The Pall Mall Process could be a catalyst for international collaboration on commercial cyber intrusion capabilities

The growing demand for commercial spyware necessitates collaboration between countries, companies, and multi-stakeholders in defining ‘responsible behaviour’ in this field
Image created with the assistance of Midjourney

On February 5, US officials announced new restrictions to curb the global spyware industry. The US Secretary of State, Antony Blinken, explained that the misuse of commercial spyware has been linked to “arbitrary detentions, forced disappearances and extrajudicial killings in the most egregious of cases”. This was the latest step in ongoing attempts to establish rules for responsible behaviour in the development and use of commercial cyber intrusion capabilities.

Growing misuse of commercial cyber intrusion capabilities has ushered in a new era of complexity in cybersecurity. Last year, the UK’s intelligence, security, and cyber agency GCHQ warned that more than 80 countries had purchased spyware over the past decade. This issue was the focal point of an international conference hosted by the United Kingdom and France, culminating in the launch of the “Pall Mall Process” on February 6. This global initiative aims to establish guiding principles and policy options for governments, industry, and civil society organisations to tackle the misuse of commercial cyber intrusion capabilities.

A growing market

The market for cyber intrusion tools is growing fast. Nations are increasingly turning to cyber capabilities for strategic goals and they often outsource these needs, fuelling demand for offensive cyber tools and services. Various products have been developed: commercial spyware, hackers-for-hire, hacking-as-a-service, commercial intrusive surveillance software, and opaque marketplaces for vulnerabilities and zero-day exploits. Sophisticated cyber capabilities are now available for both state and non-state actors, heightening the potential for malicious and irresponsible use.

Although usually designed for legitimate security and intelligence purposes, these tools are often repurposed for more nefarious ends. The issue is not just about the tools themselves but also their dual-use nature. What was intended to track terrorists can easily be turned against journalists, activists, and political dissidents.

The rise of ‘mercenary spyware’ – where private firms engage in cyber surveillance often crossing ethical and legal boundaries – is an especially worrying trend. A recent example is the US Treasury Department’s decision to ban a company named Intellexa, which developed the widely used “Predator” spyware. The software was used to target journalists, human rights workers, and high-level political figures, including the president of the European Parliament and the outgoing president of Taiwan. At least two sitting members of the US Congress were also targeted by it.

The role of the state and private sector

The role of the state in this murky landscape is complex. On one hand, governments are responsible for ensuring national cybersecurity, and therefore have an incentive to clamp down. On the other, they are also key customers, using these very tools for surveillance that can result in human rights violations. Some states routinely ignore human rights altogether when using spyware—also in the name of national security. This dichotomy presents a challenging dilemma. How do we balance the legitimate needs of national security with the potential for abuse?

The private sector has its own responsibility to prevent misuse and abuse, albeit guided by states. The United Nations Guiding Principles on Business and Human Rights say that states should “protect against human rights abuse within their territory, and should set out clearly the expectation that all business enterprises in their territory and/or jurisdiction respect human rights throughout their operations.” Setting—and enforcing—such expectations through procurement policies and liability rules would help prevent abuse of these capabilities.

Responsible development and use

In addition to regulation, the debate is increasingly focusing on responsibility. The United Kingdom, for example, positions itself as a responsible cyber power. By advocating for a balanced approach that respects both innovation and ethical standards, the UK aims to lead by example in the global arena. This involves not only implementing strict regulations but also fostering a culture of responsibility among technology creators and users, ensuring that advancements in cyberspace contribute positively to society.

The private sector—and especially the big tech companies—could help in this fight. They can actively limit the spread of spyware and help create norms on responsible use. In a recent report, Google’s Threat Analysis Group (TAG) noted that the private sector is now responsible for a significant portion of the most sophisticated offensive cyber tools TAG detected: of the 25 zero-day vulnerabilities exploited in 2023, 20 were exploited by commercial surveillance vendors. Such findings highlight the urgent need for industry-wide consensus and action against such practices.

In December 2022, Meta published its landmark “Policy Recommendations for Tackling the Surveillance-for-Hire Industry,” arguing that the unchecked expansion of surveillance tools poses a direct threat to civil liberties and human rights. Meta’s recommendations included, among others, a call to regulate the activities of surveillance-for-hire companies and establish accountability frameworks for them. For the industry, Meta recommended ‘know your customer’ protocols and non-sale lists to “limit the sale of spyware tools to entities with a high risk of abuse”. Meta itself started taking down various Facebook and Instagram accounts affiliated with spyware firms, including Spanish firm Variston IT, its Italian subsidiary TrueL IT, and UAE-based Protect Electronic Systems.

Moving forward: The Pall Mall Process

The Pall Mall Process is a collaborative effort centred on the need for domestic and international controls on commercial spyware technology, calling for action to tackle the proliferation of cyber intrusion capabilities. The Pall Mall Process declaration includes 27 countries, big tech companies like Microsoft, Google, and Meta, and key organisations such as the Atlantic Council, the ShadowServer Foundation, the CyberPeace Institute, and the European Cyber Conflict Research Incubator (ECCRI CIC). This diverse coalition represents a sincere effort to redefine norms and establish a safer, more respectful digital environment. However, the notable absence of Israel, home to the controversial spyware firm NSO Group, underscores the challenges in achieving a comprehensive and united stance against invasive surveillance practices.

The declaration outlines four key pillars to frame future multi-stakeholder engagement:

  1. Accountability: Activities should be legal, responsible and in line with international human rights law and domestic frameworks.
  2. Precision: The development and use of capabilities should be precise, avoiding unintended, illegal, or irresponsible consequences.
  3. Oversight: Adequate assessment and due diligence mechanisms are essential for both users and vendors to ensure responsible activity.
  4. Transparency: Clarity needs to be ensured in supply chains and business practices.

The conversation about responsible behaviour in cyberspace is not just a legal or technical one; it is fundamentally about our values and the kind of digital world we want to create. The Pall Mall Process represents a commitment to an ongoing, inclusive global dialogue, with a follow-up conference planned in Paris in 2025. It is a significant step towards a future where commercial offensive cyber capabilities are developed and used responsibly, balancing the needs of national security with the imperatives of human rights in order to maintain global stability.

As long as the process is inclusive and creates opportunities for commercial cyber intrusion companies to engage with governments, civil society, and other stakeholders, it is possible to create a common understanding of ‘responsible behaviour’ and begin to implement it.

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by Virtual Routes (“Virtual Routes”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works of between 800 and 1,200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 CET, through the official submission portal provided by Virtual Routes.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend the Munich Security Conference.

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants Virtual Routes exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use the author’s name (or pseudonym) and an image of the author in association with the essay for purposes of publicity, promotion and any other activity related to the exercise of their rights under these Terms.

The organizers may remove any essay-related content from their platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on their platforms and associated social media accounts, including in connection with the display of the essay. The organizers may also use the Material to promote their products and services.

The organizers may, at their sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

Virtual Routes, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify Virtual Routes, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

Virtual Routes reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond Virtual Routes’ reasonable control impairs the integrity or proper functioning of the Competition, as determined by Virtual Routes in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, Virtual Routes reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.