ChannelLife New Zealand - Industry insider news for technology resellers

International code targets responsible cyber intrusion use

Thu, 10th Apr 2025

The UK, France, Japan, Italy, and 17 other countries have signed a Code of Practice concerning the development and use of commercial cyber intrusion capabilities (CCICs), marking an important effort towards the responsible regulation of this rapidly evolving sector.

The newly established Code of Practice outlines policy and regulatory recommendations designed to ensure that states manage CCICs responsibly. According to the UK government, these recommendations focus on states' roles as regulators, customers, and users of these technologies.

Katharina Sommer, Head of Public Affairs at the cybersecurity consultancy NCC Group, shared her insights following the launch of the Code of Practice during the second Pall Mall Process in France. She noted, "The Code is a huge step in the right direction. While it is not legally binding, it sets out clearly the best practices expected of states that commit to tackling the proliferation of commercial cyber intrusion capabilities, and crucially offers the framework for states to have conversations about the way forward with the multiple stakeholders in their own jurisdictions, and ways to legislate domestically to incorporate the Pall Mall provisions into their national laws. The states that signed the Code have likely seriously considered that step, which suggests they have also considered ways of implementing (at least some of) the different provisions. This is positive momentum."

Sommer addressed the significance of the Code as it pertains to state responsibilities, noting, "It is interesting that the Code of Practices is targeted at states, accepting their crucial role as customers, users and regulators of commercial cyber intrusion capabilities, and the signals they are able to send to the rest of the market. Beyond that, it's reassuring to see inclusions in the Code acknowledging the legitimate use of those capabilities, as well as of the crucial role that security researchers play in relation to improving cyber defences and cyber defensive capabilities."

She further commented on the process: "The Code creates a sense of momentum and offers a framework allowing states to have internal conversations and consider their national implementation. States are actively engaging - and that needs to be clearly acknowledged as a positive step."

Sommer pointed out the importance of expanding the participation beyond traditionally engaged countries, emphasising, "The challenge is reaching beyond the 'usual suspects', and encouraging the active participation of those 'middle ground' states (and other stakeholders) who might not naturally be considered 'definitively responsible actors'. Widening the number and the kind of states that sign up to the Code will be crucial over the next months (as will be watching what happens in those Five Eyes countries that have forthcoming elections)."

"It should also be noted (and in fact will not have gone unnoticed) that the United States have not signed up to the Code, a potential further indication of the fragmentation of the world order as we knew it, and of the US withdrawal from multilateral initiatives, to act in national interest."

The Pall Mall Process is structured to be a multi-stakeholder effort, intentionally including input from academia, civil society, and industry stakeholders in the CCIC ecosystem. Sommer remarked, "The Pall Mall Process has deliberately been structured as a multi-stakeholder process, focused not just on states but including academic, civil society and industry - across the commercial cyber intrusion capabilities ecosystem. This is significant, because it allows engagement, and input from across the ecosystem, and is likely to enhance the shared understanding of the threats, risks and challenges, form relationships between parts of the ecosystem that could create positive outcomes outside of the formal process, and, we hope, lead to practicable and implementable outputs, broad(er) buy-in, and more effective accountability."
