This chapter summarizes policy interventions over the past decade to counter the misuse of commercial cyber intrusion capabilities. These focus variously on governments, companies and individuals, but have been initiated by a relatively narrow group of actors.
The best-known state-based attempt to regulate the market for commercial cyber intrusion capabilities operates through the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, which in 2013 added systems, software and technology specially designed for the generation, command and control, or delivery of ‘intrusion software’ to its list of dual-use items that participating states should subject to export controls. Note that ‘intrusion software’ is itself only a defined term in the control list: the controls attach to the tooling and development technology around it, not to the intrusion software as such.
The inclusion of intrusion software in the Wassenaar Arrangement has met significant obstacles and resistance, both among its participating states and at the level of national implementation. Much of this resistance stems from the potential for the controls to unintentionally stifle legitimate security research, for example by capturing the cross-border sharing of proof-of-concept exploits and vulnerability information between researchers; this deepened suspicion of export regulation in general among cybersecurity communities.
The US offers the clearest example of this tension, reflecting both the extensive reach of its domestic export controls and the lobbying strength of its technology and cybersecurity industries. The US Bureau of Industry and Security (BIS), in the Department of Commerce, approached implementation of the Wassenaar Arrangement’s initial intrusion-software entries through a proposed export-control rule published in 2015. After extensive criticism from the cybersecurity industry, the US not only withdrew this rule but renegotiated the language of the Wassenaar Arrangement itself with the other participating states in 2017, adding exemptions for vulnerability disclosure and cyber incident response. Only in 2021 did the US finally adopt Wassenaar-aligned export controls for intrusion software.
Elsewhere, the EU’s recast Dual-Use Regulation (Regulation (EU) 2021/821) treats intrusion software export controls as one element in a broader category of ‘cyber-surveillance items’. Importantly, this regulation includes a ‘catch-all’ clause (Article 5(1)–(2)) allowing for the control of items beyond those listed, where EU states or exporters believe those items are intended for use ‘in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law’.
In addition to Wassenaar, over the last two years there have been many new initiatives to counter the misuse of commercial cyber intrusion capabilities, including:
- The EU Parliament’s PEGA Committee, formed in 2022 to investigate the use of the Israeli NSO Group’s Pegasus spyware by EU states and other countries in contravention of EU law, especially human rights law. The PEGA committee published its findings in 2023.
- US unilateral measures against companies and individuals involved in commercial cyber intrusion markets. These measures began in 2021 with the imposition of export controls on US technologies, products and services to NSO Group and three other companies (via the Commerce Department’s Entity List), and continued in 2023 with an executive order prohibiting US government operational use of certain kinds of commercial spyware. The most recent action by the US at the time of writing was financial sanctions on the spyware consortium Intellexa in 2024. Also in 2024, the US introduced a new policy allowing visa restrictions on individuals involved in spyware misuse. Several further bills have been proposed in Congress.
- A joint statement on spyware adopted by 11 states at the US-hosted Summit for Democracy in 2023, committing to various measures to restrict the commercial market for cyber intrusion capabilities. These measures include strengthening domestic human rights protections, more rigorous export controls, information-sharing and international coalition-building. The statement was updated at the 2024 summit, after six more states joined the commitment, and again in September 2024, on the margins of the UN General Assembly, when four further states endorsed it.
- An Export Controls and Human Rights Initiative (ECHRI) code of conduct, released at the 2023 Summit for Democracy by the US and 24 other states. The code of conduct, originally proposed at the inaugural summit in 2021, lists voluntary actions to apply export controls to prevent the misuse of ‘surveillance tools’, whether or not states participate in other export-control groups like the Wassenaar Arrangement.
- A ‘blueprint’ on ‘taming the cyber mercenary market’, released in 2023 by the Paris Peace Forum as part of its work under the Paris Call for Trust and Security in Cyberspace. The blueprint is the product of a long-standing working group within the Forum on cyber mercenaries, and includes both a restatement of the reasons for intervention and several specific suggestions for action.
- Industry principles to curb cyber mercenaries, put forward by the Cybersecurity Tech Accord (CTA) in 2023. These principles overlap in several areas with those set out in this paper, suggesting that the range of realistic interventions is fairly narrow. The crucial difference is that the CTA principles are focused solely on industry action, since the CTA is an agreement between companies rather than governments.
- The Pall Mall Process, a multi-stakeholder initiative launched by the UK and French governments in 2024, including a declaration with four pillars of accountability, precision, oversight and transparency.
These initiatives range from high-level, abstract goals to very concrete steps against specific individuals or companies. The specific actions taken are summarized in Table 1. This table is not intended to be a complete list of all interventions, but a smaller selection based on their profile in public discourse and their specificity. The information given in the table summarizes highly complex policies in ways that necessarily omit some important details, so the original sources should be consulted for the full text of each intervention. Table 1 also points to a clear geographic bias. The most international intervention is the Wassenaar Arrangement, established in the mid-1990s as the successor to the Cold War-era Coordinating Committee for Multilateral Export Controls (COCOM); it currently has 42 participating states. More recent interventions come predominantly from the US, Europe or their close allies. The Pall Mall Process has a deliberately wider scope, incorporating many countries outside the Wassenaar Arrangement, including in the Global South.