The rapid growth of markets in which cyber intrusion capabilities can be bought and sold as products and services by states, companies and criminals raises thorny policy challenges. This paper explores these challenges, and puts forward a set of principles to help governments and wider society navigate commercial markets for cyber intrusion technologies.
Cyber intrusion capabilities – the ability to access and manipulate a digital device, system or network remotely and without authorization – are becoming globally and easily available to state and many non-state actors. These capabilities are, simultaneously, a crucial means of testing and improving digital defences, a troubling new vector for fraud, ransom demands and other criminal activity, and an integral aspect of contemporary statecraft and military power. For example, cyber intrusion capabilities help law enforcement agencies to track criminals, but also help criminals obtain their victims’ data; and they help states to conduct cyber espionage while also helping organizations bolster their digital defences against such espionage.
The scale at which cyber intrusion capabilities are available is largely due to rapid growth of the markets in which such capabilities – and their component parts – can be bought and sold as products and services by states, companies and criminals. Simply put, cyber intrusion has become commercialized.
The commercialization of cyber intrusion capabilities raises thorny policy challenges. Market-driven efficiencies emerging organically from an increasing division of labour and role specialization in cybercriminal groups have greatly increased the threat of ransomware attacks, hack-and-leak operations and digital fraud for individuals, organizations and countries worldwide. At the same time, the wealth of information now contained on people’s devices, collected by companies and governments, and stored in cloud data centres, makes cyber intrusion a highly attractive vector for state intelligence collection. Many countries have turned to the commercial acquisition of cyber intrusion capabilities as an alternative to developing and maintaining them in-house (i.e. within their own military, intelligence or law enforcement bodies). But many states have used such capabilities in ways that violate international human rights law – including by targeting journalists, political opposition and civil society activists without meeting legal requirements such as necessity and proportionality – or that otherwise undermine norms of responsible state behaviour in cyberspace.
This paper puts forward principles for state approaches to commercial cyber intrusion capabilities. It is aimed primarily at government policymakers in this area, but is intended also for the use of other critical stakeholders, from civil society organizations to government practitioners, and from the cybersecurity industry to individual hackers.
The research that has informed the paper is funded by the UK Foreign, Commonwealth and Development Office, in parallel with the Pall Mall Process led by the UK and France. Importantly, however, the principles set out in the paper are offered to the debate on commercial cyber intrusion capabilities as an independent product of research conducted by the cyber policy team within the Chatham House International Security Programme. The views expressed are solely those of the author, and not of any governments or other stakeholders supporting or otherwise involved in the research. The principles are intended to contribute to existing thinking among governments and wider society about how to shape the market for commercial cyber intrusion capabilities; and through this contribution also constitute an argument for a multi-stakeholder approach to governance in this area.
Chapter 2 introduces the key distinction, which underpins the paper, between permissioned and unpermissioned uses of commercial cyber intrusion capabilities. Chapter 3 provides a summary of relevant existing interventions. Chapter 4 explains why the paper focuses on principles rather than other kinds of intervention such as regulation. Chapter 5 summarizes key themes emerging from a workshop at which stakeholders from multiple disciplines discussed an earlier draft of the principles introduced in this paper. Chapter 6 sets out the principles themselves. In conclusion, Chapter 7 offers a prognosis regarding the future development of the markets underlying permissioned and unpermissioned intrusion.