21 Countries Sign Onto Voluntary Pact to Stem the Proliferation of Spyware
After more than a year in the works, almost two dozen countries signed onto a voluntary accord to address the rising threat of commercial spyware used by some governments to track journalists, human rights workers, activists, lawyers and similar targets by hacking into their tech devices.
During a two-day meeting in Paris last week, the 21 nations signed the Pall Mall Process – or Code of Practices for States – with the bulk of them from Europe, including the UK, France, Germany, Sweden, and members of the Baltic and Balkan regions. Other countries included Japan and Ghana.
The United States is not listed as a signatory, though the Biden Administration used sanctions, visa restrictions, and other tools to push back against commercial spyware makers and users. In 2023, the United States led an effort similar to the Pall Mall Process to push for the responsible use of spyware – the Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware – that 23 countries have since signed.
Laying the Groundwork
The nine-page document outlines how such technology – referred to as commercial cyber intrusion capabilities (CCICs) – can be used responsibly and how to address vendors and others that use it illegally. That ranges from creating national frameworks to enforce responsible CCIC use and creating toolkits to deter the illegal use of the technology to ban vendors
The Pall Mall Process was launched by England and France in February 2024 and, according to the document, the countries expect to use it to “tackle the challenges posed by the proliferation and irresponsible use of commercial cyber intrusion capabilities. … Many of these tools and services can be developed or used for legitimate purposes. However, the proliferation of CCICs raises questions and concerns over the impact of their potential irresponsible use on national security, respect for human rights and fundamental freedoms, international peace and security, and an open, secure, stable, accessible, peaceful and interoperable cyberspace.”
‘A Huge Step’
Katharina Sommer, head of public affairs at cybersecurity consultancy NCC Group, called the document “a huge step in the right direction,” noting that while not legally binding, it lays out the expectations on countries for addressing the growing use of such intrusive cyber tools and creates a framework they can use to move forward in their efforts.
“It is interesting that the Code of Practices is targeted at states, accepting their crucial role as customers, users and regulators of commercial cyber intrusion capabilities, and the signals they are able to send to the rest of the market,” Sommer said. “Beyond that, it’s reassuring to see inclusions in the Code acknowledging the legitimate use of those capabilities, as well as of the crucial role that security researchers play in relation to improving cyber defenses and cyber defensive capabilities. … This is positive momentum.”
A challenge will be convincing other countries that might be active users of spyware to sign onto the document, she said. In a webinar in January, Michael Casey, at the time the head of the National Counterintelligence and Security Center, said that as many as 100 countries may be using spyware and warned that beyond vendors like NSO Group and its Pegasus spyware, there are many more such companies in operation.
The Dangers are Real
Such numbers back up what Google’s Threat Analysis Group found in a report it published in February 2024, in which it said it was tracking 40 commercial surveillance vendors (CSVs) and warned of the dangers of their software.
“The harm is not hypothetical,” the researchers wrote, noting that spyware vendors argue about its use by law enforcement and counterterrorism agencies. “While the number of users targeted by spyware is small compared to other types of cyber threat activity, the follow-on effects are much broader. This type of focused targeting threatens freedom of speech, a free press, and the integrity of elections worldwide.”
They also said that the use of spyware was feeding into the development of hacking tools used by threat actors, and that between mid-2014 and 2023, half of the known zero-day exploits used against Google products and Android devices were attributable to spyware.
Spyware also has been the target of lawsuits by device makers, including Apple, and victims.