Building Momentum to Stop Cyber Harm

Reflections on the Pall Mall Process Conference

Stimson joined with States and stakeholders in London to launch a new process for addressing spyware, ‘hackers for hire’, and other intrusive cyber threats

This project note examines the inception of the Pall Mall Process, a collaborative international effort launched by France and the United Kingdom to tackle the intricate challenges posed by commercially available cyber intrusion capabilities. As these capabilities proliferate, the line between legitimate surveillance and unethical spying continues to blur, necessitating a nuanced approach to cyber governance and international law. To be effective, future action will need to navigate and attempt to resolve the complex questions that surfaced throughout the conference as well as prioritize active engagement with the private sector, academia and civil society.

Theft of private information. Exposure of data. Manipulated images. The undermining of democratic processes. Technology-facilitated gender-based violence. Zero-day trading. Remotely operated cameras and microphones. 

These are among the concerns that prompted a conference in London on February 6, 2024, which addressed the threats posed by commercially available cyber intrusion capabilities.

What are we talking about?

If you are wondering what exactly “commercially available cyber intrusion capabilities” refers to, you are not alone. It’s a deliberately broad term meant to capture the evolving commercial ecosystem of products, services, and actors that support or engage in some form of unauthorized digital intrusion. Think spyware, vulnerability exploits, and hackers for hire. In some instances, these services and tools can be relatively benign or even beneficial, for example when they support the cyber defense and resilience of companies, governments, and organizations; in others they can be harmful, as the examples above demonstrate. These capabilities are also often employed for counterterrorism and law enforcement purposes, which governments portray as legitimate, but which may be carried out in ways that violate human rights.

In a relatively short amount of time, the number of actors providing these products and skills has grown significantly, in step with growing demand. On both the supply and the demand side, many actors are non-governmental, and the chain between them is becoming increasingly complex. Not surprisingly, this has generated a murky grey area in which it is not always clear which products and services are fully permissible, which are legally permissible but ethically questionable, and which are outright criminal or irresponsible. This gets even murkier when considering the role of governmental actors vis-à-vis commercial ones in obtaining and using the relevant products and services.

The conference was a starting point for a new process – dubbed the Pall Mall Process after the street on which the conference was held – initiated by France and the United Kingdom (UK) to respond to this challenge. It builds on a myriad of existing efforts and dialogues held in other venues. Just prior to the conference, the United States announced a new policy of visa restrictions on individuals involved in the misuse of commercial spyware – the most recent in a series of actions aimed at promoting accountability in this area. Google has just published a new report on the topic, while research by civil society organizations such as Access Now, Amnesty International, and Citizen Lab, among others, has helped to expose the human harms caused by some of these capabilities, mainly spyware, and to identify those responsible. The Cybersecurity Tech Accord recently launched a set of industry principles to curb so-called “cyber mercenaries”, which was also the focus of a roundtable at the 2023 Paris Peace Forum.

What is the Pall Mall Process?

Given the breadth of efforts underway, one might wonder what the added value of a new process can or should be, and how best to focus next steps. It certainly sends a political signal, reinforced by the presence of the UK’s Deputy Prime Minister at the conference, who spoke of the “cyberspace race with our adversaries”, noting that “…as they develop the tools to do us harm, … we define the risks, develop the rules and build the global alliance.”

The major formal output is a declaration endorsed by 25 states, two regional organizations, and several non-governmental stakeholders spanning tech, investment, research, and civil society sectors. The declaration outlines various harms and challenges posed by the growing market of capabilities including in relation to human rights and international peace and security whilst also reinforcing the legitimate and responsible use of these tools. An annex offers working definitions for major categories of such capabilities, including access- and malware-as-a-service; actors including hackers for hire and hacking-as-a-service companies; the vulnerability marketplace; and a few others.

Accountability, precision, oversight, and transparency are put forward as four pillars framing the commitment from signatories to continue work in this area in the lead-up to a second conference in Paris next year. Throughout there are affirmations concerning international law and other relevant frameworks, including the voluntary cyber norms endorsed by the UN General Assembly and the UN Guiding Principles on Business and Human Rights.

On February 7th, participating governments met in a closed session that was not open to other stakeholders.

What can we learn from other efforts?

To be effective, future action will need to navigate and attempt to resolve the complex questions that surfaced throughout the conference: where exactly is the line between legitimate and illegitimate use? How is responsible activity understood, and signaled? Are some of these tools and capabilities so problematic that they should not be developed or sold at all? How can regulatory or policy responses be designed to address the distinct categories of threats and actors encompassed by this broad term? How can states and other stakeholders that were either not invited or chose not to participate be brought along, and what incentives would do so?

Some of these questions are not necessarily unique to the cyber intrusion issue, although undoubtedly this is a deeply complex area. Stimson’s ongoing cyber accountability research and work can prove useful here. In our examination of diverse non-cyber threats, we have been encountering similar themes as well as good practice and instructive examples for accountability.1 For example, our research into arms control mechanisms, such as the 2013 Arms Trade Treaty (ATT), is informative. The ATT too was centered on finding a balance between the legitimate and responsible trade in conventional weapons and preventing human rights violations, among other harms and violations of international law. This balance is represented in the Treaty through its risk assessment process, in which exporting states review, on a case-by-case basis, the likely impact or result of a transfer against a set of internationally agreed criteria. The ATT community has also engaged with complex supply chains comprising diverse actors involved in brokering, importing, and transiting items, and has had to develop shared understandings of illegal, illegitimate, and irresponsible behavior, as well as of how to reasonably foresee and determine future use. Granted, the ATT concerns physical items while cyber capabilities are largely intangible, but its emphasis on effecting behavioral change is instructive.

Other frameworks, such as the Montreux Document, the multistakeholder International Code of Conduct Association, and the Wassenaar Arrangement, will also have relevance to this topic.

It’s very encouraging to see accountability, transparency, and oversight affirmed as pillars for future action and it is hoped that the positive momentum can be translated into meaningful and effective action. This is not just a technological issue, but one about preventing cyber harm to individuals and communities. The Declaration is a strong start, but a declaration alone is not enough. To translate positive momentum into effective solutions, the process must prioritize active engagement with the private sector, academia, and civil society. These actors bring indispensable expertise, oversight, and accountability mechanisms that can bridge the gap between policy and practice. Moreover, the next steps should include the development of a detailed action plan that outlines specific objectives, roles and responsibilities, timelines, and mechanisms for collaboration and compliance. Only through a concerted effort that embraces transparency, enforces accountability, and values the insights of all sectors can we hope to advance not just technologically, but also in safeguarding the cyber welfare of individuals and communities worldwide.

With thanks to Anne-Marie Buzatu of ICT4Peace for her contributions to this piece.

Notes

1. Stimson’s research report on lessons learned from non-cyber issues for accountability will be published later in 2024. We are examining arms control and non-proliferation, climate, private contractors, and outer space, among other issues and mechanisms.
