Regulating Commercial Cyber Intrusion Capabilities

The code of practice suggests ways to combat irresponsible use of CCICs.

Twenty-one nations signed and launched the so-called Pall Mall Process Code of Practice for States last month in Paris. The code establishes guidelines regarding the development, facilitation, purchase, transfer and use of commercial cyber intrusion capabilities (CCICs).

The Pall Mall Process is an international multi-stakeholder initiative, first launched in February 2024, to explore the policy options and practices that could mitigate the threat of irresponsible usage of commercial cyber intrusion tools, according to a statement from the U.K. government. 

Cyber intrusion—the ability to access and manipulate a system or network remotely—can be marketed for legitimate purposes, but the proliferation of CCICs raises national security and human rights concerns. 

“CCICs should not be used to target individuals or members of a group based on any discriminatory grounds, to violate or abuse human rights and fundamental freedoms, including the right to freedom of expression, and that no one should be subjected to arbitrary or unlawful interference with privacy,” the Pall Mall policy statement read. 

The policy statement explained that without oversight of the CCIC market, cyber criminals could potentially acquire destructive cyber capabilities and target journalists, human rights defenders, government officials and critical national infrastructure. 

The four pillars of the Pall Mall Process are accountability, precision, oversight and transparency.

According to the policy statement, cyber intrusion activity should be conducted in a manner that is in line with existing applicable international law, the United Nations consensus framework on responsible state behavior in cyberspace and domestic legal frameworks. As such, states should establish national policy frameworks, rules, regulation and oversight for the use of CCICs. 

Additionally, the policy statement calls for applying controls on the export of CCICs and incentivizing responsible activity across the CCIC market by excluding CCIC vendors that do not meet the standard of responsible behavior from government procurement. 

To further deter irresponsible behavior, the policy suggests imposing a cost, such as criminal proceedings, financial or travel restrictions, on individuals involved in facilitating or benefiting from the irresponsible use of CCICs. 

The Pall Mall policy also recommends supporting victims of irresponsible CCIC use, like journalists, human rights defenders and government officials, by providing judicial remedies, investigations, stronger reporting methods and campaigns to raise awareness of risks.

To ensure precision in the responsible use of CCICs, the Pall Mall statement encourages governments to voice a clear stance on CCIC policies and verify that CCICs align with the determined responsible use cases. 

It also recommends that organizations stay informed on emerging risks and ways to combat them, and especially that this knowledge be shared between governments. This would prompt a consistent global message of best practices for using CCICs.

Cybersecurity education and training for professionals involved in the CCIC market is also a step toward minimizing the risk of irresponsible use of CCICs. 

To ensure transparency around the use of CCICs, the policy statement recommends that government and industry entities disclose their use and that government use of CCICs be subject to oversight.

“The Code is a huge step in the right direction. While it is not legally binding, it sets out clearly the best practices expected of states that commit to tackling the proliferation of commercial cyber intrusion capabilities and crucially offers the framework for states to have conversations about the way forward with the multiple stakeholders in their own jurisdictions and ways to legislate domestically to incorporate the Pall Mall provisions into their national laws,” said Katharina Sommer, the head of public affairs for NCC Group, who attended the second Pall Mall conference. “The states that signed the code have likely seriously considered that step, which suggests they have also considered ways of implementing (at least some of) the different provisions. This is positive momentum.” 

In addition, Stephen Doughty, U.K. minister for Europe, North America and overseas territories, provided remarks at the Pall Mall conference. 

“This bold package of commitments will help us to regulate the market, mitigating against harms that hacking tools can cause, and this will be good for us as states, making it easier to protect national security while ensuring a stable cyberspace,” he stated. “And it will be good for the industry, too. By providing a clear view of what responsible activity looks like, we can make it easier for legitimate companies to operate in the right way.” 

“But this commitment must translate into action,” Doughty continued. “Over the coming days, we must focus on how to put these measures into practice, track progress and hold ourselves accountable. This is how we can protect our citizens and ensure that cyberspace remains free, open, peaceful and secure.” 

The Pall Mall Process Code of Practice for States is now supported by 25 countries: Austria, Denmark, Estonia, Finland, France, Germany, Ghana, Greece, Hungary, Italy, Japan, Kosovo, Luxembourg, Moldova, the Netherlands, Poland, the Republic of Ireland, the Republic of Korea, Romania, Slovakia, Slovenia, Sweden, Switzerland, the United Kingdom and the United States. 

 
