State Permissive Behaviours and Commercial Offensive-Cyber Proliferation


This paper seeks to identify how state ‘permissive’ behaviours can contribute to the proliferation of offensive-cyber tools and services.

Commercial cyber tools and services have many legitimate applications, from corporate penetration testing (an authorised simulated cyber attack on an IT system) to law enforcement and national security operations. But they are also subject to misuse and abuse, when they are used in ways that are contrary to national or international law, violate the human rights of their targets, or pose risks to international security. Some states are currently grappling with this policy challenge. Meanwhile, collective international initiatives for action are underway.

For example, there is the US’s 2023 Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware and the UK- and France-led Pall Mall Process of 2024. Ultimately, one aim of these initiatives is to enable states to harmonise their policy interventions where possible.

To inform principles and policies for intervention at national and international levels, it is necessary to understand the dynamics that encourage or facilitate offensive-cyber proliferation. This paper identifies a range of ‘non-state proliferating factors’ (NPFs) and ‘state permissive behaviours’ (SPBs), and its findings draw on desk-based research on the international commercial offensive-cyber market. These findings were supplemented by a data validation and consultative workshop with industry stakeholders held in person at Chatham House in March 2024. This half-day validation workshop drew on the expertise and insights of 44 participants predominantly based in the UK, the US and Western Europe. To facilitate candid discussion, remarks made at the workshop are not attributable, and the identities of participants are not referenced here.

In this paper, NPFs and SPBs are categorised into five areas:

  1. Regulation of corporate structure and governance.
  2. Legal frameworks for product development, sale and transfer.
  3. Diplomatic support and engagement.
  4. Development of cyber-security ecosystem and workforce.
  5. Integration with defence and security industrial base.

Using these categories, this research analyses the roles of both state and non-state actors. It identifies critical inter-relationships between different SPBs and NPFs that serve to facilitate or enable potentially irresponsible offensive-cyber proliferation.

This is one of two papers. A second paper, authored by the researchers and published by Chatham House in October 2024, draws on the findings in this paper and identifies a range of ‘principles’ that could be used to build a code of conduct to counter irresponsible offensive-cyber proliferation.


Written by

Dr Gareth Mott, Research Fellow, Cyber
James Shires, Co-Director of both the European Cyber Conflict Research Incubator (ECCRI CIC) and the European Cyber Conflict Research Initiative (ECCRI)
Jen Ellis, Associate Fellow, Founder of NextJenSecurity
James Sullivan, Director, Cyber Research, Cyber
Jamie MacColl, Research Fellow, Cyber