Spyware pact draws distinction between malicious and legitimate use of cyber-intrusion tools

April 10, 2025

SPYWARE ACCORD ADOPTED IN PARIS

A voluntary code of practice designed to tackle the proliferation and irresponsible use of surveillance tech has so far been adopted by 22 states.

The non-binding agreement (PDF) provides a framework for regulating the development, distribution, purchase and use of tools with commercial cyber intrusion capabilities (CCICs) – more commonly known as spyware.

Emerging from the ‘Pall Mall Process’, a British-French initiative kickstarted last year, the accord was adopted at a conference in Paris last week. YesWeHack’s CEO and co-founder, Guillaume Vassault-Houlière, attended the event, as well as workshops held last year to discuss the proposals, to advocate for the robust protection of good-faith use of CCICs for security research purposes.

The Paris conference, which took place on 3 and 4 April, brought together 39 states, four international organisations and a broad coalition of representatives from civil society and the private sector, including the cybersecurity industry.

“Without international and meaningful multi-stakeholder action, the growth, diversification, and insufficient oversight across this market raises the likelihood of increased irresponsible targeting of a range of public and private targets, including journalists, human rights defenders and government officials, as well as critical national infrastructure,” reads the code of practice. “It also risks facilitating the spread of potentially destructive or disruptive cyber capabilities to a wider range of actors, including cyber criminals.”

Signatory states have volunteered to, among other measures, establish processes for banning CCIC vendors that engage in irresponsible behaviour, encourage CCIC vendors to prevent and mitigate the adverse human rights impact of CCICs, and consider human rights impacts when making export control licensing decisions.

Protecting Bug Bounty Programs

However, the code of practice balances concerns about the risks posed by malicious use of these tools with an acknowledgement that their legitimate use must be protected. CCICs are used by security researchers, including in Bug Bounty Programs, in ways that – perhaps counterintuitively to those unfamiliar with ethical hacking – can help protect society from CCICs and other cyber threats.

Mindful of this, the code of practice urges governments to establish or define “clear national policies on what constitutes legitimate use of CCICs in the context of cybersecurity (for example for penetration testing, red teaming and in relation to coordinated vulnerability disclosure policies and bug bounty programmes) and research for cybersecurity activities, aligned to existing protections or safeguards for cybersecurity researchers.”

Governments are also advised to encourage “commercial entities to establish and publish their own coordinated vulnerability disclosure processes, informed by existing international standards”.

The accord’s recommendations fall into four core pillars:

  • Accountability, such as applying export controls to prevent misuse and supporting victims of malicious use
  • Precision, to clearly define lawful use of these tools, such as for national defence, cybersecurity or law enforcement; to coordinate internally across government bodies; and to train cybersecurity professionals to ensure responsible use and reporting
  • Oversight, to implement mechanisms that ensure state activities involving CCICs are transparent and subject to review
  • Transparency, including information sharing among states, industry and civil society; establishing coordinated vulnerability disclosure practices; and implementing ‘Know Your Vendor/Customer’ requirements

Staying ahead of evolving threats

Far from concluding the Pall Mall Process, the voluntary accord apparently represents a milestone in ongoing efforts to keep abreast of evolving and emerging threats – not least the threat of artificial intelligence supercharging the capabilities of CCICs.

“We intend to regularly review progress on the implementation of these voluntary good practices and on improving accountability across the market,” the code reads. “We resolve to keep this Code of Practice up to date with developments in the threat landscape.”

Signatories to the accord include: Austria, Denmark, Estonia, France, Germany, Ghana, Greece, Hungary, Ireland, Italy, Japan, Kosovo, Luxembourg, Moldova, Netherlands, Poland, Romania, Slovakia, Slovenia, Sweden, Switzerland and the United Kingdom.

A separate voluntary agreement on the same issue, led by the United States, was signed in 2023 by 11 countries.

Persuading a wide range of nations to attend such conferences, let alone agree to common policies and enforcement mechanisms, is not easy. Spyware offers valuable intelligence capabilities – whether for national security or tackling terror threats – that some governments are reluctant to surrender. More than 80 countries have purchased spyware over the past decade, Britain’s intelligence agency revealed in 2023.