Join us at Binding Hook Live on October 27 at Underbelly Boulevard Soho in London
Join us at Binding Hook Live
Request an invite
Main Logo Expert commentary on tech and security

Third time’s the charm for Pall Mall in Paris?

Lena Riecke 15 April 2025
Share On:
States agree on a code of practice to govern commercial cyber intrusion capabilities, but unresolved issues may inhibit successful implementation
Main Top Image
Paris. Photo: Alexander Kagan/Unsplash

As springtime bloomed in Paris in the first week of April 2025, 21 states (later joined by Romania and the United States) signed a non-binding code of practice to tackle the proliferation and irresponsible use of commercial cyber intrusion capabilities (CCICs) during the third instalment of the Pall Mall Process. Yet several unresolved questions remain, the answers to which are fundamental to the code’s success.

Problematic CCIC Industry

For years, civil society has documented the risks that the commercial proliferation and misuse of CCICs can pose to national and international security, respect for human rights, and democratic institutions. For example, both autocratic and several democratic states have deployed commercial spyware to conduct espionage and perpetrate digital repression against scores of politicians, dissidents, journalists, and others worldwide.

Concern about the negative externalities of the CCIC industry extends well beyond the spyware market. It relates to a complex and interconnected ecosystem of, inter alia, vendors, researchers, brokers, and investors, through which a broad array of tools and services becomes commercially available to ‘irresponsible’ state and nonstate actors. 

The industry for CCICs – which are generally understood to procure access to a targeted device, system, or network without the permission of its user, operator, or owner – has boomed over the past decades. Now, states are struggling to rein it in.

The Pall Mall Process

Faced with reports of growing commercial cyber intrusion capability misuse and an expanding and diversifying marketplace, the United Kingdom and France jointly launched the Pall Mall Process in 2024. The process is a multi-stakeholder initiative that brings together states, international organisations, private industry, academia, and civil society to establish guiding principles and discuss policy options for governing CCICs. 

Following the inaugural Pall Mall Declaration in February 2024, and a state-only meeting in November of that year, Pall Mall participants convened on 3 and 4 April 2025 to discuss a voluntary code of practice for states. The code builds on a multi-stakeholder consultation conducted by the United Kingdom and France, which compiled good practices from 73 respondents to combat the proliferation and irresponsible use of CCICs. 

Setting out good practices for states regarding the development, facilitation, purchase, transfer and use of CCICs, the code is structured around the process’s four core pillars: accountability, precision, oversight, and transparency. 

They say that all good things come in threes, but will the outcome of the third Pall Mall meeting be ‘the charm’ for governing CCICs? As it stands, the code leaves several questions unanswered. Three areas of concern stand out.

‘Responsible’ use conundrum

To paraphrase one Paris participant, who drew on a quote often attributed to Tolstoy: the best stories – or, in this case, the most complicated problems – do not concern good versus bad but rather pit good against good. While commercial cyber intrusion capabilities can jeopardise national and international security, undermine respect for human rights, and put democratic institutions at risk, they can also contribute to crime prevention, counterterrorism, and other purposes that protect these very interests.

Accordingly, the code faces the challenging task of differentiating desirable from reprehensible state uses of CCICs. In its attempt to do so, it introduces several standards, including ‘responsible’, ‘lawful’, ’legal’, and ‘legitimate’. However, these terms are open to interpretation and are not necessarily synonymous. 

For example, use that is ‘legal’, complying with domestic law, might nevertheless be considered ‘irresponsible’ or ‘illegitimate’. Is ‘legitimate’ CCIC use necessarily ‘responsible’? While the code implicitly defines ‘responsible’ use, it is largely silent on its relationship to, and the meaning of, the other terms.

The potential variation in and incoherence between these standards invites disparity in states’ understanding of what the code condemns versus what it encourages them to do. This will likely aggravate divergence in national implementation, which is already a risk due to the code’s voluntary nature. To give the Pall Mall Process a real chance at reining in the CCIC industry, the ‘responsible’ use conundrum must be addressed.

Question of accountability

Although accountability is a core pillar of the process, the code contains little to ensure that states are held to their commitments. Instead, it largely focuses on ensuring the accountability of private industry. While this is an essential part of governing CCICs, the code’s commitments pertain solely to, and are entirely dependent on, states for their implementation.

In parts, the silence on enforcement goes hand-in-hand with the code’s voluntary nature. Yet its non-binding character does not preclude the inclusion of measures to demonstrate and evaluate states’ compliance, as well as to condemn non-compliance. In Paris, nonstate stakeholders discussed options to bolster accountability, such as self-reporting by participating states and the creation of positive incentives to reward compliant parties.

Several code signatories, including Greece and Italy, have faced allegations of misusing CCICs or enabling their commercial proliferation to ‘irresponsible’ end-users. Hungary, meanwhile, has been criticised for systematically subverting the rule of law in the CCIC context and beyond. Should further states join the code, for example during future iterations of the Pall Mall Process, questions of accountability will likely persist. Follow-up discussions on measures to assess and incentivise state compliance will thus be essential for maintaining the credibility of the process.

Risk of divergence

Finally, the code raises questions about divergence in states’ willingness to commit to CCIC governance and the potential for the resulting disparities in governance approaches to fragment markets. To date, only 23 states worldwide are code signatories. 

The tendency of vendors to hop between jurisdictions seeking the most favourable regulatory environment underlines the importance of collective governance efforts. Otherwise, the implementation of stricter regulatory measures by some states might simply prompt an exodus of private industry to more lenient ones.

Ultimately, the emergence of parallel, less regulated markets may be inevitable. This does not mean that success for Pall Mall is out of reach. Creating a unified marketplace that is sufficiently attractive to sway a large part of the industry to adhere to more stringent rules would already go a long way to mitigating the negative externalities of the current CCIC marketplace.

This requires harmonious implementation of the code as well as its support by states with the political capital and market power to lead others in reconfiguring market incentives. The decision to join by the United States, which had not done so initially despite taking significant actions to rein in the CCIC industry under its previous administration, is reason for cautious optimism. However, it is worrying that several states previously expressing their interest in participating in the Pall Mall Process, such as Five Eyes members New Zealand and Australia, have not signed up.

All in all, as is the nature of international political commitments, the success of the Pall Mall code of practice depends on what states make of it. As a multilateral, multi-stakeholder effort, the process creates a unique regulatory opportunity, providing a forum for collective international action and giving impetus to states’ development and implementation of national policies to counter the negative externalities of the commercial cyber intrusion industry. One thing is clear: to make the best of the opportunity at hand and to set the Pall Mall Process up for future success, states will need to answer the questions that the code of practice leaves unresolved before these pull it apart at the seams.

avatar
Lena Riecke

Related

Featured image
Binding Edge
The mechanisms of cyber-enabled information campaigning
Jelena Vićić / Richard Harknett 21 June 2024
Read more arrow
Featured image
Binding Edge
Brave new(ish) world, brave new(ish) approach
Irfan Hemani 15 February 2024
Read more arrow
Featured image
Binding Edge
Balancing security, innovation, and regulation in cyber threat (artificial) intelligence
Omree Wechsler 4 March 2025
Read more arrow

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by Virtual Routes (“Virtual Routes”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by Virtual Routes.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants Virtual Routes exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

Virtual Routes, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify Virtual Routes, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

Virtual Routes reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond Virtual Routes’ reasonable control impairs the integrity or proper functioning of the Competition, as determined by Virtual Routes in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, Virtual Routes reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.