By: Elsa Debargue and Jeffrey D. Bean
Three months ago, to little fanfare, 25 countries, including the United States, many European Union member states, Japan, and South Korea, agreed in Paris to a code of practice to tackle the proliferation and irresponsible use of commercial cyber intrusion capabilities. This effort is part of the Pall Mall Process (PMP), a multistakeholder dialogue initiated by France and the United Kingdom in London in 2024 to address the market for commercial cyber intrusion capabilities (CCICs). These tools range from PhoneSpy, Predator, and NSO Group's Pegasus to other intrusion technologies that are largely unregulated and growing in popularity. For instance, a malicious individual or organization could hire a private firm that uses CCICs to remotely access and compromise a journalist's phone, extracting messages and tracking their location without detection. The Pall Mall Process aims to ensure the responsible use of CCICs through the adoption of four pillars: accountability (establishing clear responsibility for misuse), precision (limiting use to clearly defined targets), transparency (making practices and policies publicly understandable), and oversight (implementing independent review and enforcement mechanisms).
The recent code of practice agreement and the process at large are significant for three major reasons. First, the PMP goes beyond spyware to encompass the entire ecosystem of CCICs, including malware-as-a-service, access-as-a-service, and hacking-as-a-service. Pall Mall intends to define ethical boundaries, develop guiding principles, and establish this code of practice so that states can mitigate the misuse of CCICs while preserving legitimate cybersecurity and resilience work. Formulating the code of practice has drawn on previous international efforts, including the Montreux Document on private military and security companies.
Second, the PMP not only incorporates multistakeholder actors, including civil society, academia, and the private sector, but is also developing a voluntary code of practice for industry. This industry code will provide a baseline of behavior that private sector vendors can commit to, to be formalized in the future. The PMP has been working closely with the intrusion industry, bringing a controversial community together constructively to develop tools that improve practices, accountability, and transparency among both states and industry. The multistakeholder aspect cannot be overstated: the ability of experts to contribute to state-led processes in cyber is necessary to ensure a comprehensive understanding of both problems and solutions.
Third, the agreement is flexible, ad hoc, and embeds the United Nations Charter and the UN norms of responsible state behavior in cyberspace in its language, meaning that the dialogue is complementary to existing UN processes, such as the United Nations Open-Ended Working Group (OEWG) on security of and in the use of information and communications technologies. In this way, the PMP buttresses the broad effort to incorporate norms from international law into practical cyber governance.
Taking a step back, the PMP reflects a shift in the landscape of cyber governance by offering a complementary track to United Nations cyber processes. This is crucial because UN processes like the OEWG have often been stymied by political deadlock, where progress has been impeded and the future of current mechanisms will be shaped by lowest-common-denominator state consensus. Yet findings from the PMP and similar processes, such as the Counter Ransomware Initiative, are still ultimately often fed back into the United Nations.
That said, the process still reflects certain imperfections of multilateral engagements broadly and of cyber governance specifically, most noticeably its lack of a binding enforcement mechanism. Attribution and accountability concerns also abound. Implementation in cyberspace remains an outstanding challenge, and this process is no different. Since the PMP exists on a voluntary basis, there is no assurance that problematic actors that leverage CCICs will comply. Likewise, the process focuses on commercial intrusion tools, which draws attention away from governments that develop and operate their own intrusion tools for espionage. And because the process attempts to cover a vast ecosystem, some experts argue that it may prove too complex to govern coherently.
The Pall Mall Process is a work in progress, and only time will tell if it proves durable and successful. However, it does hint at a potential turning point in current cyber governance efforts by adapting to the realities of a decentralized, privatized, and often invisible marketplace of digital intrusion. Its success will depend on the political will of participants, especially those who need to uphold accountability and impose restraint on the use of CCICs. If the PMP can define clear and ethical boundaries while keeping diverse participants meaningfully engaged, it could become the precedent for collaborative, coherent, and impactful cyber governance. It could demonstrate that states can make tangible progress on challenging issues, reflecting the spirit of the UN processes without their constraints.
Elsa Debargue is a former intern with the Cyberspace Cooperation Initiative at ORF America, and Jeffrey D. Bean is the Program Manager for Technology Policy and Editor at ORF America.