The UK has joined more than 35 other nations in an effort to target 'hackers for hire'.
At a conference yesterday (February 6), countries led by the UK, France, and the US joined companies including Google, Apple, BAE Systems, and Microsoft to sign a declaration dubbed the ‘Pall Mall Process’.
The aim is to establish guiding principles and policy options for states, industry, and civil society around the development and use of commercially-available cyber intrusion capabilities.
"As the threat from malicious use of cyber tools grows, working with like-minded partners is essential to tackle an issue which does not respect borders," said deputy prime minister Oliver Dowden.
"I am proud that the UK is building on its existing capabilities and taking action as a world leader on cyber threats and innovation."
According to the National Cyber Security Centre (NCSC), the commercial cyber intrusion sector is doubling every ten years, with thousands of individuals targeted globally by spyware each year.
And there's also the problem of hackers-for-hire carrying out corporate espionage, or of services and tools being accessed by hostile states and individuals who threaten UK national security.
"The proliferation of commercially available cyber intrusion tools is an enduring issue, with demand for capability to conduct malicious cyber operations growing all the time," said NCSC director of operations Paul Chichester.
"It’s powerful to see such a broad community come together to discuss how we can make the commercial intrusion sector work better for security and society."
The declaration states that spyware tools can be used for legitimate purposes, but states that they shouldn't be developed or used in ways that threaten the stability of cyberspace or human rights and fundamental freedoms. Nor should they conflict with international law, including humanitarian and human rights laws.
Nor should they be used without appropriate safeguards and oversight in place, with the signatories to the deal agreeing to explore the parameters of legitimate and responsible use by states, civil society, cyber security teams, and commercial firms.
Provide a secure way to access business-critical application
DOWNLOAD NOW
The declaration has four basic pillars: accountability, precision, oversight and transparency.
All activity should be carried out in a legal and responsible manner, in line with the framework for responsible state behaviour in cyberspace and existing international law, along with domestic frameworks. Where states or non-state actors fail to comply, action should be taken.
The development and use of cyber tools should be conducted with precision, to make sure that they avoid or mitigate unintended, illegal, or irresponsible consequences.
Assessment and due diligence mechanisms - by both users and vendors, including states - should be in place to make sure that activity is carried out legally and responsibly.
Similarly, business interactions should be conducted in such a way as to ensure that industry and users understand and have confidence in their supply chains.
"We need a thriving global cyber security sector to maintain the integrity of our digital society, and by working together to improve oversight and transparency in how this capability is being developed, sold and used, we can reduce the impact of the threat to us all," Chichester said.
There'll be a follow-up conference in France next year to take stock of the progress made and have further discussions.
