View all text of Subchapter IX [§ 3231 - § 3244]
§ 3232a. Measures to mitigate counterintelligence threats from proliferation and use of foreign commercial spyware
(a) Definitions
In this section:
(1) Appropriate congressional committees
The term “appropriate congressional committees” means—
(A) the Select Committee on Intelligence, the Committee on Foreign Relations, the Committee on Armed Services, the Committee on Banking, Housing, and Urban Affairs, the Committee on the Judiciary, the Committee on Appropriations, and the Committee on Homeland Security and Governmental Affairs of the Senate; and
(B) the Permanent Select Committee on Intelligence, the Committee on Foreign Affairs, the Committee on Armed Services, the Committee on Financial Services, the Committee on the Judiciary, the Committee on Appropriations, the Committee on Homeland Security, and the Committee on Oversight and Reform of the House of Representatives.
(2) Covered entity
(3) Foreign commercial spyware
(4) Foreign company
(5) Spyware
The term “spyware” means a tool or set of tools that operate as an end-to-end system of software to provide an unauthorized user remote access to information stored on or transiting through an electronic device connected to the Internet and not owned or operated by the unauthorized user, including end-to-end systems that—
(A) allow an unauthorized user to remotely infect electronic devices with malicious software, including without any action required by the user of the device;
(B) can record telecommunications or other audio captured on a device not owned by the unauthorized user;
(C) undertake geolocation, collect cell site location information, or otherwise track the location of a device or person using the internal sensors of an electronic device not owned by the unauthorized user;
(D) allow an unauthorized user access to and the ability to retrieve information on the electronic device, including text messages, files, e-mails, transcripts of chats, contacts, photos, and browsing history; or
(E) any additional criteria described in publicly available documents published by the Director of National Intelligence, such as whether the end-to-end system is used outside the context of a codified lawful intercept system.
(b) Annual assessments of counterintelligence threats
(1) Requirement
(2) Elements
Each report under paragraph (1) shall include the following, if known:
(A) A list of the most significant covered entities.
(B) A description of the foreign commercial spyware marketed by the covered entities identified under subparagraph (A) and an assessment by the intelligence community of the foreign commercial spyware.
(C) An assessment of the counterintelligence risk to the intelligence community or personnel of the intelligence community posed by foreign commercial spyware.
(D) For each covered entity identified in subparagraph (A), details of any subsidiaries, resellers, or other agents acting on behalf of the covered entity.
(E) Details of where each covered entity identified under subparagraphs (A) and (D) is domiciled.
(F) A description of how each covered entity identified under subparagraphs (A) and (D) is financed, where the covered entity acquired its capital, and the organizations and individuals having substantial investments or other equities in the covered entity.
(G) An assessment by the intelligence community of any relationship between each covered entity identified in subparagraphs (A) and (D) and any foreign government, including any export controls and processes to which the covered entity is subject.
(H) A list of the foreign customers of each covered entity identified in subparagraphs (A) and (D), including the understanding by the intelligence community of the organizations and end-users within any foreign government.
(I) With respect to each foreign customer identified under subparagraph (H), an assessment by the intelligence community regarding how the foreign customer is using the spyware, including whether the foreign customer has targeted personnel of the intelligence community.
(J) With respect to the first report required under paragraph (1), a mitigation plan to reduce the exposure of personnel of the intelligence community to foreign commercial spyware.
(K) With respect to each report following the first report required under paragraph (1), details of steps taken by the intelligence community since the previous report to implement measures to reduce the exposure of personnel of the intelligence community to foreign commercial spyware.
(3) Classified annex
(4) Form
(5) Dissemination
(c) Authority to prohibit purchase or use by intelligence community
(1) Foreign commercial spyware
(A) In general
(B) Considerations
In determining whether and how to exercise the authority under subparagraph (A), the Director of National Intelligence shall consider—
(i) the assessment of the intelligence community of the counterintelligence threats or other risks to the United States posed by foreign commercial spyware;
(ii) the assessment of the intelligence community of whether the foreign commercial spyware has been used to target United States Government personnel.1
1 So in original. The period probably should be a semicolon.
(iii) whether the original owner or developer retains any of the physical property or intellectual property associated with the foreign commercial spyware;
(iv) whether the original owner or developer has verifiably destroyed all copies of the data collected by or associated with the foreign commercial spyware;
(v) whether the personnel of the original owner or developer retain any access to data collected by or associated with the foreign commercial spyware;
(vi) whether the use of the foreign commercial spyware requires the user to connect to an information system of the original owner or developer or information system of a foreign government; and
(vii) whether the foreign commercial spyware poses a counterintelligence risk to the United States or any other threat to the national security of the United States.
(2) Company that has acquired foreign commercial spyware
(A) Authority
(B) Considerations
In considering whether and how to exercise the authority under subparagraph (A), the Director of National Intelligence shall consider—
(i) whether the original owner or developer of the foreign commercial spyware retains any of the physical property or intellectual property associated with the spyware;
(ii) whether the original owner or developer of the foreign commercial spyware has verifiably destroyed all data, and any copies thereof, collected by or associated with the spyware;
(iii) whether the personnel of the original owner or developer of the foreign commercial spyware retain any access to data collected by or associated with the foreign commercial spyware;
(iv) whether the use of the foreign commercial spyware requires the user to connect to an information system of the original owner or developer or information system of a foreign government; and
(v) whether the foreign commercial spyware poses a counterintelligence risk to the United States or any other threat to the national security of the United States.
(3) Notifications of prohibition
Not later than 30 days after the date on which the Director of National Intelligence exercises the authority to issue a prohibition under subsection (c), the Director of National Intelligence shall notify the congressional intelligence committees of such exercise of authority. Such notice shall include—
(A) a description of the circumstances under which the prohibition was issued;
(B) an identification of the company or product covered by the prohibition;
(C) any information that contributed to the decision of the Director of National Intelligence to exercise the authority, including any information relating to counterintelligence or other risks to the national security of the United States posed by the company or product, as assessed by the intelligence community; and
(D) an identification of each element of the intelligence community to which the prohibition has been applied.
(4) Waiver authority
(A) In general
(B) Director of National Intelligence determination
(C) Notice
Not later than 30 days after approving a waiver request pursuant to subparagraph (B), the Director of National Intelligence shall submit to the congressional intelligence committees, the Subcommittee on Defense of the Committee on Appropriations of the Senate, and the Subcommittee on Defense of the Committee on Appropriations of the House of Representatives a written notification. The notification shall include—
(i) an identification of the head of the element of the intelligence community that requested the waiver;
(ii) the details of the waiver request, including the national security interests of the United States;
(iii) the rationale and basis for the determination that the waiver is in the national security interests of the United States;
(iv) the considerations that informed the ultimate determination of the Director of National Intelligence to issue the waiver; and
(v) and any other considerations contributing to the determination, made by the Director of National Intelligence.
(D) Waiver termination
(5) Termination of prohibition
(July 26, 1947, ch. 343, title XI, § 1102A, as added Pub. L. 117–263, div. F, title LXIII, § 6318(c), Dec. 23, 2022, 136 Stat. 3515; amended Pub. L. 118–31, div. G, title IX, § 7901(a)(4), Dec. 22, 2023, 137 Stat. 1106.)