Immigration and Customs Enforcement (ICE) has resumed a contract with Paragon Solutions, an Israeli spyware vendor known for its Graphite tool. Originally paused due to compliance concerns with an executive order limiting U.S. government use of foreign-made spyware, the contract was reinstated after Paragon’s acquisition by a U.S.-based firm. Graphite has already been documented targeting European journalists through zero-click exploits on Apple devices. Apple patched the flaws, but the broader story is about the normalization of commercial spyware for domestic use. Tools once tightly controlled are steadily entering operational environments that were never intended to see them.
The deployment pattern is predictable. A tool is bought for a specific mission, like counterterrorism or organized crime investigations. Over time, once infrastructure, vendor relationships, and training are in place, the operational logic of the contract encourages broader use. Contracts motivate usage because underutilization is seen as wasteful. The government might not operate with the same commercial mindset as a private company, but the core principle is the same. Once the capability is available, every new mission or policy reason can expand its use. Expecting these tools to stay limited to their initial goals is unrealistic and creates blind spots for leaders who face both technical and organizational risks.
The technical risk is high. Tools like Graphite can turn any smartphone into a live sensor, defeating end-to-end encryption by reading messages, photos, audio, and location data directly from the device itself. Direct targeting is the obvious case: an executive, lawyer, or high-profile employee is compromised because they are of interest. Indirect targeting is more subtle and often more dangerous. A family member attending a protest, a colleague with undisclosed political views, or household staff like an au pair or personal assistant can become an entry point. Through these connections, sensitive corporate data or strategic insights can be swept into surveillance collection without anyone realizing it. For CISOs, this means the risk extends well beyond the individual who holds the device.
Real-world cases demonstrate how collateral exposure occurs. Journalists covering organized crime in Europe were compromised through their sources’ phones, and family members of activists in Italy were unknowingly monitored. Lawyers representing high-profile clients have also been caught in surveillance because of their communications. In one U.S. financial investigation, employee phones were compromised, indirectly implicating colleagues with no direct link to the case. These examples show that indirect targeting is real: anyone connected to a target, whether family, staff, or colleagues, can unintentionally become a target themselves.
If you have nothing to hide, you have nothing to fear. – Joseph Goebbels
Critics may argue that corporations cannot and should not defend against nation-state operations or domestic agencies with surveillance capabilities. That view overlooks several important points. Nation-state-grade tools have already been used against people with no links to terrorism or organized crime, making spillover a real concern. The boundary between state power and private sector interests is increasingly blurred, with data shared across regulatory, law enforcement, and intelligence agencies. What starts as surveillance of one person can quickly turn into leverage against an entire organization. Companies are already combating state-backed threats, such as ransomware and industrial espionage. Ignoring domestic spyware is more naive than realistic.

One complicating factor is that general counsel often do not fully understand these risks. Legal teams may assume that surveillance of employees or their families is unlikely or remote, but the reality is that data obtained from domestic spyware can be used in regulatory inquiries, subpoenas, or other forms of leverage. Traditional legal strategies do not account for how collateral exposure through family, household staff, or colleagues can intersect with corporate operations, leaving companies unprepared when surveillance-derived information is invoked.
Cultural and legal norms that once reassured people are eroding. Surveillance powers spread, data collected for one purpose is repurposed, and evidence can be laundered through parallel construction to hide its origins. Mechanisms for data sharing across agencies ensure that tools and data rarely stay with their original operator. This creates a pathway for regulatory bodies to quietly gain insights from surveillance and exert pressure in ways corporate counsel may not expect. There is little to no oversight, and minimal, if any, recourse for companies harmed, even accidentally, through surveillance overreach.
For companies, the implications are clear. Incident response plans should specifically address targeted mobile device compromises. It all starts with hygiene. Device hardening, including secure configurations, timely patching, reducing unnecessary applications, and staying aware of changing restrictions on hardened Android deployments, helps decrease the attack surface. Following established security frameworks reinforces these measures. Awareness and protections should extend beyond employees to family members, colleagues, and household staff who might inadvertently act as vectors. Legal teams should prepare for situations where subpoenas or warrants depend on surveillance data, and having policies in place ahead of time is much better than reacting under pressure.
Surveillance tools are not limited to a single purpose. They evolve, expand, and are frequently repurposed because the temptation to do so is ongoing. For Chief Information Security Officers, the reality is clear. Domestic agencies now have access to spyware that was once only available to authoritarian governments, and the risk of spillover into private sector life is real and unavoidable. Understanding that contractual logic naturally influences how these tools are used highlights why organizations cannot ignore this threat. Preparing with strong technical, operational, and legal strategies is essential for any company aiming to safeguard its people, data, and operations.
Practical Steps for CISOs
To address these risks, CISOs should adopt a proactive, layered approach. First, incident response plans must explicitly include procedures for targeted mobile compromises, including containment, forensic analysis, and escalation paths to legal and executive teams. Second, device hardening should be prioritized. This includes secure operating system builds, rapid patching of vulnerabilities, minimizing unnecessary applications, and considering restrictions imposed by vendors like Google that may complicate hardened Android deployments. Third, security standards such as Security Technical Implementation Guides or similar frameworks should be applied consistently across all devices. Fourth, awareness programs must extend beyond employees to include family members, colleagues, and household staff who may act as indirect vectors. Fifth, legal preparedness is critical. General counsel should understand how surveillance-derived data could be used, develop protocols for subpoenas and warrants, and work closely with IT and security teams before any incident occurs. Finally, routine tabletop exercises simulating indirect exposure can reveal hidden vulnerabilities, improve cross-functional coordination, and ensure both technical and legal teams are operationally prepared.
Taking these concrete steps allows organizations to lower their exposure, safeguard sensitive data, and ensure that both direct and indirect threats from domestic spyware are identified and addressed before they escalate into operational or legal crises.