In February 2024, the United Kingdom and France hosted a conference to address concerns over the proliferation and irresponsible use of Commercial Cyber Intrusion Capabilities (CCICS), and subsequently launched the international multi-stakeholder Pall Mall Process to address them. The Pall Mall Process aims to set out key principles and explore policy options for governments, businesses, and civil society regarding the development, deployment, acquisition, and use of CCICS. Through this initiative, the UK and France will collaborate with the global community to explore policy solutions and practices for ensuring a free, open, and secure cyberspace.

To discuss the progress of the Pall Mall Process and the challenges of controlling the proliferation of CCICS, join the Cybersecurity Coalition and Cyber Threat Alliance in Brussels for the second annual CyberNext BRU conference on 5 March at the Stanhope Hotel. The event offers a range of sessions addressing today’s most pressing cybersecurity challenges, including a panel entitled "Stemming the Proliferation and Irresponsible Use of Commercial Cyber Intrusion Capabilities: An Update on the Pall Mall Process".

What are CCICS?

Commercial Cyber Intrusion Capabilities (CCICS) refer to tools and services created by cyber intrusion companies or other entities, often offered through "as-a-service" models. These services include Access-as-a-Service, where providers give unauthorized access to systems, and Malware-as-a-Service, where malware is offered for use against specific targets. 

Typically, these services are provided by commercial cyber intrusion companies, which sell "off-the-shelf" products or services designed to penetrate or disrupt computer systems for financial gain. These companies may include developers or sellers of vulnerabilities and exploits, businesses that create and sell cyber intrusion tools, or those offering hacker-for-hire services. Commercial intrusive surveillance software – often called spyware – enables users to remotely access and manipulate computer systems without consent. These tools can extract or alter data, monitor communications, and track locations, making them powerful and dangerous in the wrong hands. 

The commercial market for cyber intrusion tools has been expanding, which raises significant concerns about its effects on national security, human rights, and global peace. While many of these tools can serve legitimate purposes, such as enhancing cybersecurity or supporting lawful investigations, their easy availability and potential misuse can threaten the stability of cyberspace. 

It's crucial that these capabilities are developed and used responsibly, in line with international laws, including human rights and humanitarian standards. To address these risks, the Pall Mall Process aims to define what constitutes legitimate use and ensure proper safeguards are in place to prevent abuse.

The Pall Mall Process also aims to address the role of governments in sustaining the CCICS marketplace. The United States issued an executive order in March 2023 titled "Prohibition on Use by the United States Government of Commercial Spyware That Poses Risks to National Security", which prevents federal agencies from making operational use of commercial spyware that could pose counterintelligence and security risks or pose significant risks of improper use by a foreign government.

The panel will further explore the responsibility of national governments to reduce their demand for CCICS. As governments increasingly procure and use such technologies, it’s essential to examine how they can mitigate potential counterintelligence and security risks, as well as prevent the improper use of these tools by foreign governments. The discussion will also focus on how nations can hold one another accountable in reducing the demand for and misuse of CCICS, especially in light of the growing commercial market for these technologies.

Looking Forward

From August to October 2024, the UK and France held a consultation inviting views on good practices relating to commercial cyber intrusion capabilities, and published a summary of the recommendations received. The responses to the consultation focused on three main stakeholder groups:

  • The role of States in setting national and international policy and regulatory frameworks, controlling exports, leveraging procurement power and targeting irresponsible behavior. 
  • The role of the intrusion industry in fostering responsible behavior, managing vulnerabilities, suppliers, and customers.
  • The role of other key players, including threat researchers, victims of misuse of CCICS, and the investor community. 

The panel will explore the good practices shared in the consultation, as well as challenges raised for certain stakeholder groups. The panelists' discussion will also extend to how the Pall Mall Process should consider existing legal frameworks, such as the UN Cybercrime Convention, the Budapest Convention, and national laws on cybersecurity, to guide states in their approach to CCICS. 

They will also look ahead to the next steps for the Pall Mall Process, with a focus on the upcoming annual meeting in April, and discuss how EU institutions, member states, and private industry can get involved to further the initiative’s goals.  

Alexis Steffaro
