Achieving all-stakeholder consensus on key concepts of legitimacy and responsibility for cyber intrusion capabilities remains highly challenging. The principles set out in this paper are both sensitive to nuanced market dynamics and keenly aware of the urgent need to prevent misuse and abuse.
This paper has proposed eight new principles for state approaches to commercial cyber intrusion capabilities. The principles are rooted in a new distinction between permissioned and unpermissioned cyber intrusion, which – despite complexities around overlapping supply chains and the breadth of activity contained on each side – offers a fresh entry point into a high-profile but polarized policy debate. While it will always be necessary to define and enforce standards of legitimacy and responsibility (indeed, Principles 6 and 7 go in this direction), trying to do so while treating both permissioned and unpermissioned intrusion together has repeatedly failed in the past, and may well fail in the future.
The key principles, then, are those that seek to separate the markets underlying these two kinds of intrusion (Principle 2), therefore enabling the stimulation of one market and not the other (Principle 3). Principle 1, on internal coherence, is a necessary condition of this separation and stimulation. Principles 4–7 are viable only if based on this separation; without it, efforts to limit end users (Principle 4), increase transparency (Principle 5), or raise standards (Principles 6 and 7) for unpermissioned intrusion are likely to run up against persuasive arguments that their negative impact is not worth the benefit. That is to say, such measures would restrict or stifle markets for permissioned intrusion that are currently crucial to improving global cybersecurity. Principle 8 is more speculative, seeing the potential for a shift away from commercial provision of cyber intrusion capabilities and endeavouring to ensure that such a shift does not lead to greater misuse.
These principles do not fit neatly within any existing policy initiative on commercial cyber intrusion capabilities. Rather, they are of relevance across multiple processes. At the UN, the Open-Ended Working Group (OEWG) on security of and in the use of information and communications technologies is likely to include discussions on commercial cyber intrusion capabilities in the near future, while the use of such capabilities by law enforcement agencies makes them clearly relevant to the UN Ad Hoc Committee (AHC) on cybercrime. There are already linkage points with the OEWG in Principle 7, referencing norms of responsible state behaviour, as well as implications for discussions, within the AHC, on cybersecurity and cybercrime capacity-building – much of which takes place via commercial actors. The principles also offer avenues to strengthen export regulation while avoiding some of its negative impacts, thereby supporting signatories to the Wassenaar Arrangement and the EU Dual-Use regulation. And they provide high-level guidance and coherence for states that are already committed to substantial regulation and intervention, including via initiatives of the Summit for Democracy or the EU.
The principles’ exclusive focus on state approaches – albeit with significant indirect impact on industry and other actors – inevitably means that they represent only a partial contribution to global multi-stakeholder or industry processes such as the Cyber Tech Accord, the Paris Call or the Pall Mall Process. However, achieving consensus across all stakeholders on key concepts of legitimacy and responsibility remains a highly challenging task. Until such a consensus emerges, these principles provide a way forward that can not only catalyse all states towards this broader goal, but do so in a way that is sensitive to the nuanced market dynamics of this field, and keenly aware of the urgent need to prevent the misuse and abuse of such capabilities.