Markets for commercial cyber intrusion capabilities are large and diverse, with different approaches required for different areas and problems. But existing interventions are unlikely to encourage substantive change across the whole landscape.
The overview of interventions given in the previous chapter shows how civil society, industry and state actors have proposed a wide range of policy interventions in recent years. This is a good start: markets for commercial cyber intrusion capabilities are large and diverse, with different approaches required for different areas and problems within this space. However, the interventions that exist so far are unlikely to encourage substantive change across the whole landscape. To achieve such substantive change, this paper recommends a set of principles for state approaches to all markets for commercial cyber intrusion capabilities. It does so for two reasons:
First, more concrete actions, such as sanctions or export controls, are likely to be attractive only to those states with the power to affect global markets unilaterally, such as the US, or to those with already high capacity and favourable contexts for regulation, such as the EU. Even then, the sheer range of actions summarized in Chapter 3 risks incoherence and inconsistency within this relatively like-minded group. In this context, a set of principles can help to link the interventions described into a coherent package that can achieve consensus from multiple perspectives, from narrow national security objectives to broader concerns regarding human rights or the security of the internet architecture.
Second, many high-profile states accused of misusing commercial cyber intrusion capabilities are not party to the policies and commitments described, and in some cases are the direct target of the actions listed in the previous chapter – for example, to prevent a geopolitical competitor from gaining access to commercial cyber intrusion capabilities. There is a real possibility of a schism between two markets: a highly regulated, predominantly Western market with potentially lower profit margins, characterized by established internal trust and transparency mechanisms between allies; and a broader global market with higher profit margins and far less – or no – regulation. A set of principles can help to identify areas of common interest between these two sets of states, where there are opportunities for high-level agreement on aims even if certain countries disagree on specific ways to achieve those aims, or on the interpretation and treatment of specific cases.
There are, nonetheless, limits to the scope of change envisioned by the principles. Influential observers, such as UN special rapporteurs, have called for a moratorium or ban on some kinds of commercial cyber intrusion capabilities altogether – especially spyware – due to their ‘life-threatening’ impact on privacy, individual security and human rights. However, such a proposal may not be achievable: the demand for commercial cyber intrusion capabilities, primarily from states looking to expand their cyber military or intelligence capabilities, is probably too powerful. This paper assumes that states and other actors will continue to acquire and use commercial cyber intrusion capabilities in the short and medium term.
Conversely, potential changes in the technological environment could limit the relevance of commercial cyber intrusion capabilities. Software development could become significantly more secure, with prevalent vulnerability classes removed, or the current trend towards device compromise could be supplanted by system- or network-wide capabilities. This would be a reversal of the current trend, in which the proliferation of cyber intrusion capabilities is in part a response to greater adoption of encryption after major scandals relating to global intelligence collection, such as the Snowden revelations. Nonetheless, the paper assumes that, in the short and medium term, market incentives for insecure software will continue to generate the supply of, as well as the demand for, commercial cyber intrusion capabilities.