On September 18th, the US imposed sanctions on individuals and an entity associated with the Intellexa Consortium for their role in developing, operating and distributing commercial spyware. These sanctions followed the March 5th action designating five entities associated with the Intellexa Consortium. These measures are part of an emerging diplomatic, regulatory and standards framework that aims to establish rules of the road for the development and permissible use of cyber intrusion tools. While the process is at an early stage, the goal is a comprehensive, global strategy that addresses the dynamic nature of cyber threats, and businesses have much to learn from these first steps.
Cybercrime and spyware are top risks to individuals, businesses, NGOs and governments. The FBI received 2,825 ransomware complaints in 2023 that resulted in $59.6 million in financial losses. According to Chainalysis, global ransomware payments in 2023 surpassed the $1 billion mark, the highest figure ever observed. Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year, reaching $10.5 trillion USD annually by 2025. Estimating the losses from spyware is more difficult, because its targets extend well beyond businesses: it is used to steal intellectual property, to collect personal information and to surveil the movements and activities of business leaders, journalists, human rights activists, dissidents and government officials. According to UK cyber agency GCHQ, more than 80 countries have purchased spyware over the past decade.
Outlawing hacking toolkits and spyware outright might seem a step in the right direction, but such a blunt instrument would ignore the fact that these technologies have legitimate uses: governments rely on them for national security, and businesses use the same classes of tools for penetration testing and other defensive cybersecurity practices. A far more nuanced approach is required to win the support of diverse stakeholders if there is any hope of creating international guardrails and norms of use that governments adopt and enforce within their jurisdictions.
US Focus on Government Action to Limit Misuse of Spyware
The US government is setting a standard of behavior to constrain the use of commercial spyware by restricting the US government's own procurement and use of spyware tools that pose risks to national security, the rule of law and human rights. In March 2023, the Biden administration issued Executive Order 14093, which sets out these prohibitions and establishes protections against the misuse of commercial surveillance tools. The US has also led a diplomatic effort through initiatives such as the Summit for Democracy, including the Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware. The current signatories (Australia, Canada, Costa Rica, Denmark, France, Finland, Germany, Japan, New Zealand, Norway, Poland, Ireland, the Republic of Korea, Sweden, Switzerland, the United Kingdom and the US) recognize the threat posed by the misuse of commercial spyware and the need for strict domestic and international controls on the proliferation and use of such technology. The signatories commit to establishing domestic guardrails, to preventing the export of software, technology and equipment to end-users who are likely to use them for malicious cyber activity, to robust information sharing, and to engaging additional partner governments to better align policies and export controls.
The US approach is to limit demand and to impose export restrictions and sanctions on suppliers that sell to governments misusing the technology. Intellexa Consortium is a marketing label for a group of offensive cyber companies that offer tools enabling both targeted and mass surveillance campaigns. According to the US government, the tools are packaged under the brand name Predator and can infiltrate a range of electronic devices through zero-click attacks, which require no user action for the spyware to infect the device. Once installed, the spyware can extract data, track the device's geolocation and access a variety of applications and personal information on the compromised device. The sanctioned Intellexa Consortium entities and individuals are based in the British Virgin Islands, Cyprus, Greece, Hungary, Ireland and North Macedonia. The US previously added the Israel-based NSO Group, which sold Pegasus spyware, to the Commerce Department's Entity List, restricting exports to it.
Pall Mall Declaration Focus on Creating a Normative Framework
Launched in February 2024 by the United Kingdom and France, the Pall Mall Declaration is a separate initiative focused on proliferation and irresponsible uses of commercial cyber intrusion capabilities. This is a big tent initiative, seeking to establish guiding principles and highlight policy options for governments, industry and civil society in relation to the development, facilitation, purchase, and use of commercially available cyber intrusion capabilities. This process builds on the whole of society approach to cyberspace and acknowledges the importance of public-private partnership and multi-stakeholder collaboration in the pursuit of a more secure cyberspace.
The process seeks to set standards and norms by defining what constitutes legitimate use and, by extension, what constitutes misuse; a system of (voluntary) accountability; due diligence mechanisms for users and vendors; and a standard for transparency. The Pall Mall Declaration is not limited to commercial spyware but extends to the wider ecosystem, including hacking-for-hire, hacking as a service, and the trade in vulnerabilities and zero-day exploits. The process is also working on precision of language, defining the emerging lexicon that will be necessary to align legal and regulatory frameworks across jurisdictions.
The declaration was signed by 27 states, multinational companies and civil society groups and the parties have agreed to meet again in Paris in 2025.
Moving Forward
Building consensus among stakeholders is a necessary but difficult process. Notably, some of the signatory countries for the Pall Mall Declaration serve as the base of commercial spyware companies sanctioned by the US. Other commercial spyware companies are located in European countries, normally considered political and economic allies among Western governments, but are not signatories of either international initiative. Then, there are countries such as Russia, China, Iran and North Korea, whose governments actively support the development and deployment of spyware tools, and are engaged in activities that would be considered misuse under both initiatives.
Private sector businesses face growing risks from malign cyber activity and are important stakeholders in defining norms and standards. Technology companies in particular will be expected to lead on developing specific accountability and transparency measures, and may wish to engage with regulatory and legislative bodies to communicate their interests and concerns.