When the Commerce Department added NSO Group to its Entity List and subjected it to trade restrictions, it caused a notable divestment of dollars away from that organization, resulting in loss of talent (including its CEO), financial devaluation, and an acquisition deal, and even leading the company to require an emergency loan to stay afloat. This positive correlation between U.S. investment and the growth of the spyware market provides the government with a meaningful upper hand in tackling spyware.

Members of the Trump national security team have previously worked on policy solutions pertaining to outbound investment, many of which are transferable to spyware as a market. Secretary of State Marco Rubio and Representative Elise Stefanik (R-NY) have previously backed legislative efforts to make U.S. investment into Chinese companies more transparent and favorable to national security, including the Holding Foreign Companies Accountable Act and the proposed AIAA and Trusted Foreign Auditing Act bills.

Supporting Investor Due Diligence

The Outbound Investment Security Program requires U.S. companies to conduct their own due diligence before making an investment decision to determine whether a transaction is prohibited under this rule, but without sufficient guidance on how to do this. By improving the corporate registry apparatus and guidance on beneficial ownership disclosure requirements, the Trump administration can help investors ensure their dollars are not being used against national security.

The influx of investment into spyware capabilities is fueling an already significant threat to national security interests, lending legitimacy to and ultimately sustaining a murky marketplace. This only exacerbates a concerning trend in cyberspace—the use of these offensive cyber capabilities by rogue actors against U.S. strategic interests and domestic targets. However, through its economic heft, the Trump administration can stem the flow of dollars working against American interests, and shape the global spyware market for good.

About the Authors: Nitansha Bansal and Jen Roberts

Nitansha Bansal is an assistant director with the Cyber Statecraft Initiative (CSI), part of the Atlantic Council Tech Programs. In this role, her research focuses on the proliferation of offensive cyber capabilities, including spyware and its policy implications for human rights and national security, as well as open source software security. She also supports the CSI’s capacity building efforts and runs the Atlantic Council’s Congressional Cyber and Digital Policy Program. Follow her on X: @NitanshaBansal.

Jen Roberts is an associate director with the Cyber Statecraft Initiative, part of the Atlantic Council Tech Programs. She primarily works on CSI’s Proliferation of Offensive Cyber Capabilities work. Roberts also helps support the Cyber 9/12 Strategy Challenge and is passionate about how the United States with its allies and partners, especially in the Indo-Pacific, can cooperate in the cyber domain. Follow her on X: @csi_jen.

Image: Pungu X / Shutterstock.com.
