The cyber policy team at Chatham House convened a workshop at which expert stakeholders from multiple disciplines discussed responsible approaches to commercial cyber proliferation. This chapter provides a summary of the discussions, including participants’ reactions to earlier versions of the principles presented in this paper.
On 22 March 2024, the Chatham House International Security Programme’s cyber policy team hosted a workshop on understanding and investigating responsible activity in commercial cyber proliferation. The workshop brought together stakeholders from multiple disciplines, including companies developing and using cyber intrusion capabilities, multinational technology companies, civil society representatives and relevant UK government entities. The research team presented an overview of existing interventions, as well as earlier versions of the principles set out in this research paper.
This chapter provides a summary of ideas and perspectives shared during the workshop discussion, including participants’ reactions to the draft principles. Specific comments from individual participants are quoted where relevant. As the workshop was held under the Chatham House Rule, no participant or organization represented is identified.
Three main themes emerged from the workshop:
- The need for a holistic approach to governance and regulation of commercial cyber intrusion capabilities, taking into account the interconnections between markets as well as their distinct characteristics, and recognizing that different states take substantially different views of a market’s benefits and risks.
- The importance of individual moral decisions in preventing misuse, recognizing that individuals operate within commercial and political structures that limit the impact of such decisions, and that resorting to ‘ethics’ can be an excuse rather than a policy.
- The global nature of the issue, meaning that regional efforts to regulate markets are likely to be only partially effective, and that even effective policies in one region may have unintended and diametrically opposed consequences in another.
Regarding the first theme, workshop participants emphasized the restrictions on scope discussed in the previous chapter. Some argued that policymakers ‘should look at the liability of software publishers’; as one participant put it: ‘If [technology companies] had software quality, [industry] wouldn’t have these problems.’ Others highlighted what they perceived to be an inevitability about the market, summarized by one participant as: ‘There’s always going to be some level of activity – it’s not an all or nothing situation.’ In contrast, however, one participant noted that ‘penetration testing has too much weight behind it’ as a component of cybersecurity, thereby implying that many industry players overstate the importance of permissioned intrusion to cyber defence. Some participants voiced concern regarding the different incentives for engaging in market restriction. As one put it: ‘Russia and China do not care about individuals – you have to show them the impact on national security.’ The irony was also highlighted that the ‘Western’ response to market problems is to introduce more bureaucracy (technical as well as organizational), while adversaries reduce theirs.
Participants generally agreed with the project’s focus on state behaviours, with one suggesting: ‘The mission of a company is to sell things – there are rules, and the rest is the responsibility of the state.’ Another said: ‘We need to start with governments … they should be held accountable.’ However, some were sceptical regarding the potential for changing such behaviours, as well as about the robustness of any regulatory approach that was not global in scope, asking: ‘Do you not want to have a capability because you made a decision not to engage with that country? … Is there no access juicy enough that a friendly state wouldn’t bend their rules?’
Regarding the second theme, participants engaged in lengthy discussion about the relevance of and potential for individual ethics. Some argued that ‘self-governance’ is already prevalent, while others were more sceptical. Participants also challenged the distinction between permissioned and unpermissioned intrusion along ethical lines, instinctively categorizing responsible state cyber operations as fundamentally different to state abuse of commercial cyber intrusion capabilities. As one participant put it: ‘You’re either breaking the law or you’re not.’
During the workshop, the research team clarified that ‘unpermissioned’ is not a synonym for ‘illegal’ or ‘undesirable’: rather, unpermissioned intrusion should trigger additional safeguards and thresholds. Despite the inevitable crudeness of any binary distinction in this complex area, this paper introduces the distinction between permissioned and unpermissioned intrusion to prevent exactly this line of thought – i.e. that ‘responsible’ cyber operations are not a key part of the overall problem set. Instead, the paper sees all unpermissioned activity as requiring greater regulatory and industry scrutiny.
The third general theme highlighted by the workshop discussion concerned the scale of the market globally, in terms of companies and individuals. Some participants expressed the view that the number of people at the centre of supply chains for high-end commercial cyber intrusion capabilities is relatively small – in the hundreds, not thousands. They therefore considered that interventions should – like the US visa restrictions noted above – seek to change the incentive structure for this small pool. Other participants, however, highlighted the potential for the existing pool to grow, commenting that the ‘talent pool is truly global’, and ‘a lower-tier hacker is three months of study away from being a higher-tier hacker’. Consequently, participants identified that there is ‘some risk of governments overcompensating in controlling the market, pushing [individuals] to other states who are willing to pay’.
The workshop provided an important testing ground for the approach taken by the research project, with welcome challenges and creative ideas to further refine the work on this paper. Many of the ideas and themes discussed at the workshop are incorporated in the principles put forward in the next chapter.