A conference in London, hosted by the United Kingdom and France, on the proliferation and use of spyware has resulted in a declaration to establish guiding principles for legitimate "commercial cyber intrusion capabilities" for nation states, including New Zealand and Australia.
Called the Pall Mall Process, the declaration intends to tackle problematic use of spyware, which, as the name implies, is software that can be implanted on victims' devices to spy on them surreptitiously.
Spyware has grown into a cyber security threat in recent years, with a plethora of companies offering a wide range of products that are evolving and diversifying.
The countries stated that multi-stakeholder action is needed for the spyware market, which otherwise risks raising the likelihood of increased targeting for profit.
Those targeted include journalists, human rights defenders, activists, and government officials.
Spyware could also fall into the hands of cyber criminals, facilitating the spread of potentially destructive and disruptive capabilities, the Pall Mall Process declaration stated.
There are companies offering hacking-as-a-service for commercial purposes, and individuals hired by states as hackers-for-hire, acting as capability providers for spyware customers.
The Pall Mall Process makes it clear that there is international law that applies to how nation states should conduct themselves in cyberspace; United Nations member states have also committed to act in accordance with the framework for responsible state behaviour in cyberspace.
Security researchers got a nod of approval in the Pall Mall Process: "We acknowledge the benefit that good faith security research, vulnerability disclosure, bug bounties for cyber defensive purposes and penetration testing can have on cyber security defences. We recognise the vital role that industry plays in strengthening cyber security and supporting victims in responding to malicious cyber activity," the declaration said.
Europe, Africa and North America are represented in the Pall Mall Process, along with Singapore, Malaysia, Japan, and South Korea in Asia.
Microsoft, Google, Meta and anti-virus vendor ESET are some of the industry organisations represented, with the Atlantic Council, the Shadowserver Foundation, and University of London's Royal Holloway also joining in.
A notable absentee from the declaration is Israel, which is home to controversial spyware vendor NSO Group. Its flagship spyware, Pegasus, is classified as a weapon by Israel. All export licence sales of Pegasus must be approved by the Israeli government.
Pegasus has been used against human rights activists, researchers said, and it was deployed by a Saudi Arabian hit squad to entrap and murder American journalist Jamal Khashoggi.
NSO Group has been sued by Apple and Facebook-WhatsApp parent company Meta for its role in developing Pegasus.
Update: The United States has announced a new policy that places visa restrictions on those who abuse commercial spyware. Citing support for human rights and fundamental freedoms, the US will restrict visas for individuals involved in spyware misuse, including their immediate family members such as spouses and children.