‘Ground-Game Diplomacy’ Key to Fighting Misuse of Commercial Spyware Globally
NATHANIEL FICK served from 2022 to 2025 as the inaugural U.S. Ambassador at Large for Cyberspace & Digital Policy at the Department of State.
In an effort to combat growing digital threats, the U.S. government over the past few years has upped its fight against cyber mercenaries by establishing spyware guardrails within its agencies. In 2023, President Joe Biden signed an executive order restricting the use of commercial spyware by U.S. agencies. The U.S. government then took the effort a step further by coordinating a joint statement signed by more than a dozen countries pledging to do the same.
It was all a part of the U.S. government’s international strategy for creating digital solidarity across countries. And key to that diplomatic effort from 2022 to 2025 was Nathaniel Fick, who served as the first U.S. Ambassador at Large for Cyberspace and Digital Policy.
FP Analytics interviewed Fick about the U.S. government’s domestic and international response to the growing spyware issue. The following transcript has been edited for length and clarity.
FP Analytics (FPA): What impact has artificial intelligence (AI) had on cyber mercenaries, and how did your diplomatic efforts address that?
Nathaniel Fick (NF): AI is a foundational, crosscutting technology that affects every industry and, therefore, every criminal enterprise. Aspects of AI are going to be beneficial to attackers: They’re going to have the ability to build tools more quickly, to discover vulnerabilities more quickly, to conduct more operations of greater complexity with greater speed and simultaneity. But at the same time, AI is going to have benefits for defenders. You’re going to be able to build better software, for instance, create less-buggy software, analyze more data, and target your defenses more effectively. I think it remains to be seen as the tech plays out whether it advantages the attacker or the defender.
FPA: How quickly have private firms been able to harness those advantages, compared to governments?
NF: One feature of cyber attackers is that they’re unconstrained by law or policy or any of the structural aspects that defenders have to adhere to. So, usually, the attackers can move more quickly, because they’re less constrained. During the Biden administration, we certainly worked hard to make sure we kept innovation as the north star of the U.S. government’s approach. I was part of the deliberations inside the White House that resulted in the voluntary commitments of leading AI developers in the United States [to commit to safety standards]. And voluntary was really important for two reasons: First, it was fast, and we didn’t have time to get sucked into a long regulatory swirl like the EU did, for instance. And second, voluntary, by definition, doesn’t constrain innovation. So, if you believe that we’re in a global competition to determine which metaphorical operating system defines the future of technology—and I do believe that—then we need to harness the innovative power of American business, because that’s ultimately the wellspring of our strength.
FPA: Do you think diplomacy is the right tool to combat this industry? If so, how can it overcome these challenges?
NF: Diplomacy has always got to be a tool—that’s a foundational principle. As with any international problem, we’ve got to talk about it. Maybe that’s going to generate the results we want, and maybe it’s not, but there simply must be a diplomatic element. So, the question is: Is that sufficient, and what other steps can we take? You can sanction, and you can name-and-shame, but those have costs, too. The administration is always going to weigh the national security interests against the costs of taking different steps to implement them. I think that’s where [Biden’s] spyware executive order was important. Its implementation may never be perfect, but it really enabled us to get out front and say, “Look, we are eating our own cooking,” so to speak, right? We are signing up to play by the rules that we’re asking you to abide by. We’re leading by example.
FPA: The choice for the global community is one between a “rights-respecting” approach and a more repressive approach. What are the implications of these divergent approaches for addressing the growing cyber mercenaries market?
NF: You’ve got a major competition unfolding in the world between two different worldviews governing the development of tech. You have the worldview that the U.S. and our like-minded allies champion—which is an organic, bottom-up, multistakeholder participatory process where governments and companies and civil society organizations are all involved in the process. It is a rights-respecting process that takes into account human rights aspects in every step of developing, deploying, and using technology. And then there’s a competitive worldview, which is the worldview championed mostly by the Chinese, and also by the Russians, the Iranians, and others, that is not organic and bottom-up, it’s not participatory. It’s a much more centralized, top-down, authoritarian way of interacting with tech. It does not include big roles for private industry. It does not include big roles for civil society. And it fundamentally does not bake human rights thinking into every step of the process. If that worldview becomes the dominant one, then you’re going to see a wildly different interaction between governments and commercial spyware.
FPA: What would you say has been the impact of President Biden’s initiatives in the early stages, and how can they be built upon, moving forward?
NF: Because tech is so intrinsically transnational, it’s very hard to have much effect on the global technology landscape with action just inside our national borders. So, that’s why we made a real effort from the beginning to internationalize, multi-nationalize the executive order through this joint statement. And so, I think what’s going to matter is continuity in the next administration—that this not get repealed. If it doesn’t get repealed, then the work ahead is really twofold: One, it’s to make sure the United States government agencies actually abide by the guidance in the executive order. And two, that we continue to do the ground-game diplomacy to sign up more partners to the joint statement.
FPA: With the change in administration, what is likely to stay the same, and what do you expect to change in terms of how the U.S. deals with the risks and impacts of cyber mercenaries?
NF: If you put every issue across a spectrum—from those issues where we would expect to have the greatest continuity with the new administration, to those we would expect to have the greatest discontinuity—I think most of these tech issues fall on the side of greater continuity. I actually think there’s a lot of alignment between the old team and the new team on the importance of tech to national security and how we’re approaching it broadly in policy terms.
FPA: What are the private sector’s responsibilities in combatting cyber mercenaries, and how can they work with governments to make the global response more cohesive and effective?
NF: Most of the time, when we’re talking about cyber mercenaries and the tools they’re using, you’re talking about software developers—so it’s not a bunch of guys with guns at a hidden camp in the desert, it’s an office suite in a suburban office park, and it’s people in T-shirts and jeans sitting at computer terminals building software. They are companies, they are usually incorporated, they are funded sometimes by outside venture capital and private equity. In addition to having government customers, they often have commercial customers. There are all kinds of uses of spyware and legitimate uses of these technologies. And so, what we’re really talking about is not the eradication of spyware. We’re talking about a commitment to combating the misuse of commercial spyware. It’s about managing a very difficult challenge that’s probably intrinsic to the digital era and something that’s always going to be with us. So, we need to be ready to continue advocating and doing this work for the long haul.
FPA: Can you elaborate on some of the legitimate uses? And is that just from government customers, like law enforcement, for example, or also private uses?
NF: I think that certainly there are legitimate law enforcement and national security uses of spyware operating with a court order or congressional oversight. On the corporate side, too, when we’re using devices that are owned and operated by our employers, we’re usually consenting to the monitoring of those devices. There’s no expectation of privacy on those devices, and most of us as employees read that agreement and sign that agreement willingly as a condition of employment. So, I do think we need to be clear about what we’re talking about. We’re talking about misuse, and not every use is misuse.
Nathaniel Fick served from 2022 to 2025 as the inaugural U.S. Ambassador at Large for Cyberspace & Digital Policy at the Department of State. He is an investor and entrepreneur, and was previously CEO of the cybersecurity software company Endgame. Earlier in his career, he served as a Marine Corps infantry and reconnaissance officer.
Amy Hogan Burney
Digital Weapons for Sale: Countering the Growing Cyber Mercenary Market
Industry partners and governments must work hand-in-hand to protect citizens and critical infrastructure from malicious actors.
Carine Kanimba and Dr. Ron Deibert
Spyware’s Human Toll: Cyber Mercenaries Inflict ‘Enormous Harms’ on Their Targets
Q&As with Dr. Ron Deibert and Carine Kanimba
Sophie in’t Veld
An Inquiry on Spyware in the EU Revealed Abuses by Member States. Now What?
Without binding action from the European Commission, recommendations to safeguard the use of spyware and regulate its trade will be ignored—at Europe’s peril.