Cyber experts offer lukewarm praise for voluntary code governing use of commercial hacking tools

The Pall Mall Process guidelines for nations could be useful, they said, but have obvious limitations.
Cybersecurity professionals who participated in discussions over a code of conduct for nations to use commercial hacking tools said the final voluntary guidelines offer modest promise, even if they fall short of what some wanted.

The next step for the joint France/U.K.-led Pall Mall Process, which last week got 21 signatories to the code, is to establish parallel guidance for industry. Commercial spyware was the “catalyst” for the process, said Elina Castillo Jimenéz, who leads advocacy for Amnesty Tech’s Security Lab. But the process seeks to address a broader marketplace of what it calls “commercial cyber intrusion capabilities,” which could include, say, the phone-cracking services of a company like Cellebrite.

Evan Dornbush, a former National Security Agency computer network operator who has worked as an exploit broker in the private sector, said he was “optimistic” about the Pall Mall Process bringing the sector in as a partner.

“They definitely don’t want to return to an era where the vulnerability research community is demonized and ostracized,” Dornbush said, adding that the process acknowledges “there’s a strategic advantage to conducting offensive cyber, and they need to partner with the private sector to achieve those objectives.”

It’s helpful to someone who might sell a bug or exploit to a government to know that an enlistee to the code is unlikely to abuse it by going after dissidents or journalists, he said.

The most prominent spyware vendor, NSO Group, also participated in the process by attending virtual meetings, supplying recommendations and more, said a spokesman, Gil Lanier.

“Our input was clearly valuable, as demonstrated by the incorporation of our Recommendations and other inputs into the report, which directly reflects the compliance practices we have developed and advocated,” he said in an emailed statement.

Reviews of the final document, though, are mixed. Castillo Jimenéz said it has “positive elements,” but “there were some levels of disappointment” in the final text on the level of support it would offer to victims, its focus on human rights and other language.

Civil society groups have been skeptical of the process because it’s voluntary, said Natalia Krapiva, senior tech-legal counsel at Access Now. On the other hand, “it’s really the only sort of multilateral effort that we have,” she said, adding that at minimum, the format offers a platform to educate countries on the risks of spyware.

One key will be how nations implement the code, said Jen Ellis, founder of NextJenSecurity. 

“I am glad to see that there is a sort of acknowledgement of how these tools can be abused and are being abused, particularly as you look at the sort of humanitarian angle,” she said. “What will the Pall Mall Process do that goes beyond that, or changes that calculus? And I think there’s still a question mark over that.”

Ellis also said there was a fear that the code could create “a greater margin between those who behave responsibly and those who don’t.” She said that since last week, another country, Romania, has signed the code.

Katharina Sommer, head of public affairs at the cybersecurity consultancy NCC Group, said the code was a “huge step in the right direction,” but there were some notable absences among the list of supporting nations.

“The challenge is reaching beyond the ‘usual suspects,’ and encouraging the active participation of those ‘middle ground’ states (and other stakeholders) who might not naturally be considered ‘definitively responsible actors,’” she said in emailed remarks. “Widening the number and the kind of states that sign up to the Code will be crucial over the next months (as will be watching what happens in those Five Eyes countries that have forthcoming elections).

“It should also be noted (and in fact will not have gone unnoticed) that the United States have not signed up to the Code, a potential further indication of the fragmentation of the world order as we knew it, and of the US withdrawal from multilateral initiatives, to act in national interest,” she continued.

Sources confirmed to CyberScoop an account in The Record that JD Work — the director of cyber countering and enablement at the National Security Council — said at a workshop at the event last week that the United States would use lethal force against malicious cyber actors in the commercial space, raising eyebrows from participants. At least one participant took him to mean it literally.

An NSC spokesperson did not respond to requests for comment on why the United States hadn’t signed the document, or to clarify the meaning of Work’s comments. Work also did not respond to a request for comment about U.S. participation.