Cyber intrusion capabilities have long been used to facilitate human rights abuses—like surveilling members of parliament, spying on opposition politicians, or tracking dissidents, journalists, and human rights defenders. The case of Jamal Khashoggi—whom the Saudi government spied on using NSO Group’s Pegasus spyware, and subsequently murdered during a Saudi embassy visit—shows the horrific consequences of unrestrained use of these capabilities. Beyond spyware, commercial cyber intrusion capabilities (CCICs) include vulnerabilities and exploit marketplaces like Zerodium, initial access brokers, and hackers for hire, among other things. What all these tools have in common is “the ability to access and manipulate a digital device, system, or network remotely without authorisation[.]” In 2024, the British and French governments decided to foster policy action to regulate the market for these capabilities by launching the Pall Mall Process. This initiative brings together states and non-state actors to tackle the proliferation of CCICs. The objective of the Pall Mall Process is to identify policy options to ensure that the “development, facilitation, purchase, transfer and use of CCICs” does not lead to “irresponsible use” of these tools. Ultimately, the organizers of the Pall Mall Process hope to tame the market—that is, shape the behavior of the suppliers of CCICs.
Tackling the Proliferation of Cyber Intrusion Capabilities | Lawfare