Principles for state approaches to commercial cyber intrusion capabilities

Navigating the policy challenges of cyber intrusion markets
Research paper
Updated 5 November 2024
ISBN: 978 1 78413 627 7
DOI: 10.55317/9781784136277

Dr James Shires

Former Senior Research Fellow, International Security Programme

The rapid growth of markets in which cyber intrusion capabilities can be bought and sold as products and services by states, companies and criminals raises thorny policy challenges that are not adequately addressed by existing concepts of legitimate and illegitimate use. This paper explores these challenges, and puts forward a set of principles to help governments and wider society navigate commercial markets for cyber intrusion.

Important policy interventions have been made over the past decade to counter the misuse of commercial cyber intrusion capabilities. These focus variously on governments, companies and individuals, but have been initiated by a relatively narrow group of like-minded actors. The principles recommended in this paper, underpinned by a fresh distinction between ‘permissioned’ and ‘unpermissioned’ intrusion, are intended to promote greater coherence and consistency of approaches, and to widen the scope for consensus.

A companion paper, published by RUSI in October 2024, examines how state ‘permissive’ behaviours can contribute to the proliferation of offensive-cyber tools and services.