On February 5, US officials announced new restrictions to curb the global spyware industry. The US Secretary of State, Antony Blinken, explained that the misuse of commercial spyware has been linked to “arbitrary detentions, forced disappearances and extrajudicial killings in the most egregious of cases”. This was the latest step in ongoing attempts to establish rules for responsible behaviour in the development and use of commercial cyber intrusion capabilities.

Growing misuse of commercial cyber intrusion capabilities has ushered in a new era of complexity in cybersecurity. Last year, the UK’s intelligence, security, and cyber agency GCHQ warned that more than 80 countries had purchased spyware over the past decade. This issue was the focal point of an international conference hosted by the United Kingdom and France, culminating in the launch of the “Pall Mall Process” on February 6. This global initiative aims to establish guiding principles and policy options for governments, industry, and civil society organisations to tackle the misuse of commercial cyber intrusion capabilities.

A growing market

The market for cyber intrusion tools is growing fast. Nations are increasingly turning to cyber capabilities for strategic goals and they often outsource these needs, fuelling demand for offensive cyber tools and services. Various products have been developed: commercial spyware, hackers-for-hire, hacking-as-a-service, commercial intrusive surveillance software, and opaque marketplaces for vulnerabilities and zero-day exploits. Sophisticated cyber capabilities are now available for both state and non-state actors, heightening the potential for malicious and irresponsible use.

Although usually designed for legitimate security and intelligence purposes, these tools are often repurposed for more nefarious ends. The issue is not just about the tools themselves but also their dual-use nature. What was intended to track terrorists can easily be turned against journalists, activists, and political dissidents.

The rise of ‘mercenary spyware’ – where private firms engage in cyber surveillance often crossing ethical and legal boundaries – is an especially worrying trend. A recent example is the US Treasury Department’s decision to ban a company named Intellexa, which developed the widely used “Predator” spyware. The software was used to target journalists, human rights workers, and high-level political figures, including the president of the European Parliament and the outgoing president of Taiwan. At least two sitting members of the US Congress were also targeted by it.

The role of the state and private sector

The role of the state in this murky landscape is complex. On one hand, governments are responsible for ensuring national cybersecurity, and therefore have an incentive to clamp down. On the other, they are also key customers, using these very tools for surveillance that can result in human rights violations. Some states routinely ignore human rights altogether when using spyware, likewise in the name of national security. This dichotomy presents a challenging dilemma. How do we balance the legitimate needs of national security with the potential for abuse?

The private sector has its own responsibility to prevent misuse and abuse, albeit guided by states. The United Nations Guiding Principles on Business and Human Rights say that states should “protect against human rights abuse within their territory, and should set out clearly the expectation that all business enterprises in their territory and/or jurisdiction respect human rights throughout their operations.” Setting—and enforcing—such expectations through procurement policies and liability rules would help prevent abuse of these capabilities.

Responsible development and use

In addition to regulation, the debate is increasingly focusing on responsibility. The United Kingdom, for example, positions itself as a responsible cyber power. By advocating for a balanced approach that respects both innovation and ethical standards, the UK aims to lead by example in the global arena. This involves not only implementing strict regulations but also fostering a culture of responsibility among technology creators and users, ensuring that advancements in cyberspace contribute positively to society.

The private sector—and especially the big tech companies—could help in this fight. They can actively limit the spread of spyware and help create norms on responsible use. In a recent report, Google’s Threat Analysis Group (TAG) noted that the private sector is now responsible for a significant portion of the most sophisticated offensive cyber tools it detected: out of 25 zero-day vulnerabilities that were exploited in 2023, 20 were exploited by commercial surveillance vendors. This finding highlights the urgent need for industry-wide consensus and action against such practices.

In December 2022, Meta published its landmark “Policy Recommendations for Tackling the Surveillance-for-Hire Industry,” arguing that the unchecked expansion of surveillance tools poses a direct threat to civil liberties and human rights. Meta’s recommendations included, among others, a call to regulate the activities of surveillance-for-hire companies and establish accountability frameworks for them. For the industry, Meta recommended ‘know your customer’ protocols and non-sale lists to “limit the sale of spyware tools to entities with a high risk of abuse”. Meta itself started taking down various Facebook and Instagram accounts affiliated with spyware firms, including Spanish firm Variston IT, its Italian subsidiary TrueL IT, and UAE-based Protect Electronic Systems.

Moving forward: The Pall Mall Process

The Pall Mall Process is a collaborative effort addressing the need for domestic and international controls on commercial spyware technology, calling for actions to tackle the proliferation of cyber intrusion capabilities. The Pall Mall Process declaration includes 27 countries, big tech companies like Microsoft, Google, and Meta, and key organisations such as the Atlantic Council, the ShadowServer Foundation, the CyberPeace Institute, and the European Cyber Conflict Research Incubator (ECCRI CIC). This diverse coalition represents a sincere effort to redefine norms and establish a safer, more respectful digital environment. However, the notable absence of Israel, home to the controversial spyware firm NSO Group, underscores the challenges in achieving a comprehensive and united stance against invasive surveillance practices.

The declaration outlines four key pillars to frame future multi-stakeholder engagement:

  1. Accountability: Activities should be legal, responsible and in line with international human rights law and domestic frameworks.
  2. Precision: The development and use of capabilities should be precise, avoiding unintended, illegal, or irresponsible consequences.
  3. Oversight: Adequate assessment and due diligence mechanisms are essential for both users and vendors to ensure responsible activity.
  4. Transparency: Clarity needs to be ensured in supply chains and business practices.

The conversation about responsible behaviour in cyberspace is not just a legal or technical one; it is fundamentally about our values and the kind of digital world we want to create. The Pall Mall Process represents a commitment to an ongoing, inclusive global dialogue, with a follow-up conference planned in Paris in 2025. It is a significant step towards a future where commercial offensive cyber capabilities are developed and used responsibly, balancing the needs of national security with the imperatives of human rights in order to maintain global stability.

As long as the process is inclusive and creates opportunities for commercial cyber intrusion companies to engage with governments, civil society, and other stakeholders, it is possible to create a common understanding of ‘responsible behaviour’ and begin to implement it.