By Gareth Mott, James Shires, Jen Ellis, James Sullivan and Jamie MacColl
Commercial cyber tools and services have many legitimate applications, from corporate penetration testing (an authorised simulated cyber attack on an IT system) to law enforcement and national security operations. But they are also subject to misuse and abuse, when they are used in ways that are contrary to national or international law, violate the human rights of their targets, or pose risks to international security. Some states are currently grappling with this policy challenge. Meanwhile, collective international initiatives for action are underway. For example, there is the US’s 2023 Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware and the UK- and France-led Pall Mall Process of 2024. Ultimately, one aim of these initiatives is to enable states to harmonise their policy interventions where possible. To inform principles and policies for intervention at national and international levels, it is necessary to understand the dynamics that encourage or facilitate offensive-cyber proliferation. This paper identifies a range of ‘non-state proliferating factors’ (NPFs) and ‘state permissive behaviours’ (SPBs), and its findings draw on desk-based research on the international commercial offensive-cyber market. These findings were supplemented by a data validation and consultative workshop with industry stakeholders held in person at Chatham House in March 2024. This half-day validation workshop drew on the expertise and insights of 44 participants predominantly based in the UK, the US and Western Europe. To facilitate candid discussion, remarks made at the workshop are not attributable, and the identities of participants are not referenced here.
In this paper, NPFs and SPBs are categorised into five areas:
Regulation of corporate structure and governance.
Legal frameworks for product development, sale and transfer.
Diplomatic support and engagement.
Development of cyber-security ecosystem and workforce.
Integration with defence and security industrial base.
Using these categories, this research analyses the roles of both state and non-state actors. It identifies critical inter-relationships between different SPBs and NPFs that serve to facilitate or enable potentially irresponsible offensive-cyber proliferation. This is one of two papers. A second paper, authored by the researchers and published by Chatham House in October 2024, draws on the findings in this paper and identifies a range of ‘principles’ that could be used to build a code of conduct to counter irresponsible offensive-cyber proliferation.
London: Royal United Services Institute for Defence and Security Studies (RUSI) and The Royal Institute of International Affairs (Chatham House), 2024. 39 pp.