An international initiative is working to establish voluntary standards for the commercial cyber intrusion industry, focusing on how to define the scope, encourage adherence, and address companies with a history of questionable practices. The Pall Mall Process, which previously addressed government use of commercial hacking tools, is now turning its attention to industry-wide guidelines.
At the DistrictCon conference in Washington, D.C., on Saturday, representatives from government, industry, and civil society explored factors that will shape these voluntary rules. The discussions, held under Chatham House rules, occur as nations grapple with the use and regulation of spyware and as the U.S. considers a more significant role for the private sector in cyber offense capabilities.
Navigating the Commercial Cyber Intrusion Industry Standards
A foreign government representative involved in the Pall Mall Process stated that the initiative aims not to eliminate commercial intrusion products, which can be valuable for legitimate purposes like law enforcement, but rather to establish clear guidelines for their responsible government acquisition and use from ethical vendors. The goal is to foster a responsible marketplace, not to halt operations.
Defining the Scope and Participants
A significant point of discussion on Saturday was the intended scope of the industry guidelines. Debates ensued regarding which entities the rules should cover. Participants considered whether reconnaissance tools should be included and how to differentiate legitimate academic research from illicit activities. The challenge lies in drawing clear lines within a rapidly evolving sector.
Other participants highlighted the importance of incentives and disincentives for adoption. Some vendors may resist voluntary rules if they perceive them as burdensome barriers to government sales. One expressed a lack of motivation to engage with the current proposals, suggesting that the perceived benefits are not yet compelling enough.
In contrast, another participant argued that while adhering to the guidelines might initially seem less profitable, especially if some nations do not adopt them, the long-term advantage lies in continuing operations ethically. This approach allows for sustained business without contributing to the persecution or harm of individuals targeted by intrusive technologies.
Incentivizing Compliance and Addressing Past Conduct
Streamlining government procurement processes across different nations could make adherence to the code of conduct more attractive, according to one attendee. This streamlining would enable vendors to engage with multiple governments simultaneously, potentially increasing their business opportunities while operating under a unified set of standards.
The issue of how to manage companies with a history of problematic behavior was also a key topic. The foreign government representative emphasized the need to prevent the standards from being used as a means to legitimize past irresponsible actions, effectively acting as a “launder for irresponsible behavior.”
Some proposed clear penalties for those who violate the rules after subscribing to them. Conversely, others suggested that the barrier to entry should not be prohibitively high and that the rules should not be overly punitive. This approach aims to encourage even those who have misbehaved to join the process and be guided toward better practices.
Furthermore, the voluntary standards could address vendor responsibilities regarding customer oversight, detecting and preventing abuse, and the potential need for companies to implement “kill switch” capabilities, as suggested by the foreign government representative. While these standards would be non-binding, governments could leverage them to favor compliant companies and discourage business with those who do not subscribe.
The next steps for the Pall Mall Process involve further refinement of these proposed guidelines. The timeline for their finalization and potential announcement remains uncertain, though continued dialogue among stakeholders is expected. Attention will be focused on how the voluntary standards are shaped and whether they can effectively balance the interests of governments, industry, and individual rights.

