The process significantly neglects the role of governments in proliferation of these capabilities.
Editor’s Note: One of the authors was invited by the U.K. Foreign, Commonwealth & Development Office to comment on the draft declaration and join the conference as panel chair. Due to prior commitments, the author was not able to join the conference and was only able to provide little feedback—consistent with the message of this piece—on the declaration.
In February, France and the United Kingdom launched an initiative entitled the Pall Mall Process with the objective of “Tackling the Proliferation and Irresponsible Use of Commercial Cyber Intrusion Capabilities.” The initiative is intended to develop guidelines for the responsible use of commercially available capabilities leveraged in intrusive surveillance operations. Yet the organizers of the process fail to substantially address the elephant in the room: the leading role that governments play in fueling this currently out-of-control ecosystem.
Spyware Exemplifies the Dangers of Commercial Cyber Intrusion Capabilities
Commercially available cyber intrusion capabilities, including intrusive surveillance software or “spyware,” are a bane of human rights defenders, journalists, dissidents, and other individuals who might criticize governments around the world. Spyware is often used to track and surveil their communications. High-profile cases of these types of incidents include the use of commercial intrusive surveillance software against family members and close contacts of the murdered journalist Jamal Khashoggi, members of the Greek government and opposition, and human rights lawyers, journalists, and anti-corruption activists in Mexico. Another noteworthy case is “Project Raven,” which involves a U.S. company selling intrusion capabilities to the cyber intrusion unit of the United Arab Emirates, staffed with former U.S. National Security Agency employees. The recently released Annual Threat Assessment of the U.S. Intelligence Community states that “[f]rom 2011 to 2023, at least 74 countries contracted with private companies to obtain commercial spyware, which governments are increasingly using to target dissidents and journalists.”
Governments Take the First Steps Toward Reigning in Spyware Risks
Western governments have recently begun to address the risks posed by spyware. In 2021, before the creation of the Pall Mall Process, the U.S. Department of Commerce added two Israeli spyware companies—including the infamous NSO Group—to the Entity List—a trade restriction list published by the department that includes the names of certain foreign individuals, entities, and governments. According to the Commerce Department, the Israeli NSO Group and another spyware company, Candiru, were added to the list, “based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.” Later on, in 2023, the Commerce Department added another “four foreign commercial spyware entities to the Entity List for engaging in activities contrary to the national security or foreign policy interests of the United States.” These entities included spyware developers Intellexa and Cytrox.
What’s more, in March, the U.S. Department of the Treasury, via the Office of Foreign Assets Control (OFAC), added two individuals and five entities linked to Intellexa to the Specially Designated Nationals list. Individuals and entities on this list have their assets blocked, and U.S. persons are generally prohibited from dealing with them. Compared with the Entity List, the OFAC designation shows that the current U.S. administration is making good on its commitment to tackling spyware.
Sanctioning spyware companies and individuals is certainly not the only mechanism deployed by Western governments to address the use and proliferation of spyware. In 2022, the European Parliament launched an inquiry committee (known as the PEGA Committee—which was named after Pegasus, a cyber intrusion product of the NSO Group) to investigate member state and third-party violations of the Charter of Fundamental Rights of the European Union through the use (and abuse) of intrusive surveillance software. In its final report, the committee recommended more safeguards in the use of surveillance software and tighter export controls, among other measures.
Also, in early 2023, President Biden issued an executive order prohibiting the U.S. government from using “Commercial Spyware that Poses Risks to National Security.” More specifically, the executive order requires U.S. government entities interested in purchasing commercial spyware to evaluate whether the product poses a threat to national security or counterintelligence or has been used by foreign governments for human rights violations or to surveil U.S. citizens, in which cases they are prohibited from acquiring the product. Likewise, after several years of investigations, Germany’s Staatsanwaltschaft (the country’s public prosecutor’s office) filed charges in 2023 against four individuals responsible for the FinFisher Group—known for their spyware product FinSpy—for illegally selling intrusive surveillance software to the Turkish government in violation of export restrictions. The filing followed a yearlong investigation that included a seizure of the company’s bank accounts and ultimately its insolvency in 2022.
The aforementioned actions were commendable first steps to address the spyware problem, but whether they will effectively curb the abuse of commercially available intrusive surveillance software is still unknown.
The Pall Mall Process Seeks to Address Commercial Cyber Intrusion Capabilities Beyond Spyware
The Pall Mall Process sought to build on this growing momentum. The process brought together states and non-state actors (such as industry, including Google and Microsoft and information technology security companies, as well as civil organizations) to tackle the dangers stemming from the commercial cyber intrusion capability ecosystem. These risks, which extend far beyond that of spyware, include intrusive surveillance software and commercial intrusion services as well as developers and sellers of vulnerabilities and exploits such as Zerodium.
The process seeks to “establish guiding principles and highlight policy options for States, industry and civil society in relation to the development, facilitation, purchase, and use of commercially available cyber intrusion capabilities.” Commercially available cyber intrusion capabilities are defined as “tools and services made available by cyber intrusion companies and similar high-end capabilities developed by other companies,” including as-a-service business models. The declaration specifies that the cyber intrusion ecosystem comprises inter alia, access-as-a-service, malware-as-a-service, and hacking-as-a-service models, and vulnerability and exploit marketplaces. As explained in further detail below, these definitions demonstrate that the scope of the process is severely limited, most notably by leaving out the role of governments and noncommercial products, and potentially also by excluding companies that exclusively cater to governments.
A Narrow Focus on Commercially Available Capabilities
From the outset, the Pall Mall Process was limited by its exclusive focus on “commercially available” capabilities, meaning that the organizers excluded proliferation and irresponsible use of cyber intrusion capabilities developed by governments themselves. Therefore, risks arising from proliferation of capabilities such as the one that enabled “Project Raven,” or, for example, China’s irresponsible use of capabilities, are not covered by the Pall Mall Process.
Additionally, the declaration appears to exclude by definition noncommercial intrusion capabilities, such as the free Metasploit framework, as well as dual-intent tools, such as Cobalt Strike (because they are intended for security testing and not for intrusion, even though they can also be used for the latter), and other freely available exploits for known vulnerabilities. These noncommercial intrusion capabilities, dual-intent tools, and freely available exploits are frequently used by criminals and other threat actors. Thus, from a technical perspective, it is hard to understand why they would not be in scope of the Pall Mall Process.
From a political perspective, however, it is understandable that the organizers may have chosen to narrow their efforts to make the process easier to create and implement, thus helping to further progress on the issue. Unfortunately, excluding noncommercial intrusion capabilities, dual-intent tools, and freely available exploits is a missed opportunity.
Furthermore, it is unclear whether the wording “commercially available” capabilities includes or excludes cyber intrusion capabilities developed by companies that solely cater to governments rather than the general public. The declaration does not define this term, but it often refers to items accessible to “the general public,” such as “‘off-the-shelf’ products or services” mentioned in the declaration. Whether the initiative will solely target cyber intrusion capabilities available to the general public is a crucial question, given that many companies in this sector exclusively serve government clients, including the NSO Group and other players such as Austria-based DSIRF. Such commitments presumably are an attempt to mitigate the fact that the surveillance capabilities these companies are selling can be used for human rights violations. By pledging to exclusively sell to government clients, the makers of surveillance capabilities thus somehow limit the proliferation of their tools to (in many cases) democratically legitimated entities. However, these companies play an important part in the cyber intrusion capabilities ecosystem, so, if the organizers of the Pall Mall Process did not intend to exclude these players, they would be well advised to make this clear in future statements.
Governments Play a Key Role in the Proliferation of Cyber Intrusion Capabilities
The process’s emphasis on commercially available capabilities reflects misplaced priorities, especially since governments are often fundamental sources of the proliferation and irresponsible utilization of cyber intrusion capabilities. When governments choose to buy cyber intrusion capabilities from private companies, they create and maintain an industry that perhaps would not exist without well-funded government contracts. In other words: Governments are fueling the commercial cyber intrusion capabilities ecosystem with millions of taxpayer dollars every year. While these contracts are normally agreed upon in secret, the leak of cyber intrusion company Hacking Team offers an insight into the economics of cyber intrusion capabilities. The company’s revenue exceeded 40 million euros in government contracts. Therefore, a first step for governments in any initiative such as the Pall Mall Process would be to acknowledge their own critical role in this ecosystem. So far, governments have largely failed.
If governments are committed to limiting the proliferation and irresponsible use of these capabilities, they need to pivot to developing their own tools, share them only with trustworthy partners, and use them responsibly. That includes legal safeguards, operational standards, transparency reporting, and more. Alternatively, governments that don’t (or claim to not) have the resources to develop these capabilities themselves or without access to them from international partners, need to thoroughly vet companies they choose to procure capabilities from. For example, governments should do due diligence on possible human rights violations committed with and supported by tools and services of such vendors. What’s more, these governments should not conduct any business with other governments or entities that have been reported to engage in unlawful activities or violate human rights with their tools and services.
Limiting the scope of the Pall Mall Process to commercially available cyber intrusion tools also makes little practical sense. Currently, the process makes no mention of the human element—people with the skills and knowledge to conduct cyber intrusions and develop corresponding tools. “Project Raven” clearly illustrates that it is difficult to segment the cyber intrusion capabilities market because it relies on people with skills, who often move from one government’s agency to another government’s subcontractor, or from government to commercial entities and vice versa. In other words, cyber intrusion professionals are highly mobile—and they take their skill sets with them from government to private entity and back, ultimately contributing to the proliferation of cyber intrusion capabilities wherever they land. An initiative that aims at developing guidelines for the responsible use of commercially available capabilities leveraged in intrusive cyber operations must address these individuals regardless of their current employer, albeit in a nuanced way that doesn’t unduly limit their career choices.
A Step Back From a Previous Commitment
The Pall Mall Process’s failure to address the role of governments adequately is even more surprising given that its creators—France and the United Kingdom—were involved in a 2023 initiative that was on point in this regard. Together with the governments of Australia, Canada, Costa Rica, Denmark, New Zealand, Norway, Sweden, Switzerland, and the United States, they published a joint statement entitled “Efforts to counter the proliferation and misuse of commercial spyware.” While the objective of the document is narrower than that of the Pall Mall declaration, it puts the responsibilities of governments at center stage. The statement clearly points out that “[c]ommercial spyware has been misused across the world by authoritarian regimes and in democracies.” Subsequently, the authoring governments commit to establishing “robust guardrails and procedures” for government use of these technologies, “preventing the export of software, technology, and equipment to end-users who are likely to use them for malicious cyber activity,” and to establishing “robust information sharing on commercial spyware proliferation and misuse, including to better identify and track these tools.”
The 2023 statement also establishes a commitment to “engaging additional partner governments around the world, as well as other appropriate stakeholders, to better align our policies and export control authorities to mitigate collectively the misuse of commercial spyware and drive reform in this industry.” It’s important to note that the Pall Mall Process may be an attempt to make good on this promise, considering that all supporters of the 2023 statement except for Costa Rica also backed the Pall Mall declaration. What’s more, France and the United Kingdom were also able to broaden the declaration’s circle of supporters, most notably by bringing regional organizations such as the African Union and the Gulf Cooperation Council on board.
It does seem, however, like the organizers of the Pall Mall Process sacrificed substance in exchange for a larger supporter base. From an outsider’s perspective, it’s likely impossible to determine exactly why the organizers of the Pall Mall declaration are so reluctant to address the role of governments in the proliferation of cyber intrusion capabilities than in the 2023 statement. Yet this hesitancy is likely (at least in part) related to the governments that were involved in the Pall Mall Process.
France and the United Kingdom reached out to several states that currently face allegations of irresponsibly using cyber intrusion capabilities or that are (or have been) home to cyber intrusion companies. Of these countries, Cyprus, Greece, Italy, Poland, and Singapore all agreed to be named in the declaration, while Hungary, Mexico, Spain, and Thailand attended the conference but declined to sign on as supporters. Israel, home to several notable commercial cyber intrusion companies, did not even attend the conference. Furthermore, the process received support from African Union member states including Nigeria, Ghana, Morocco, Malawi, and Zambia and Rwanda as well as Gulf Cooperation Council members Saudi Arabia and the United Arab Emirates, all of which have been accused of violating human rights through the use of cyber intrusion capabilities.
As the Pall Mall declaration is less ambitious than the aforementioned statement published by 11 liberal democracies, this focus on a broad supporter base may have been premature. If governments want to make progress in developing guidelines for the use and spread of cyber intrusion capabilities, they should stick to like-minded formats of liberal democracies with strong commitments to digital rights—on this thorny issue, it is difficult enough to come to consensus even in such formats.
Indicative of the governments’ emphasis on broad participation in the process rather than substance is its listing of operational norms. Operational norms for cyber intrusion capabilities have already been discussed interdisciplinarily in much more detail for years (such as for government hacking in criminal investigations and active cyber defense operations). A startling attempt to shift the attention from the governments to other stakeholders is the declaration’s paragraph 9, in which the authors “strongly encourage … industry, civil society, academia, members of the technical community, and individuals to continue to build greater global cyber capacity for defensive purposes to ensure secure, safe, inclusive, and trustworthy access to the opportunities offered by digital technologies.” Telling civil society, academia, and individuals to work on securing digital technologies while at the same time using taxpayers’ money to fund the cyber intrusion industry that undermines the security of said technologies sounds disingenuous, to say the least.
What Now?
There is some government action that remains in the scope of the Pall Mall Process: government purchases of commercial off-the-shelf cyber intrusion products or services. The declaration acknowledges that a growing market for surveillance software means that more states will have access to such tools. However, it does not specify which policy instruments the process will seek to address. The declaration makes a blanket reference to “existing international export control frameworks and the ongoing development of domestic action by national jurisdictions,” the application of international law, and “appropriate safeguards and oversight.”
However, this attempt to include government responsibility and action appears to be nothing but lip service. The declaration refers to “norm (j)” of the United Nations Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security. This cyber norm holds that “(s)tates should encourage responsible reporting of [information and communication technology (ICT)] vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure.” The norm has been endorsed by the international community through the United Nations General Assembly. Effective cyber intrusion capabilities are built around ICT vulnerabilities that are often not reported and where information on available remedies is not shared. When procuring and using such capabilities, governments could disclose the underlying vulnerabilities to the respective vendor or maintainer and create and share information about how to mitigate the threat from those capabilities. Governments procuring capabilities and then disclosing the respective vulnerabilities to vendors and maintainers and/or sharing remedial information with government agencies, industry, and the public is, however, very rare—presumably because doing so would likely render the procured capabilities useless and would violate contractual obligations.
Thus, while states have not been able to agree on consensus language of what the implementation of this norm entails exactly, it is highly likely that both the in-house development and the commercial purchasing of cyber intrusion capabilities violate this norm to varying degrees. The effectiveness of capabilities deteriorates when the underlying vulnerabilities are disclosed in a timely manner to the vendors and maintainers and information about how to mitigate the impact of the capabilities is shared. It remains unclear how the declaration’s organizers will affirm their commitment to the framework of responsible state behavior while also wilfully neglecting large parts of state action regarding cyber intrusion capabilities.
Besides, different sources disagree regarding to what extent the supporters commit themselves to complying with the content of the statement. The U.K. government has stated that the declaration was an “international agreement, signed by participants.” However, the statement hardly goes beyond a mere declaration of intent and refers not to signatories or even supporters but, instead, simply to “(s)tates and international organisations represented.” Even so, not all parties present at the conference—including Hungary, Mexico, Spain, and Thailand–—were comfortable with being listed in the declaration, according to media reporting. Taken together, the declaration’s lack of substance as well as the fact that the conference was closed to the media give the impression that launching a multistakeholder process was more important than subject-matter progress.
It’s Not Too Late to Correct the Pall Mall Process’s Course
It is commendable that the organizers of the Pall Mall Process have taken on the issue of “the Proliferation and Irresponsible Use of Commercial Cyber Intrusion Capabilities” As the name suggests, the process foresees a series of steps, including a 2025 follow-up conference.
It is essential, however, to carefully and ambitiously define the scope of the problem the process seeks to address from the start—particularly if governments seek the participation of civil society organizations, which typically have scarce resources for accompanying such initiatives. This is not the case for the Pall Mall declaration. Rather, its wording is in part ambiguous, its scope is narrow, and its narrative is deliberately misleading. Faced with the trade-off between making substantial progress on the subject matter and involving a broad group of states and non-state actors, the organizers of the process seem to have chosen the latter.
Moving forward, all actors involved can try to steer the process in a direction that is more likely to produce solutions that effectively tackle proliferation and irresponsible use. Considering that it is highly unlikely that vulnerable groups would face the current threat from cyber intrusion capabilities if governments had not created demand for such products and services, future steps of the initiative need to put governments (and their involvement in creating this issue) center stage. The process would benefit from discussions that focus on the concrete, effective implementation of actions that curb proliferation and irresponsible use—such as better oversight, more transparency and accountability, ethical procurement guidelines, and rigid operational norms for government cyber intrusion operations. For governments, the first step in this direction is simple: publicly admit their role in the ecosystem—and start from there.
– Sven Herpig, Alexandra Paulus, Published courtesy of Lawfare.
