Paris, Pall Mall and a Code of Practice for Cyber Capabilities

The road to Paris: French and UK governments have launched the Pall Mall Process to discuss commercial cyber-intrusion capabilities. Image: Adobe Firefly.
The proliferation of commercial cyber-intrusion has elevated concerns among states and non-governmental entities alike, and a second meeting of stakeholders is due to discuss the issue in early April in Paris, as a part of the Pall Mall Process.

In February 2024, governments, civil society organisations, academic institutions and private sector companies gathered at Lancaster House for the launch of the Pall Mall Process (PMP) – an initiative convened by the United Kingdom and France to discuss the proliferation and irresponsible use of commercial cyber intrusion capabilities (CCIC).

The concern: private companies have been developing cyber tools and services that have helped governments break into systems and networks. Despite legitimate applications such as penetration testing services (testing security by trying to break into a system) or law enforcement investigations, many countries have used tools such as the NSO Group’s Pegasus spyware to violate human rights.

To curb an unrestricted proliferation of CCICs, the PMP meeting focussed on bringing governments and companies together for a dialogue. The meeting resulted in a multi-stakeholder declaration outlining four principles to inform future discussion: accountability, precision, oversight, and transparency – which, at the time of writing, has been signed by 26 governments, two regional organisations (African Union and the Gulf Cooperation Council) and other non-governmental representatives.

States and non-governmental entities will be heading to Paris for the second meeting of the Pall Mall Process in early April. The question that remains is: one year on, what has been achieved and what can be expected of the process?

Following the launch of the PMP in February 2024, RUSI gathered non-governmental participants to reflect on the challenges at an informal workshop. This was followed by a commentary authored by some of the participants. As we approach the April summit, we bring these experts – who have continued to participate closely in the PMP intersessional work – together to assess the effectiveness of, and expectations for, the process.

The centrepiece of April’s deliberations is the negotiation of a Code of Practice that will guide states in a collective effort to mitigate the potential misuse and unchecked proliferation of CCICs. The proposal of a code is inspired by the Montreux Document and the resulting International Code of Conduct for Private Security Service Providers. The former is a non-binding intergovernmental document intended to promote respect for international humanitarian law and human rights law, especially when Private Military and Security Companies (PMSCs) are present in armed conflicts. The latter is a code that binds member companies.

A draft version of the Code of Practice has been shared with vested state and non-state stakeholders and revised on the basis of feedback during the intersessional period. The draft Code of Practice draws on the results of consultation on ‘best practices’.

We must remember that this is, first and foremost, a diplomatic process, and success is primarily measured in those terms. Bringing countries beyond the ‘usual suspects’ to the table – including some that have consistently been at the centre of Pegasus-use scandals – was a political win. Non-governmental stakeholders move at a different pace and have a different vision of success, which needs to be managed equally to ensure that progress results in a compromise. The process might have delivered a political win at the end of the first year, but what comes next, and how will a diplomatic process balance different expectations while still keeping the door open for ‘others’ – mostly governments – to join?

Despite the ‘bumper’ election year of 2024 – which drained many governments’ attention – the road since Lancaster House has seen growing international recognition of commitments to the non-proliferation of CCICs. Of particular note are the Joint Statement on countering the proliferation of commercial spyware from 23 governments during the 3rd Summit for Democracy, and the UN Open-Ended Working Group on cybersecurity, where all UN member states recognised that CCICs can threaten international peace and security. The summit also does not occur in a vacuum, but instead builds on intergovernmental dialogue on CCICs.

As PMP stakeholders approach Paris, many questions remain regarding how the process will fare against the backdrop of a turbulent start to 2025. It is still unclear how big players such as the US will engage in the dialogue; however, this does not preclude – and could be an opportunity for – the PMP to concentrate on speaking to developing and smaller countries.

Mixed Results Equals Compromise?

Pablo Rice

A year ago, the Paris Peace Forum called for defining a clear roadmap toward the second Pall Mall conference in 2025. This framework was structured around three pillars spanning different layers of governance: precision, oversight, and accountability.

However, the progress made under each pillar remains somewhat unclear, as do the criteria for assessing success. The most tangible deliverable to date has been a report stemming from a multi-stakeholder consultation on best practices to curb the proliferation and irresponsible use of cyber intrusion capabilities. With input from a cohort of 73 respondents – roughly evenly distributed among the public sector, industry, and civil society – the report serves as a valuable resource for future negotiations. It also represented a low-hanging fruit, sustaining momentum throughout 2024 at minimal cost and within a tight timeline, further complicated by electoral deadlines on both sides of the Channel.

The intermediate Pall Mall meeting, held during the 7th edition of the Paris Peace Forum in November, provided an opportunity to present and discuss the report on stakeholders’ best practices. More significantly, however, it underscored that the most challenging work remains in structuring the initiative.

Key stakeholders emphasized the need to urgently ground the Pall Mall Process in agreed working definitions to delineate the phenomenon it seeks to address. The meeting also revealed that civil society had largely exhausted what it could contribute in the absence of substantive material to build upon. Neither a mere collection of existing efforts nor a work focused on interpreting applicable international law would suffice to circumvent these challenges.

The Pall Mall conference in Paris will therefore be decisive. Failing to make progress risks turning the upcoming gathering into a testament of collective fatigue.

Enlarging the Tent During a Time of Uncertainty

Kat Sommer

We must acknowledge how much the world has changed since the Pall Mall Process began at Lancaster House 12 months ago. As we approach the next Pall Mall Process Conference in Paris, we face two major challenges. The first challenge is reaching the ‘unengaged’ minority of the CCIC ecosystem. The second challenge is maintaining momentum at a time of shifting geopolitics.

The Pall Mall Process consultation summary report was a welcome milestone. It highlighted good practices like well-structured vulnerability disclosure policies and due diligence procedures, while emphasising the importance of safeguarding the legitimate use of commercial cyber intrusion capabilities (CCICs). This issue is crucial for those who believe in legal protections for the cybersecurity community, which plays a vital role in global cyber defence and resilience efforts.

The summary report also identified key areas of contention to focus efforts on:

  • The role of governments in shaping responsible markets.
  • The need to clearly define responsible activities.
  • The importance of predictability amid new and emerging technologies.

However, the report and preceding conversations revealed a significant challenge: how will the Pall Mall Process, which aims to include and engage the majority of the CCIC ecosystem, reach those whose behaviours and conduct need to change to make a real difference?

While the Franco-British leadership on tackling the proliferation of capabilities is commendable, the outcome of 2024’s elections has left us with a more complex and less predictable landscape. This raises several hard questions:

  • Amidst numerous domestic economic and security challenges, will governments remain committed to the international dialogue and agreement necessary for a successful Pall Mall Process?
  • As rhetoric about over-regulation and barriers to innovation grows louder, how will this impact participants' willingness to agree to a voluntary code of conduct to shape a responsible marketplace?
  • With the US Administration reducing investment in cyber diplomacy and related programmes, which country will step up to take its place?

Irrespective of these challenges, I am optimistic about what we can achieve through the Pall Mall Process. Safeguarding the legitimate use of CCICs and establishing agreed codes of conduct are goals that the engaged cyber security ecosystem is passionate about achieving.

They say that ‘nothing that matters ever comes easy’ – for our own sanity, we would do well to remember this in the coming weeks!

Mustering the Will to Change

Allison Pytlak

The Pall Mall Process is approaching an important milestone with the likely adoption of a code of practice in April. Depending on the code’s content and the breadth of endorsement, it could constitute an important new component in the growing patchwork of efforts to target a notoriously harmful offensive cyber tool.

That patchwork includes obligations under existing international law including international human rights law; a United States-led Joint Statement, national sanctioning, and industry-led efforts. It also includes the UN Framework for Responsible Cyber Behaviour. These frameworks and efforts are invoked in multiple places throughout the draft code in an effort to ensure complementarity and avoid undermining existing commitments and responsibility.

Underpinning the draft code is the principle of accountability. Yet accountability in cyber governance has often been elusive. As the Stimson Center’s research in this area demonstrates, cyber accountability needs to be understood in its positive and negative forms (incentives and consequences) and in relation to transparency and responsibility, in order to be effective. The draft code includes guidance and suggestions for both. It suggests actions to incentivize responsible behavior such as through more selective engagement with vendors in line with established frameworks like the UN Guiding Principles on Business and Human Rights or establishing baseline vendor requirements. The draft also suggests that states could look to develop a toolkit of potential measures to deter irresponsible behavior, such as policy levers that target and impose costs for irresponsible use of CCICs.

Some of this is in relation to the application of controls on the export of CCICs. Export control approaches for digital tools have long been controversial or uncertain, given the unique characteristics of the market and the tools. While it is neither practical nor possible to attempt to copy export control frameworks or methodologies used in conventional weapons export control, there are approaches and lessons which can be instructive, as other research of ours has shown.

It is commendable that the draft code has been explicit in calling for accountability and outlining specific measures for doing so. Ultimately though, the key consideration will be political will – political will to not only constrain the behaviour of others but also for capable actors – governments and private actors alike – to exercise mutual restraint in their uses of such technologies.

One Step at a Time

Jen Ellis

One year on from the launch of the Pall Mall Process declaration and we find ourselves in uncertain times. In the current political landscape, the availability and use of commercial cyber intrusion capabilities (CCICs) is arguably more important than ever. The potential for their abuse is perhaps more likely and more terrifying. Fortunately, the process continues under the ongoing leadership and commitment of the British and French governments, and with the active participation of many other governments, industry stakeholders, and civil society.

This multi-stakeholder approach is essential for pushing us forward to action and accord that is both pragmatic and meaningful. The current focus is on developing a Code of Practice for States, which we expect to see presented at the next PMP meeting in Paris in early April. The expectation is that this will be followed with a complementary code for the industry that provides CCICs. I strongly encourage entities in this industry to participate in the creation of that code to ensure it is practical and relevant to their business. And similarly, civil society and governments must continue to voice their own concerns and priorities to ensure they are adequately addressed in the industry’s code.

Despite the continued engagement on this issue, there are many questioning whether codes of practice are the right approach. I view the codes as stepping stones, a means of achieving alignment on what the models should be before we move to the much tougher task of how to enforce them. That for me is the sticking point: given we already have international humanitarian law and various UN or other international covenants, yet human rights violations abound, how will the PMP drive broader adoption or adherence? It is certainly not an easy question to answer, so I am grateful that the commitment to addressing this difficult and critical issue is still strong. I look forward to seeing what the steps will be after the codes have been finalised.

© RUSI, 2025.

The views expressed in this Commentary are the authors’, and do not represent those of RUSI or any other institution.

WRITTEN BY

Jen Ellis – Associate Fellow, Founder of NextJenSecurity

Louise Marie Hurel – Research Fellow, Cyber and Tech

Dr Gareth Mott – Research Fellow, Cyber and Tech

Allison Pytlak

Pablo Rice

Katharina Sommer