This chapter presents eight principles for state approaches to commercial cyber intrusion capabilities, and draws further on observations offered by participants at the expert stakeholder workshop.
The principles for state approaches to commercial cyber intrusion capabilities are set out in five thematic sections (A–E). The principles themselves are interlinked, with each principle being logically necessary to establish the later principles. In line with the high-level approach of this paper, the discussion in this chapter provides only examples of specific actions that might fall under these principles, rather than detailing the implementation of each principle. In addition, there are many cases that pose conceptual or practical challenges to certain principles. Such cases are discussed where relevant in this chapter – often drawing further on comments from participants at the workshop summarized in Chapter 5 – especially because they help to sharpen the overall purpose of the principles and to clarify conceptual boundaries. Due to the complexity of such cases, their interpretation given here is not definitive; others may take different views.
A. Increasing internal coherence
Principle 1: States should align their approaches across markets for commercial cyber intrusion capabilities, including as customers and users, investors, detectors and defenders, and regulators.
Different state entities are likely to be responsible for these various roles. Importantly, however, states should work to prevent contradictions between their policies and actions in all of these areas: for example, they should take clear steps to avoid investment by one state body in a commercial cyber intrusion company that is subject to investigation or sanction by another entity of the same state. In some cases, there may be good reasons to maintain adversarial relationships between state entities – for instance, where a law enforcement agency seeks to use commercial cyber intrusion capabilities for legitimate criminal investigations, while a national cybersecurity centre seeks to detect and neutralize such capabilities. In such cases, states should ensure that there is an independent oversight mechanism to reconcile these different purposes.
One example of alignment is a vulnerabilities equities process (VEP), which governs state decisions to retain vulnerabilities for exploitation (unpermissioned use) or release them for patching. However, as participants in the workshop summarized in Chapter 5 emphasized, VEPs are not a straight choice between permissioned and unpermissioned uses. While the main purpose of release is patching, release will also lead to permissioned uses (as penetration testing companies incorporate that vulnerability into their services), as well as unpermissioned uses by actors other than the state involved (including cybercriminals as well as other states). In the case of the UK, therefore, its assertion that the ‘starting position [of a VEP] is always that disclosing a vulnerability will be in the national interest’ encapsulates a wide range of risks in an effort to align several – sometimes competing – state interests.
One example of alignment is a vulnerabilities equities process (VEP), which governs state decisions to retain vulnerabilities for exploitation (unpermissioned use) or release them for patching.
While the example of VEPs focuses on tactical alignment by addressing individual vulnerabilities on a case-by-case basis, states can also align different roles at the strategic level (for example, in state cybersecurity, data protection and computer misuse legislation). An example of misalignment at this level would be computer misuse legislation that criminalizes or fails to provide sufficient exemptions for ‘good faith’ cybersecurity research, while state cybersecurity strategies or data protection legislation recommend and support such research. Another example is when different state agencies independently procure identical capabilities from the same vendor, potentially increasing prices and resulting in inconsistent contractual obligations regarding use thresholds and abuse procedures.
Misalignment can be either unintentional or deliberate, resulting from divergent goals within different state bodies. In the former case, increasing internal coherence is a relatively straightforward matter of improving information flows and understanding of other positions. In the case of deliberate misalignment, increasing coherence requires far more substantial policy choices and political negotiation.
B. Supporting permissioned intrusion
Principle 2: States should separate markets for permissioned cyber intrusion from markets for unpermissioned cyber intrusion as far as possible: administratively, legally and technologically.
One source of complexity in the ecosystem for commercial cyber intrusion capabilities is an extensive overlap between markets for permissioned and unpermissioned intrusion. This overlap exists at the vulnerability discovery stage, where vulnerability researchers can sell a vulnerability to actors for permissioned or unpermissioned intrusion, or to actors where the researcher does not know what it will be used for. Indeed, economic incentives and market opacity encourage researchers to sell single vulnerabilities multiple times, often for different uses.
This overlap narrows as vulnerabilities are developed into sophisticated intrusion services. Workshop participants suggested that the resource investment needed to provide a proof-of-concept exploit for a bug bounty is much lower than that required to integrate that exploit into malware. As one participant put it: ‘No-one sells a proof of concept to a law enforcement agency.’ Similarly, no penetration testing service needs to use (or pay for) a whole spyware architecture, although it might make use of the same vulnerabilities. For less sophisticated and bespoke tools, however, the technological overlap is almost complete. A malware framework used for penetration testing could be exactly the same as one used for unpermissioned intrusion. And, of course, permissioned and unpermissioned intrusion also rely heavily on the same open-source tools.
Workshop participants emphasized these overlaps, with one noting: ‘You can’t separate [the two markets] at point of sale; it has to be at point of use.’ Others were even sceptical of any useful distinction at point of use. As one put it: ‘Would the customer really tell you what they would use it [i.e. the exploit] for?’ Despite these technological overlaps and challenges regarding user trust, participants recognized the possibility for a ‘legal and policy framework to help separate the market’, as ‘imposing separation between different activities isn’t new’ from an organizational perspective – as in banking or auditing, for instance. A further example from the financial services sector is the separation in banking activities between investment and customer banking: after the 2008 financial crash, banks in some countries were forced to administratively separate activities that had previously been tightly connected.
Other workshop participants pointed to successful examples of technological use conditions, such as watermarking certain exploits to trace particular end users, thereby ‘incentivizing the end user to be more responsible’ and ‘removing that blanket of deniability’. In one case discussed by participants, a watermark was applied to an exploit sold to a law enforcement agency, helping the seller identify that exploit if it was later transferred to other actors. However, the length of supply chains for cyber intrusion capabilities was a repeated concern, with resellers, distributors, brokers and system integrators all acting as intermediaries who would each need to verify from their customer the intended use of a particular tool.
Given such overlaps, states should look to create administrative and legal separation between government entities that are engaged in permissioned and unpermissioned cyber intrusion. Where the same government entity conducts both, states should introduce administrative separation within that entity, and also look to enforce a similar administrative separation for their commercial providers. For example, the same separation should be required of a defence contractor that develops tools for unpermissioned intrusion and also offers a commercial penetration testing service.
Separation should also apply to government entities that operate within the supply chain for cyber intrusion capabilities, such as vulnerability research. At one end of the spectrum, the UK government took extensive steps to ensure that its Huawei Cyber Security Evaluation Centre (HCSEC) would not be perceived as identifying vulnerabilities for exploitation rather than for security, demonstrating extensive separation. At the other, some reports have suggested that China’s new vulnerability disclosure law and independent hacker ecosystem offer opportunities for state unpermissioned intrusion, indicating very low levels of separation. Leaked data from Chinese cybersecurity company Isoon in February 2024 suggest that this company developed an ‘automated penetration testing platform’ to conduct unpermissioned intrusion for Chinese intelligence agencies, as well as pointing to discussions about the Chinese government obtaining zero-days (i.e. vulnerabilities unknown to the manufacturer and therefore without an available patch) from a public hacking competition.
From a more commercial perspective, the public-facing presentation of zero-day research brokers deliberately blurs the lines between cybersecurity research (permissioned) and government use of zero-day exploits (unpermissioned). While such organizations argue that this blurring is, as one puts it, ‘the only way to support the zero-day research community’, this is not a natural or inevitable outcome; rather, it is the outcome of market incentives shaped by states as users, buyers and regulators. State actions, then, can shift market incentives to make the separation recommended here commercially viable for companies on both sides.
States should also ensure that companies offering tools for permissioned cyber intrusion make best efforts – including via customer relations, due diligence and access control – to prevent use of these same tools for unpermissioned intrusion. Workshop participants offered some creative ideas in this regard, such as deciding on likelihood of permissioned or unpermissioned intrusion based on the type of contract in question. It was suggested that if a contract’s terms included payment or licence per successful intrusion, it was far more likely to be for unpermissioned use than permissioned. If such contractual or other bureaucratic characteristics could be reliably and efficiently assessed by states, they could be used to determine whether a particular sale should be governed by separate regulatory regimes for permissioned and unpermissioned uses.
Importantly, this principle is not intended as an immediate clean break between markets for permissioned and unpermissioned cyber intrusion. It is recognized that the current level of entanglement means a wholly clean break is likely to be impractical for most if not all states. Instead, as the examples above suggest, there are multiple steps states could take to move further away from highly overlapping markets (the current situation) to much lower levels of overlap, or at least to halt the movement towards less separation exemplified by China’s vulnerability disclosure law and opaque zero-day brokers.
States should ensure that companies offering tools for permissioned cyber intrusion make best efforts – including via customer relations, due diligence and access control – to prevent use of these same tools for unpermissioned intrusion.
As indicated at the start of this chapter, this principle is dependent on the first – i.e. achieving, as far as possible, internal coherence. Separating the administrative and regulatory architecture around markets oriented towards permissioned and unpermissioned intrusion is only helpful if a state can coordinate effectively
between them.
Principle 3: States should stimulate markets for permissioned use of commercial cyber intrusion capabilities.
Given that Principle 2 provides for increasing separation between markets for permissioned and unpermissioned cyber intrusion capabilities, this principle envisages that states should stimulate the former. Principle 3 also presumes some level of consistency in oversight and coherence across state capacities, as put forward in Principle 1.
Importantly, because different state entities are primary actors within markets for permissioned and unpermissioned cyber intrusion capabilities, stimulating one market does not necessarily imply prioritization of that market over the other. As already stated, the goal is not to remove the market for unpermissioned intrusion entirely; rather, the aim is to place it in a different regulatory environment from the wider market for permissioned intrusion.
That said, the discussion by workshop participants, summarized in Chapter 5, on the so-far limited size of the talent pool suggests that combining stimulation and separation (Principles 2 and 3) could – and should – lead individuals to move from unpermissioned markets towards permissioned ones. This could be encouraged by increasing incentives (financial, motivational and community) for vulnerability researchers and companies to sell for permissioned uses. If separation would create financial pressures on individuals and companies operating across both markets, then stimulation is intended to alleviate those pressures. As such, both principles are intended to work in tandem.
Some workshop participants questioned the feasibility of the combined principles of separation and stimulation by giving examples of companies that only sell to Five Eyes states (Australia, Canada, New Zealand, the UK and the US) – ‘so they can sleep at night’, as one put it – while also highlighting the financial incentives against such restrictions, mainly ‘the buying power of countries outside the Five Eyes that make it difficult to resist’. However, it is not clear that such companies already participate extensively in markets for permissioned intrusion, and so the principles of separation and stimulation do not significantly change their incentive structure. As stated above, this principle does not prevent states from investing in markets for unpermissioned intrusion (whether individually or within security alliances), but instead suggests they should – at least equally – stimulate markets for permissioned intrusion.
States can use multiple levers to stimulate markets for permissioned intrusion. At the broadest level, states could build capacity from the ground up through educational initiatives to explain the significance of permissioned intrusion, and differences from unpermissioned intrusion. This education could be made available to school or university students as well as via relevant professional courses. Accredited state schemes for permissioned intrusion can also stimulate and regulate these markets.
More directly, states could use government procurement processes to support permissioned intrusion, enhancing separation by favouring contractors with strict organizational and technological constraints on preventing unpermissioned use. Equally effective levers could be found at the individual level, such as recognition or certification programmes for cybersecurity professionals and companies engaged in permissioned intrusion, along the lines of existing ethical hacking certifications. States could also influence the career direction of personnel who leave government service, through financial or more value- and culture-based incentives. The aim would be to encourage outgoing or former employees into permissioned markets even when their work within state structures has focused on conducting unpermissioned intrusion, rather than moving to work on unpermissioned intrusion commercially.
C. Limiting end users for unpermissioned intrusion
Principle 4: States should not engage commercial actors to independently conduct unpermissioned cyber intrusion on their behalf.
This principle seeks to prevent all commercial actors from independently conducting unpermissioned cyber intrusion on behalf of states. A range of state actions could take place under this principle, including naming and shaming both commercial actors using such capabilities and their suppliers, as well as applying financial sanctions or export-control conditions. Importantly, this principle addresses only commercial actors involved in unpermissioned cyber intrusion on behalf of states; its purpose is not to tackle the wider issue of non-state actors engaging in unpermissioned cyber intrusion in other situations.
The other crucial word is independently. This principle does not seek to exclude commercial actors from the supply chain for state capabilities for unpermissioned cyber intrusion. Neither does it seek to prevent commercial actors from providing ‘turnkey’ or ‘access as a service’ products, such as spyware, to states. In such cases, states remain the end user of such capabilities, and intrusion is not conducted independently. In contrast, independently conducting cyber intrusion gives the commercial actor far more decision-making power in terms of how and when to conduct the intrusion – for example, if a state provides only a list of target names, devices, or even more general tasking instructions. This granular definition of independence contrasts with an alternative commonly dubbed ‘finger on the trigger’, which implies a relatively straightforward analogy with kinetic weapons. For cyber capabilities, the reality is a more nuanced spectrum of contributions, from provision of a user interface for ‘point and click’ intrusion at one end (not independent conduct, even if a commercial actor helps to train and troubleshoot state users of that interface) to full operational discretion at the other (independent conduct).
A key area of ambiguity lies in military cyber operations. In conventional spheres of military operation, national laws and international agreements (especially the Montreux Document, concerning the operations of private military and security companies during armed conflict) govern the role commercial actors can play in military operations. In line with the research that has informed this paper, it is suggested that if the relationship between states and commercial cyber intrusion companies meets standards for private military contractors set out in the Montreux Document Part 1A (Contracting States), then such companies can be excepted from the scope of this principle. Exempted companies should then be permitted to act on states’ behalf and treated equivalently to private military contractors, with the same standards and obligations.
Going beyond the Montreux Document, states should look to place commercial actors as far from the ‘front line’ of cyber operations as possible. Unlawful and unpermissioned cyber intrusion by non-exempted companies or other non-state actors (such as hacktivist organizations or unstructured ‘IT armies’) should still be prohibited. In the absence of a similar international mechanism, law enforcement and other national security applications of unpermissioned cyber intrusion capabilities should be reserved for state actors.
Because commercial intermediaries sell to other commercial entities before ultimate use by a state, a necessary precursor to implementation of Principle 4 would then be ‘know your customer’ requirements, for intermediaries to ensure sellers are aware of their ultimate recipient.
This principle was the subject of intense discussion in the workshop summarized in Chapter 5. One participant said plainly: ‘Some states won’t want to sign up to this principle because they like having [the] ability to give these tools [for unpermissioned intrusion] to non-state actors.’ Others questioned the distinction between private and public actors in this space, with one asking: ‘How much of a contractor do you have to be before becoming a state actor?’ This is a lively research area in cyber conflict studies, with scholars differing on the definition and appropriate response – legally and practically – to state ‘proxies’. Some workshop participants raised questions around specific countries. One asserted that ‘hacker for hire’ companies are engaged with no transparency, going as far as to say that some states are also ‘silencing reporting on this’. Some participants suggested that some of ‘the West’s’ adversaries have different appetites for contractors to work independently from state direction. However, others pointed out that in times of crisis (the example given was the war in Ukraine) ‘Western’ states and their allies might also wish to retain the option of co-opting or directing non-state actors.
Ultimately, the implementation of this principle raises many of the same issues as those noted in the discussion of Principle 2 with regard to transparency and knowledge in commercial transactions. Because commercial intermediaries sell to other commercial entities before ultimate use by a state, a necessary precursor to implementation of Principle 4 would then be ‘know your customer’ requirements, for intermediaries to ensure sellers are aware of their ultimate recipient. More indirectly, ‘know your supplier’ requirements, including knowledge of a supplier’s other customers, could help states to prevent companies that sell to non-state actors from access to their markets. Some workshop participants supported this approach, with one explaining: ‘We need to put the onus on the purchasers to understand the supply chain – knowing exactly who found it, where it is being sold, etc.’ However, participants were more sceptical of models of trusted or licensed suppliers. One asked: ‘What is trusted? A licensed company? Licensed researchers?’ Another noted: ‘If you have central, monopolized licences … this will kill creativity.’
A wider version of this principle would ask states to invest more in preventing and sanctioning actors who permit unpermissioned cyber intrusion on their territory, more akin to issues of due diligence. However, such expanded anti-hacking policies are beyond the scope of this paper, even though individuals (such as those using stalkerware in technology-facilitated abuse) or companies (such as private investigators or firms engaging in corporate espionage or aggressive public relations strategies involving hack-and-leak operations) are frequent users of unpermissioned cyber intrusion. Furthermore, such efforts would likely conflict with Principles 2 and 3 if national laws – or the implementation of treaties such as the UN Cybercrime Convention – do not sufficiently exclude permissioned cyber intrusion or good-faith security research from their scope.
Principle 5: States should be transparent in acknowledging unpermissioned cyber intrusion for military, national security and law enforcement purposes.
While the aim of Principle 4 is to limit end users of unpermissioned intrusion to states, this principle seeks to make state uses of such capabilities more transparent. Without acknowledgment by states that they use these capabilities, the next two principles (6 and 7), on how such capabilities should be used, are worth relatively little, as states cannot usefully discuss constraints on an activity they do not admit to conducting. Ideally, this acknowledgment would be made in the public domain, in the manner of general declarations of possession and use of offensive cyber capabilities by some militaries. Some workshop participants highlighted the distinction between different kinds of state users of unpermissioned cyber intrusion, expressing doubt that states would provide data on espionage, rather than military or law enforcement.
There if of course a tension here between the goal of state transparency and the risk of revealing detail about such capabilities that may compromise operations, and so this principle does not ask states to go beyond general declarations. Disclosures of other information, such as levels of spending, numbers of contractors or aggregate instances of use, would also contribute to overall transparency – again, to the extent that states can acknowledge these details without compromising their operations. States could also look to increase transparency in other areas, for example in disclosing their reasons for intervention against specific companies or individuals, tying them to specific contraventions of international law and norms, or principles such as those suggested here.
However, some recent reports have suggested that some states not only operate without transparency, but also seek to actively frustrate others’ efforts at increasing transparency. Overall, as one workshop participant suggested: ‘Getting them to admit to it does feel like a good first step.’ This principle therefore links closely to Principle 7, on adopting agreed minimum standards and being seen to do so.
D. Raising standards for unpermissioned intrusion
Principle 6: States should integrate their practices of unpermissioned intrusion with their efforts to improve anti-corruption, security governance and rule of law.
Some state abuses of commercial cyber intrusion capabilities occur as a result of wider issues of corruption (commercial cyber capabilities obtained by inappropriate state actors), security governance (use of such capabilities for purposes beyond legitimate law enforcement and national security goals, such as transnational repression or extrajudicial killings) or rule of law (data provided by such capabilities circumventing or undermining established judicial procedures). Many states have committed to international legal standards in these areas, as well as to initiatives by international organizations and non-governmental organizations to strengthen these fields. As one workshop participant noted: ‘What we’re missing is that the key underlying problem is that states themselves are not in compliance with human rights law … We need to ask what more can states do on their side to bring themselves more in line.’
Commercial suppliers of cyber intrusion capabilities to states, for unpermissioned uses, should integrate the use of these capabilities to initiatives on anti-corruption, good security governance and the rule of law. Other states can support this integration by working with suppliers to integrate minimum standards at the technological, contractual and interpersonal levels. Again, a prerequisite for implementation of Principle 6 is a robust ‘know your customer’ mechanism, without which suppliers cannot evaluate whether such sales adhere to this principle. Such a mechanism should ideally be more granular than lists of sanctioned or blacklisted countries: it should identify specific departments or institutions within countries that would require additional scrutiny, and – conversely – those that implement best practices. Overall, this principle requires commercial cyber intrusion suppliers to work closely with civil society organizations both in and beyond the field of cybersecurity.
Principle 7: States should adopt OECD principles for government access to data, along with UN norms of responsible state behaviour, as minimum standards in their practices of unpermissioned intrusion.
This principle seeks to place commercial cyber intrusion capabilities in their broader context. It does so in two ways:
First, it recognizes that state unpermissioned use of such capabilities, especially for national security or law enforcement purposes, is one means among many of acquiring data, also including cooperative or coerced data requests from the private sector. While the legal and regulatory environment surrounding such data requests is significantly different to that around cyber intrusion capabilities, these are separate routes to similar end goals: (enforced) cooperation with a technology company to obtain ‘passive’ collection or access to its users’ data; and adversarial access to users’ data by compromising devices or products of that technology company without it or its users’ permission (for example, using spyware). Although spyware can be more efficient at an individual level, providing a state with access to a wide range of data on applications run and managed by different companies for a single user, cooperative data requests can be more efficient at large scale, enabling data collection across multiple users.
In 2022, the Organisation for Economic Co-operation and Development (OECD) adopted a Declaration on Government Access to Data held by Private Sector Entities. The purpose of the declaration is to establish principles for governments to request data from companies, especially multinational technology companies. These principles include: sound legal basis, legitimate aims, appropriate approval and handling, transparency, oversight and redress. The OECD principles, subject to some changes to allow for the different context, should be adopted as minimum standards for government use of unpermissioned cyber intrusion capabilities for data collection. If adopted, these principles would prevent many of the high-profile cases of misuse and abuse seen to date.
The difficulty here is in implementation. The OECD principles, in their original context, can theoretically be turned to by companies that are the subject of data access requests, thereby asking states to demonstrate their compliance with these principles before granting access. In contrast, the unpermissioned nature of access to data via cyber intrusion means that such companies cannot, by definition, ascertain whether these principles are in place. As one workshop participant noted: ‘You could put all of the controls around [an exploit], but if someone doesn’t want to follow them, you can’t do anything about it.’ Another suggested that ‘end user licence agreements are hard to enforce in this space’. Instead, the burden is likely to fall on the multi-stakeholder coalition working on broader improvements in security governance discussed in Principle 6, with many of the same potential implementation routes.
There is now a much wider understanding of the potential for state offensive operations, beyond data collection, occurring also in peacetime and involving non-military actors.
The second way in which this principle places commercial cyber intrusion capabilities in their broader context is to recognize that states do not only use them for data collection. They also use them for ‘offensive’ purposes – i.e. data deletion or manipulation intended to produce effects on connected cyber-physical systems or wider organizations and societies. While such uses have predominantly been discussed in terms of military uses in conflict, there is now a much wider understanding of the potential for state offensive operations, beyond data collection, occurring also in peacetime and involving non-military actors. Norms for such activity, including accepted and out-of-bounds targets, have been adopted as part of a framework for responsible state behaviour in cyberspace, developed through various UN processes. State uses of commercial cyber intrusion capabilities for offensive uses should follow these principles, including their future elaboration. Some states, among them the UK, have already published documents detailing their interpretation of responsible state behaviour in the context of such operations.
E. Avoiding non-commercial loopholes
Principle 8: States should apply, at a minimum, equally high standards to internal development and interstate transfer as they do to commercial activities.
This principle encourages states to apply Principles 6 and 7 equally to internal development and use of cyber intrusion capabilities, as well as to non-commercial transfers between states. While these two areas – internal development and interstate transfer – are very different, they are both non-commercial spaces not governed by the market dynamics discussed in this paper. Many states develop cyber intrusion capabilities in-house (i.e. within military, intelligence or law enforcement bodies), and sometimes transfer those capabilities via training, personnel movement or technology transfer to other states without a financial transaction. Such transfers are governed largely by diplomatic considerations. The potential implementation of this principle is far less clear than the others, given the increased opacity of internal state activities compared with commercial ones. Nonetheless, it is crucial to mitigate the risks posed by misuse and abuse of cyber intrusion capabilities (commercial or otherwise), as the kind of interventions into the commercial market discussed in this paper potentially encourage states to take their development back in house and/or transfer capabilities bilaterally, outside market mechanisms. This principle seeks to pre-empt such unintended consequences.