Tackling the Proliferation of Cyber Intrusion Capabilities

The Pall Mall Process Code of Practice paves the way for strong action against cyber intrusion, but it still has a long way to go.
Oliver Dowden speaking at the Pall Mall Process conference on Feb. 6, 2024. (Source: U.K. Cabinet Office official account, https://x.com/cabinetofficeuk/status/1754921653199401316)

Cyber intrusion capabilities have long been used to facilitate human rights abuses—like surveilling members of parliament, spying on opposition politicians, or tracking dissidents, journalists, and human rights defenders. The case of Jamal Khashoggi—whom the Saudi government spied on using NSO Group’s Pegasus spyware, and subsequently murdered during a Saudi embassy visit—shows the horrific consequences of unrestrained use of these capabilities. Beyond spyware, commercial cyber intrusion capabilities (CCICs) include vulnerabilities and exploit marketplaces like Zerodium, initial access brokers, and hackers for hire, among other things. What all these tools have in common is “the ability to access and manipulate a digital device, system, or network remotely without authorisation[.]”

In 2024, the British and French governments decided to foster policy action to regulate the market for these capabilities by launching the Pall Mall Process. This initiative brings together states and non-state actors to tackle the proliferation of CCICs. The objective of the Pall Mall Process is to identify policy options to ensure that the “development, facilitation, purchase, transfer and use of CCICs” does not lead to “irresponsible use” of these tools. Ultimately, the organizers of the Pall Mall Process hope to tame the market—that is, shape the behavior of the suppliers of CCICs.

In April 2025, the Pall Mall Process produced a Code of Practice for States (CoP), endorsed by 25 states, in which they committed to a number of policy actions. As a first step, they addressed the role of states, which play a crucial role in shaping the market as buyers and users of CCICs. The CoP outlines five ways in which governments can shape the CCIC market and details policy action to this end: setting up rules for CCIC suppliers, establishing rules for government use of CCICs, shaping the national ecosystem in which the CCIC market operates, providing support to victims, and coordinating and cooperating internationally.

At the same time, the framing of the Pall Mall Process remains problematic. While organizers have focused on the “responsible use” of CCICs, the metrics for responsible use remain unclear. Additionally, this approach may, paradoxically, facilitate proliferation (explained below). Finally, it is unclear to what extent government action can meaningfully shape the formal market rather than push it underground.

Moving forward, the Pall Mall Process should focus on three things: broadening its scope to include state-developed and noncommercial cyber intrusion capabilities, ensuring implementation of the CoP by states through follow-up and the establishment of an accountability mechanism, and developing a code of practice for industry to translate diplomatic commitments to business practices.

The Pall Mall Process

France and the United Kingdom jointly launched the Pall Mall Process with the publication of the Pall Mall Process declaration in February 2024. Twenty-five states, two international organizations, and several stakeholders endorsed this document to tackle the problem and agreed to a set of principles to guide this endeavor: accountability, precision, oversight, and transparency. This first output of the Pall Mall Process did not go beyond a declaration of intent and contained little actionable language. After the first conference, France and the U.K. launched a consultation process, which led to cross-governmental coordination and facilitated meaningful stakeholder involvement.

As a basis for drafting the 2025 CoP, the organizers asked states to fill out a survey on existing government practices. As part of the survey, ministries of foreign affairs consulted with their colleagues from other ministries and government agencies to take stock of existing practices, establishing a domestic cross-governmental information-sharing exercise. Throughout the drafting process of the CoP, the organizers made an effort to include stakeholders from industry, civil society organizations, and academia. As a result, several stakeholders saw their input reflected in the final CoP, demonstrating meaningful stakeholder inclusion.

In total, 25 states have endorsed the CoP so far (it remains open for endorsement), most of them like-minded across a variety of diplomatic issues. Among these are the U.S.; 17 EU member states; Ghana; Japan; Kosovo; Moldova; South Korea; Switzerland; and the United Kingdom. Some of these endorsements have come from states that have previously committed governmental spyware abuses (including Ghana, Greece, Hungary, Italy, and Poland) and several that are or were home to spyware vendors (including Austria, Germany, Hungary, Ireland, and Luxembourg).

The list of endorsers of the CoP is a smaller and less diverse group than the supporters of the 2024 Pall Mall Process declaration. Among others, Cyprus and the United Arab Emirates—which have been criticized for their involvement with spyware—did not endorse the CoP. Other governments notorious for their spyware history, like Spain and Israel, endorsed neither the initial Pall Mall Process declaration nor the CoP. However, several countries that have not endorsed the CoP took part in the consultations and the conferences, demonstrating interest in and engagement with the process.

The Code of Practice for States

As the title suggests, the CoP addresses governments, not industry. To analyze the different levers policymakers have at their disposal, I outline five mechanisms in the CoP by which governments can shape the market for CCICs.

First, among the rules governments can set up for the CCIC market, the CoP includes both punitive measures and regulations, and nonbinding, more aspirational proposals. The punitive measures and regulations include domestic regulation and frameworks, such as oversight mechanisms for the CCIC market; establishing or updating and enforcing export controls for CCICs; imposing financial sanctions, travel restrictions, and indictments of individuals and entities “carrying out, facilitating, or benefiting from the irresponsible use of CCICs”; and establishing rules that limit public procurement of irresponsible CCIC suppliers, combined with compliance assessments of CCIC vendors by governments.

The nonbinding proposals mentioned in the document, which states do not commit to and which lack specific policy actions, include know-your-customer and know-your-vendor requirements for industry, the implementation of human rights due diligence by CCIC vendors, and “act[ing] against the development, purchase, facilitation, transfer of CCICs to and use of CCICs by irresponsible and illegitimate non-state actors, such as criminals.”

Second, the states endorsing the CoP commit to setting up rules for their own use of CCICs. This includes developing and articulating a policy for government use of CCICs, creating or strengthening independent oversight of government use of CCICs, enhancing cross-government information sharing on the use of CCICs, and training government employees responsible for CCICs in line with established good practice.

Third, governments can shape the national ecosystem in which the CCIC market operates. While the document refrains from mandating legal protections for security researchers, states commit to protecting them from “intimidatory litigation.” In addition, states aim to include CCICs in the education and training of cybersecurity professionals and encourage companies to develop and publish coordinated vulnerability disclosure policies, in which they lay out the process of addressing a software vulnerability—for instance through a patch—after a security researcher has reported a vulnerability. Relatedly, states seek to implement “controls for researchers contracting with Governments” and for cybersecurity professionals with CCIC expertise to prevent the irresponsible proliferation of skills.

Fourth, the CoP outlines how governments can provide support to victims. Governments commit to ensuring that victims of CCIC abuse have access to legal means, providing awareness-raising activities and cybersecurity advice to groups at risk, and establishing or strengthening abuse reporting mechanisms.

Fifth, the endorsing states pledge to coordinate and cooperate internationally on all of the above issues. They seek to harmonize export control regimes, coordinate sanctions and indictments, and share information about responsible government use of CCICs and the structure of the CCIC market. Furthermore, they strive to use cyber capacity-building as a tool for fostering responsible behavior, building capacity for export controls, strengthening resilience, and ensuring that the use of CCICs for cyber capacity-building purposes follows the ideas of responsibility laid out in the CoP.

Challenges for Establishing Use of CCICs

While Pall Mall Process signatories are united in their objective of ensuring responsible use of CCICs, the question of implementation remains controversial. There are three main issues at play: defining responsible use, consequences for the proliferation of CCICs, and whether governments can meaningfully shape the formal market rather than push it underground.

The first controversy arises from how to define “responsible use.” The CoP mentions “responsible” alongside other qualifiers like “legal,” “lawful,” and “legitimate” use of CCICs, all of which are “open to interpretation and are not necessarily synonymous.” More specifically, the CoP defines irresponsible CCIC use by state and non-state actors as “use in ways that threaten security, respect for human rights and fundamental freedoms or the stability of cyberspace, without appropriate safeguards and oversight in place or in a manner inconsistent with applicable international law or the consensus United Nations framework on responsible State behaviour in cyberspace, with due regard to domestic law where relevant.”

This list of actions constituting irresponsible use is diverse, and it is unclear whether a practice should be considered irresponsible if, for example, it is in line with domestic law, but violates internationally recognized human rights, or how to resolve contradictions. In addition, several of the listed frameworks—such as the UN framework of responsible state behavior or the stability of cyberspace—lack clear operationalization, so it is hard to determine whether a given practice violates them. In short, this definition of responsible use of CCICs does not always provide a clear yardstick.

As an alternative to the “responsible” framing, cybersecurity researcher James Shires suggests distinguishing between “permissioned” and “unpermissioned” intrusion. This distinction would avoid policy action affecting unproblematic uses of intrusion capabilities—for example, when export controls are applied to penetration testing tools that are routinely used for cybersecurity purposes. This approach may also be easier to operationalize than the morally charged discussion about responsibility.

Second, the Pall Mall Process could, somewhat counterintuitively, contribute to the proliferation of cyber intrusion capabilities. There is an inherent tension in the approach of the process: On the one hand, the 2024 and 2025 documents state that CCICs can be used for legitimate purposes like law enforcement, intelligence, and military objectives. On the other hand, concerns about the proliferation of these tools are the key driver of the initiative. The process seeks to square this circle not by eliminating the market’s or government’s use of these tools, but by distinguishing responsible from irresponsible practices.

From a classical proliferation perspective, more actors having access to and the expertise to use a given tool raises the probability of this tool being abused. In response, the Pall Mall Process might suggest that the problem is not proliferation itself, but irresponsible proliferation—hence the focus on ensuring responsible use. Accordingly, it matters which states and non-state actors have access to CCICs and how they use these capabilities. The blind spot of this approach is that governments are in flux, and new leadership may not align with CoP rules. Furthermore, from a commercial perspective, increased demand will bolster the market. In the absence of a code of practice for industry, it is hard to ensure that only responsible companies will benefit.

The third controversy about responsible use lies in the potential of governments to effectively shape the CCIC market. Currently, there exists both a formal market for CCICs as well as a black or underground market—with a gray market in between. Pall Mall is seeking to bring more companies into the formal market while setting meaningful guardrails and regulation for it. This is a challenge, especially when developing a code of practice for industry: Companies will need to choose whether they want to operate in the open and comply with the rules or, if not, operate in an informal manner. If the rules are not very ambitious, more companies may adhere to them, but their effect may be small. In contrast, if the rules are very ambitious, few companies may choose to comply—so the net impact on the market may be just as minor. In resolving this trade-off, states and stakeholders will need to walk a fine line.

The Process Should Broaden Its Scope

One of the Pall Mall Process’s strengths is its ambitious scope. Even though much of the discourse at the 2025 Pall Mall conference was spyware focused, it is essential to shine a light on other actors in the CCIC ecosystem as well. Visibility is crucial, so researchers will have an important role to play—but policy action is equally important. Given that spyware vendors have proved themselves capable of adapting to an adversarial climate, more decisive policy action may drive the people behind the spyware to explore other business sectors that have so far seen less policy action than spyware, such as hackers-for-hire or exploit marketplaces—making an inclusive understanding of CCICs critical.

At the same time, Pall Mall’s understanding of CCICs is overly narrow in some areas—specifically, it does not include cyber intrusion capabilities (CICs) developed by governments and other noncommercial tools, as Sven Herpig and I criticized following the publication of the 2024 declaration. Some of the actions for policies on government use of CCICs may have spillover effects on their development, such as oversight mechanisms or cross-government information sharing. In sum, the actions outlined by the CoP are important first steps for governments becoming more aware of the role they play in the ecosystem and shaping the market through their own actions. 

While it could be argued that CICs developed by governments would fall under the remit of the UN Open-Ended Working Group on Security of and in the Use of Information and Communications Technologies (OEWG), the group is not currently well positioned to address CCIC proliferation. Given the current international political constellation of entrenched conflict between Russia and China on the one hand and Western states on the other, it is unlikely that the OEWG or its likely successor, a to-be-established permanent cybersecurity mechanism at the UN, will produce substantial progress on the CCICs issue. Rather, there is precedent for states referring to and building on initiatives outside of the UN in OEWG sessions, thereby bringing them into the discussion.

In the future, the organizers should include CICs developed by governments in the process. The policy actions orienting government use of CCICs may provide a valuable basis for these conversations. To this end, the organizers should strive to involve in the conversation the government officials responsible for developing CICs—depending on states’ political setup, these will be law enforcement, intelligence, and military. If militaries have been involved in the Pall Mall Process so far, it happened behind the scenes. Nevertheless, it will be important to bring them into the conversation—especially regarding government development of CICs. A practical outcome of including government-developed tools in the process could be a code of conduct for government developers of CICs.

Moreover, the exclusion of noncommercial tools (for example, freemium tools like Metasploit), freely available known exploits, or dual-intent tools that are not primarily designed for intrusive purposes but can be used to that end (such as Cobalt Strike) is detrimental to the success of the Pall Mall initiative. The objective of mapping and analyzing CCIC supply chains will require explicitly discussing noncommercial tools. Broadening Pall Mall’s scope to include noncommercial tools would allow states and stakeholders to discuss with more nuance the particularities of CCICs and their supply chains. 

Implementation and Accountability

Beyond these ideas for widening the scope of the process, there are two immediate action items now that states have agreed on in the CoP: following up on states’ implementation and establishing an accountability mechanism for states. In the Pall Mall context, there is some confusion between accountability for states versus companies. Effectively taming the market will require both—but an accountability mechanism requires a baseline against which actors can be assessed. Currently, such a baseline exists only for states (through the CoP), so the present accountability discussion should focus on whether states that have endorsed the CoP can be held accountable when they do not implement the political self-commitments outlined in the document.

To this end, the first step is tracking implementation of the commitments laid out in the CoP by states. A three-pronged approach would be sensible for tracking implementation. First, a consortium of civil society and academia, jointly funded by industry and government supporters of the Pall Mall Process, should record violations of the CoP by states and states’ implementation efforts, leveraging the experience gained through many other tracking initiatives and reporting templates. Second, individual governments or groups of states should produce national implementation reports and share these with other states or, ideally, with the consortium for inclusion in the implementation tracker. Third, states and stakeholders involved in the Pall Mall Process should jointly develop a national survey of implementation, similar to the survey the UN Institute for Disarmament Research developed for the implementation of the UN cyber norms, for completion by states. The standardized format would facilitate comparison across states’ responses. Moreover, the supporters should discuss whether they want to aim for setting up a secretariat for future coordination and spearheading implementation and accountability efforts. This body should receive states’ completed surveys and then publish anonymized evaluations. In the absence of a secretariat, the consortium of civil society and academia could fulfill this task.

Once there is data on states’ implementation of the CoP, the following iterations of the Pall Mall conference should explore whether states that fail to implement the CoP should be held accountable. The CoP is not a legal document but rather a set of “voluntary, non-binding” political self-commitments. Nevertheless, it seeks to establish political norms that can, over time, become politically binding when states that endorse the norms expect their fellow endorsing states to follow through and establish policy actions. Supporters of the CoP should consider whether they want to pursue this route.

If they do, states and stakeholders should establish a timeline for implementation of CoP policy actions. Subsequently, they could consider what actions to take when states fail to comply. Since the states that have endorsed the CoP tend to be like-minded, it is extremely unlikely that they would resort to the public attribution of noncompliance or even measures with more teeth, like sanctions, against other states. However, as is the case for governmental spyware abuses, civil society organizations can play an important role in naming and shaming governments for irresponsible CCIC practices.

A Code of Practice for Industry

The Pall Mall Process is among the most promising cyber diplomacy initiatives currently underway, as alternatives—such as the Counter Ransomware Initiative and cybersecurity discussions at the UN—face considerable challenges in the current geopolitical climate. The Pall Mall Process’s potential for success rests in its concrete focus on one—albeit challenging—topic and the meaningful involvement of stakeholders, who hold invaluable expertise. The approach of building consensus first among a small, like-minded group before disseminating among other states and stakeholders is a sensible one in the current political constellation.

But it is never too early to look ahead, even beyond the question of implementation and accountability. The discussion about these topics will be just a prelude to another thorny issue: the code of practice for industry. Such a document would outline responsible CCIC practices for companies. It would also serve as a baseline to implement some of the policy actions outlined in the CoP for states, like export controls, sanctions, or public procurement of CCICs. In the field of cybersecurity, there is precedent for such rules for industry practices shaped in multi-stakeholder setups. A secretariat could also track industry accountability once a code of practice for industry has been developed.

At the same time, a code of practice for industry can be used as a basis for investor engagement, especially of venture capital firms, to shape the market not through regulation but through financing. Pall Mall organizers and participants should therefore actively reach out to venture capital and private equity firms to bring them into the conversation from the start, place the topic of irresponsible use of CCICs on their agenda, and make sure they can implement the CoP for industry.

The CoP for industry may therefore be the most important document to shape the market for CCICs—and it will be crucial that the organizers and participants of the Pall Mall Process maintain their momentum until then.

– Dr. Alexandra Paulus is a researcher for cybersecurity policy and emerging technologies at the German Institute for International and Security Affairs (SWP), where she also co-leads the research cluster on cybersecurity and digital policy. Her expertise covers cybersecurity policy, cyber diplomacy, and software supply chain risk. Previously, she led the cyber diplomacy workstream at interface, a Berlin-based tech policy think tank, and completed her Ph.D. on how Brazil shaped global cyber norms. Published courtesy of Lawfare
