Paris set to host difficult negotiations on tackling commercial hacking tools

A joint diplomatic initiative by the French and British governments to tackle “the proliferation and irresponsible use” of commercial hacking tools is hoping to announce its participants have agreed new rules on the technologies involved in Paris this week.

Formally known as the Pall Mall Process, the initiative has to-date struggled to convince all of its participants that it has the capability to actually change how commercial cyber intrusion capabilities (CCICs) are traded and used — partially because many countries do not want to voluntarily amend their own practices.

According to a final version of the draft agreement, seen by Recorded Future News — and circulated among the participating governments, international organizations, civil society and academic groups, as well as technology companies — participants will be asked to agree to:

• Regulating the development and sale/exports of CCICs.
• Establishing oversight mechanisms for domestic use of CCICs.
• Establishing domestic vulnerability equity processes.
• Banning procurements from vendors who commit illegal or irresponsible activity.
• Imposing costs on individuals and entities who benefit from irresponsible use of CCICs.

The abuse of CCICs is a major concern both in individual cases when they have been used “to target journalists, human rights activists, political dissidents and opponents and foreign government officials,” as British intelligence warned in 2023, and due to their economic effect that rewards the hoarding of cybersecurity vulnerabilities for exploitation.

Among the challenges facing the diplomatic effort is a lack of buy-in from some of the companies and countries involved in the most concerning uses and abuses of CCICs.

As Recorded Future News revealed at the time of the first Pall Mall Process conference in London last year, many of the most significant CCICs exporting states — particularly Israel, India, Austria, Egypt and North Macedonia — chose not to participate.

Israel’s absence was particularly significant, as it accounts for two of the four companies that have been sanctioned by the U.S. for trafficking cyber tools that had enabled “transnational repression” by authoritarian governments.

But progress is being made on that front, according to diplomatic sources. Both the Israeli government and one of the sanctioned companies, NSO Group, have been quietly engaging with the Pall Mall Process, although that engagement is considered to be at an early stage and neither party is expected to agree to the proposals in Paris.

Those proposals amount to a voluntary Code of Practice “inspired by the Montreux Document and the resulting International Code of Conduct for Private Security Service Providers,” as explained by think tank RUSI, ultimately creating a binding code for private military security companies “intended to promote respect for international humanitarian law and human rights law.”

It is not clear how many of the governments attending the Pall Mall Process in Paris will sign the document. Writing for RUSI, Pablo Rice of the Paris Peace Forum said the conference will be “decisive” adding: “Failing to make progress risks turning the upcoming gathering into a testament of collective fatigue.”