As the spyware market continues to expand, diplomatic Pall Mall Process hits a pivot point
A year on from its launch and days after the Pall Mall Process held its second diplomatic conference, this time in Paris, participants are concerned that the initiative may struggle to surmount the next hurdle facing the effort to reform the spyware and commercial hacking market: getting buy-in from the market itself.
That market for what are formally called commercial cyber intrusion capabilities (CCICs) is growing, as the conference organizers announced earlier this year.
Those participating in the Pall Mall Process say that left unaddressed, this growth will produce more abuses of the technology targeting “journalists, human rights activists, political dissidents and opponents and foreign government officials,” as British intelligence warned in 2023.
Participants in the joint British- and French-led process also fear the economic effects of the market: it rewards the hoarding of software vulnerabilities for exploitation rather than incentivizing vendors to get flawed products fixed.
The work of participants to date led to the publication of a Code of Practice on Friday, as first reported by Recorded Future News. The voluntary, non-binding code sets out how countries will regulate CCICs, tackle companies that commit illegal or irresponsible activity, and attempt to avoid hoarding cybersecurity vulnerabilities themselves.
It follows a diplomatic format, with participants submitting track changes to shared statements before deciding whether to endorse the final output. On Friday, 21 countries initially signed the Code of Practice. Romania also signed up on Monday.
The list of signatories introduces some surprises. Austria and Hungary, both countries with their own domestic spyware scandals that did not join the declaration following the first conference in London last year, agreed this time round to uphold the Code of Practice advanced in Paris.
There were also notable absences from among the signatories of the London declaration, including all of the United Kingdom’s allies in the Five Eyes intelligence partnership, who typically show solidarity with each other’s cyber diplomacy efforts.
Canada’s absence is probably attributable to the country currently holding an election, and the same is likely true of Australia. Although the United States was represented at the conference in Paris, it also did not sign up to the Code of Practice. As with Romania, more countries may agree to participate in the coming days and weeks.
A moment of scandal
The U.S. delegation to the conference caused a stir, according to multiple sources, when JD Work — a former intelligence officer and academic now on the cyber team at the U.S. National Security Council — shocked some delegates by warning that the United States would take lethal action against malicious actors working in the commercial cyber operations space.
During a workshop discussion about how to design anti-abuse protections into CCICs, Work made a contribution from the audience that such technical solutions were impossible and quipped that the best way to drive good behaviour in the market was for bad actors to know that “we’ll kill them.”
Participants who heard the comment told Recorded Future News they were unsure if the comment reflected a change in U.S. policy, and if it was meant literally or figuratively.
While there is a consensus view that under international law cyber operators can be legitimate military targets during an armed conflict, the idea of targeting those operators in other scenarios prompts significant questions about necessity and proportionality.
A spokesperson for the U.S. National Security Council declined to provide an on-the-record comment. Recorded Future News understands Work intended to be metaphorical and his remarks ended up being unintentionally colorful.
Work had previously argued on social media — in a strictly personal capacity — that he believed “lethal response against cyber operators will become increasingly common,” although this was an expectation rather than a policy suggestion.
The concern regarding Work’s comment about lethal response in Paris comes at a time of uncertainty regarding the Trump administration’s foreign policy, and as the U.S. is expected to ramp up its response to adversaries’ offensive cyber operations.
Buy-in from the CCICs market
Participants who spoke to Recorded Future News on the condition of anonymity said there was a clear lack of agreement about how the Code of Practice would actually drive specific activities from industry entities.
One of the criticisms of the Pall Mall Process to date has been that its industry participants are not the vendors who are causing concern. Companies including NCC Group, YesWeHack and Thales don’t market the kinds of intrusion services that contribute to transnational repression.
Bringing the commercial hacking market to heel is expected to prove challenging partially because of its diversity. The companies range from secretive startups to large government contractors. “You can’t slap the same rules on spyware vendors as on exploit brokers,” said Alexandra Paulus, one of the conference’s participants from the German Institute for International and Security Affairs.
It is even unclear whether the Code of Practice, which moves towards a clear bifurcation of the market — distinguishing responsible and irresponsible companies — would prove beneficial or if it would simply drive some of the entities underground, added Paulus.
Another anonymous participant demurred, saying they thought some participants — particularly the United States — would welcome a clear division between compliant and noncompliant industry entities as it made it easier to decide where to apply countermeasures.
Some of the more controversial companies in the CCICs space, including NSO Group, have begun to engage with the Pall Mall Process, according to Recorded Future News’ sources, although these engagements remain at an early stage.
An expected Code of Practice for Industry is “when the discussions will get really intense,” said Paulus.
“A great outcome would be a document that could provide orientation for public procurement guidelines, compliance offices in companies, export control regimes, etc,” she added. “But I think that will take a few more iterations, I don’t see it happening by next year.”
Alexander Martin
is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.