The Pall Mall Process [1] [2] [3] [5] [6] [7] [8] [9] [11], an international initiative aimed at addressing the proliferation of commercial cyber intrusion tools [1], will be launched at a diplomatic conference in London [3]. This initiative seeks to combat the misuse of these tools, particularly spyware, which raises concerns for national security and the safety of government personnel [3], information [3], and systems [3] [6]. The conference will involve representatives from 35 nations [10], including big tech leaders like Apple [2], BAE Systems [3] [5] [11], Google [2] [3] [5] [7] [8] [9] [10] [11], and Microsoft [2] [3] [8] [11], as well as legal experts, human rights defenders [3] [7] [8] [11], and vendors involved in developing and selling cyber intrusion tools and services [3].

Description

The misuse of commercial cyber intrusion tools [1] [3] [5], specifically spyware [1], has become a significant concern for national security and the protection of government personnel [3], information [3], and systems [3] [6]. In response to these security risks, the US government has already banned the use of commercial spyware. The Pall Mall Process builds upon the principles and policies established during the UK-France Cyber Proliferation conference, emphasizing the urgent need to combat the abuse of spyware for human rights violations and the importance of multi-stakeholder action. It also recognizes the risk of spyware falling into the hands of cyber criminals [8].

The conference will involve signing a declaration and committing to joint action on the issue [3]. Notably, the declaration does not include Israel, home to the controversial spyware vendor NSO Group [8], which has been implicated in human rights abuses and the murder of journalist Jamal Khashoggi. The collaboration aims to address the proliferation and irresponsible use of commercially available cyber intrusion capabilities [5] [6]. The industry has faced scrutiny following revelations of the NSO Group’s Pegasus spyware infiltrating devices globally [10], and other firms enabling the proliferation of spy technology for malicious purposes have been identified by Google researchers. The National Cyber Security Centre estimates that thousands of individuals are targeted by spyware campaigns annually [7]. Efforts to combat the spyware ecosystem face challenges as new players emerge and exploit vulnerabilities [7].

Google’s Threat Analysis Group tracks commercial spyware companies that exploit zero-day vulnerabilities in various platforms [7]. In 2023, Variston [7], a Barcelona-based company [7], exploited three iOS flaws to infect victims with spyware [7], which Apple subsequently patched. Variston also weaponized a security flaw in Qualcomm chips [7]. Additionally, private sector firms offer turnkey espionage solutions that bundle exploit chains to collect data from targeted devices [7].

The Pall Mall Process will be followed up with a conference in France next year to assess progress and continue discussions on the topic. As part of the initiative’s efforts to address the proliferation and irresponsible use of commercially available cyber intrusion capabilities [6], the UK will invest £1 million into the nonprofit Shadowserver Foundation to expand access to early warning systems and cyber resilience support [6]. The initiative also considers the “hackers for hire” phenomenon [6], the exploit marketplace [6], and off-the-shelf intrusion capabilities for disruptive and destructive effects [6].

In light of concerns about human rights abuses and threats to privacy and freedoms of expression [4], the US has introduced new visa and travel restrictions on individuals associated with commercial spyware development [4]. The UK and France are calling for an international agreement on the use of commercial spyware and surveillance tools [2]. The conference in London will bring together delegates from 35 countries [2], including big tech companies like Apple [2], Google [2] [3] [5] [7] [8] [9] [10] [11], and Microsoft [2] [3] [8] [11], as well as human rights groups and legal experts [2]. The conference will launch the Pall Mall Process [2], an international declaration aimed at developing safeguards and oversight for spyware and other intrusive technologies [2]. The deputy prime minister of the UK [2], Oliver Dowden [2], emphasized the need for collaboration to address the growing threat of cyber tools [2]. The conference is expected to lead to further international meetings [2].

The White House has also announced measures to combat spyware [2], including global visa restrictions on individuals involved in its misuse [1] [2]. The US State Department has implemented a new policy to impose visa restrictions on individuals involved in the misuse of commercial spyware [1]. This policy aims to combat the global misuse of spyware [1], which is used for repression [1], violating privacy [1], and enabling human rights abuses [1]. It specifically targets those who use spyware to target or intimidate individuals [1], including journalists and activists [1], as well as those who financially benefit from such misuse and their immediate family members [1]. This policy will pose challenges for individuals associated with spyware vendors such as Candiru [1], NSO Group [1] [8] [10], Intellexa [1], and Cytrox [1], all of which have been added to trade blacklists in recent years [1].

Interestingly [1], this coincided with the launch of an initiative called the Pall Mall Process [1], which was hosted by the UK and France [1]. The Pall Mall Process aims to address the proliferation of commercial cyber intrusion tools through joint-action commitments by attendees [1]. However, notable absences from the conference were Israel [1], Austria [1], Egypt [1], and North Macedonia [1]. Israel’s absence is particularly significant as it is the source country for two of the four companies that have been sanctioned by the US (Candiru and NSO) for trafficking cyber tools that enable “transnational repression” by authoritarian governments [1].

Conclusion

The Pall Mall Process and the conference in London mark significant steps in addressing the proliferation and misuse of commercial cyber intrusion tools. The collaboration between nations, tech leaders [3], legal experts [2] [3], and human rights defenders highlights the urgency and importance of combating the abuse of spyware for human rights violations and national security risks. Efforts to combat the spyware ecosystem face challenges as new players emerge and exploit vulnerabilities [7], but the international community is committed to joint action and continued discussions on the topic. The introduction of visa and travel restrictions by the US and the call for an international agreement on the use of commercial spyware and surveillance tools by the UK and France demonstrate a global commitment to mitigating the risks posed by these technologies. The future implications of these initiatives will be assessed in the follow-up conference in France next year, which will evaluate progress and further strengthen international cooperation in addressing the proliferation and irresponsible use of commercially available cyber intrusion capabilities.

References

[1] https://www.munrobotic.com/p/briefly-briefed-newsletter-22-070224
[2] https://www.computerweekly.com/news/366569073/UK-and-France-push-for-international-agreement-on-spyware
[3] https://securitydive.in/2024/02/07/britain-france-gathers-diplomats-for-international-agreement-on-spyware/
[4] https://www.computerweekly.com/news/366569152/UKs-McPartland-Cyber-Review-to-probe-trust-in-technology
[5] https://www.infosecurity-magazine.com/news/governments-tech-giants-against/
[6] https://www.darkreading.com/endpoint-security/world-govs-sign-spyware-responsibility-pledge
[7] https://thehackernews.com/2024/02/global-coalition-and-tech-giants-unite.html
[8] https://www.interest.co.nz/technology/126250/new-zealand-part-international-pall-mall-process-tackle-spyware-and-hackers-hire
[9] https://www.computerweekly.com/news/366569276/Dozens-of-surveillance-companies-are-supplying-spyware-to-governments-says-Google
[10] https://dig.watch/updates/the-pall-mall-process-tackles-spyware
[11] https://www.itpro.com/security/uk-leads-international-efforts-to-tackle-hackers-for-hire