8 November 2024

State Permissive Behaviours and Commercial Offensive-Cyber Proliferation

Dr Gareth Mott, James Shires, Jen Ellis, James Sullivan and Jamie MacColl

Commercial cyber tools and services have many legitimate applications, from corporate penetration testing (an authorised simulated cyber attack on an IT system) to law enforcement and national security operations. But they are also subject to misuse and abuse, when they are used in ways that are contrary to national or international law, violate the human rights of their targets, or pose risks to international security. Some states are currently grappling with this policy challenge. Meanwhile, collective international initiatives for action are underway.

Examples include the US’s 2023 Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware and the UK- and France-led Pall Mall Process of 2024. Ultimately, one aim of these initiatives is to enable states to harmonise their policy interventions where possible.

To inform principles and policies for intervention at national and international levels, it is necessary to understand the dynamics that encourage or facilitate offensive-cyber proliferation. This paper identifies a range of ‘non-state proliferating factors’ (NPFs) and ‘state permissive behaviours’ (SPBs). Its findings draw on desk-based research on the international commercial offensive-cyber market, supplemented by a data validation and consultative workshop with industry stakeholders held in person at Chatham House in March 2024. This half-day validation workshop drew on the expertise and insights of 44 participants predominantly based in the UK, the US and Western Europe. To facilitate candid discussion, remarks made at the workshop are not attributable, and the identities of participants are not referenced here.
