An international effort is underway to draw up guidelines for commercial spyware and similar providers, in an attempt to stamp out “irresponsible” behavior.
The Pall Mall Process was launched in 2024 by the UK and France – with 27 governments and tech giants including Google, Microsoft, Apple and Meta signing up to limit the fast-growing trade in commercial spyware and zero-day exploits.
As part of its crucial second phase, the initiative is looking to canvass opinion from the “offensive cyber” industry on what responsible behavior by private sector firms looks like. The resulting guidelines will complement its Code of Practice for States, which was signed by those 27 nations last year, according to the National Cyber Security Centre (NCSC).
“Commercial cyber intrusion capabilities (CCICs) are an essential part of many countries’ toolkits for tackling serious crime, countering national security threats, and protecting citizens,” the NCSC said. “But without the necessary safeguards, their use can be dangerous and destabilising. The Pall Mall process seeks to maximise the positive use made of CCICs while striving to eradicate their harmful use.”
The NCSC explained in a blog post yesterday that it considers CCICs to include vulnerability research and exploit development (VRED), malware creation, command and control (C2), hacking-as-a-service, and access-as-a-service.
“The market for CCICs encompasses a wide variety of cyber intrusion companies offering products and services that are continually evolving and diversifying,” the NCSC added.
“It includes an interconnected ecosystem of researchers, developers, brokers, resellers, investors, corporate entities, operators, and customers, including states. Everyone in this ecosystem has a part to play in encouraging/advocating responsible use of CCICs.”
The UK and French governments are particularly keen to hear from anyone working in the CCIC market, to understand their motivations and get their thoughts on how the industry can move forward in a responsible way.
The idea behind the guidelines is not only to agree on what responsible behavior looks like, but also to enable the community to tackle irresponsible use of CCICs.
Commercial Spyware Goes from Strength to Strength
The move comes as the market for CCICs continues to grow. New zero-day vulnerabilities are being discovered and patched on a monthly basis by the likes of Google and Apple.
In early November, the US Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to patch a zero-day flaw that had been used by threat actors since mid-2024 in attacks on WhatsApp users with Samsung devices.
A month previously, Google patched a zero-day in Chrome linked to a targeted espionage campaign dubbed “Operation ForumTroll,” which involved tools developed by Italian spyware vendor Memento Labs.
Some unscrupulous individuals are also looking to cash in on the demand for CCICs. In October, it emerged that the boss of a US defense contractor had pleaded guilty to selling zero-day exploits developed by the firm to a Russian broker who counts the Kremlin among his clients.
The consultation is set to close on December 22.