A year on from the launch of the Pall Mall Process to tackle “the proliferation and irresponsible use” of commercial hacking tools, there are concerns among its participants that the initiative lacks the ability to actually change how these tools are traded and used.
The market for what are formally called commercial cyber intrusion capabilities (CCICs) is growing, according to a consultation summary published by Pall Mall Process organizers Wednesday, which warned that the threats CCICs pose to national security and human rights “are expected to increase over the coming years.”
Back in 2023, Britain’s cyber and signals intelligence agency GCHQ warned that more than 80 countries had purchased spyware over the past decade — with some using them “to target journalists, human rights activists, political dissidents and opponents and foreign government officials.”
Last February the British and French governments hosted a conference in London, assembling diplomats, industry representatives, academics and civil society groups, who pledged to take action on the issue.
As Recorded Future News revealed at the time, a number of the most significant CCIC-exporting states — particularly Israel, India, Austria, Egypt and North Macedonia — chose not to participate, and none of the industry representatives sold the kinds of CCICs that caused concern. Russia, which also has a domestic CCIC industry, is unlikely to have been invited.
Although the conference took place shortly after the United States announced it would be restricting visas for people “involved in the misuse of commercial spyware” — and placed several spyware companies suspected of facilitating human rights abuses on its sanctions list — none of the participating countries have since taken similar steps.
The participants in the process have instead now produced a 56-page consultation report on what good practice should look like for CCICs vendors and states. The document — which includes the word “concerns” more than 30 times, and carries the caveat that it does not reflect British or French government policy — features widespread doubts about how the Process could bring into the fold those governments and businesses that show no interest in addressing the issue.
“The challenge remains of how the Pall Mall Process, deliberately casting the net wide to include and engage the majority of the CCIC ecosystem, will actually reach those whose behaviours and conduct needs to change to make a real difference,” said Katharina Sommer, the head of government affairs at NCC Group, a British penetration testing business that participated in the consultation.
“Responsible actors and those seeking clarification and guidance are active participants, and will benefit from the output of the next phase of the Pall Mall Process. But the step change we are all hoping for is harder to foresee at present,” Sommer told Recorded Future News, adding “though that should not stop any of us from continuing to try!”
James Shires, the co-director of the cyber research non-profit Virtual Routes (credited as a participant in the Pall Mall Process under its former name), praised the Process as representing “a significant step forward in the governance of CCICs” but one that still “encounters some of the same fundamental obstacles as other efforts.”
Shires highlighted how governments’ varying definitions of “national security” permitted the abuse of CCICs and prevented independent oversight of how those capabilities were being procured.
He added that the “connection to cybersecurity capacity building highlights an underlying sense of unfairness between the haves and the have-nots. For some developing states, it is ironic that the organisers of the Pall Mall Process, the UK and France, want to restrict access [to CCICs] while championing their own spyware industries.”
Shires added that the “big-tent approach risks agreeing voluntary norms or best practices of the kind that have been established at the UN — and regularly flouted — regarding responsible state behaviour in cyberspace more broadly, rather than specific, targeted actions against known violators and abusers, whether states or companies.”
To date, targeted action has been taken by the United States, with Secretary of State Antony Blinken describing CCICs as threatening “privacy and freedoms of expression, peaceful assembly, and association.” His comments, made when the State Department issued the country’s visa restrictions for working in the spyware industry, also touched on how the technology is “linked to arbitrary detentions, forced disappearances, and extrajudicial killings in the most egregious of cases.”
The sanctions followed President Joe Biden signing an executive order banning federal agencies from using commercial spyware that could pose security risks to the U.S. or had already been misused by foreign actors — in response to a growing number of incidents of spyware being used to target U.S. officials, government systems and ordinary citizens.
According to a source present at a Pall Mall Process meeting following the election victory for Donald Trump, the participants were doubtful whether the new administration would show an equal interest in the topic — with some actively frustrated that other governments weren’t urgently taking concrete actions to address CCICs being abused.
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.