Following over a year of work on the agreement, twenty-one nations signed The Pall Mall Process in Paris to govern the use of spyware.
The Pall Mall Process is an international, multi-stakeholder initiative aimed at identifying and implementing political commitments to counter the proliferation and irresponsible use of commercially available cyber intrusion capabilities—which often manifest as cyber mercenary activity.
On 3 and 4 April 2025, France and the UK co-hosted the second Pall Mall Process conference in Paris. The event brought together 45 States, international organizations, and a broad coalition of private sector actors, civil society representatives, and researchers.
During the conference, a groundbreaking code of good practice, initially endorsed by 21 States, was adopted, outlining voluntary political commitments and practical recommendations to address the growing threat.
A few of the recommendations include:
- Finding ways to ban vendors who engage in illicit behavior
- Developing regulations to make sure these technologies are used in necessary, lawful situations
- Creating policies that define the use of technology for cybersecurity purposes
- Encouraging vendors to publish coordinated vulnerability disclosure procedures
A Shared Understanding
The code of good practice reflects a shared understanding of the threat landscape among participating States, and reaffirms the relevance of existing international legal and normative frameworks. It also offers actionable guidance across various political domains.
The initiative also supports the implementation of the United Nations framework for responsible State behavior in cyberspace and aligns with the principles of the Paris Call for Trust and Security in Cyberspace.
The Pall Mall Process will continue to promote and disseminate these good practices, while monitoring their implementation over time.
Serving a Greater Good
“Many practitioners find spyware use by authorities to be controversial. Ultimately, technology has to serve a greater good purpose, otherwise what’s the point, right?” said Lawrence Pingree, VP of Dispersive.
“Software providers – whether they provide offense or defense solutions – should have to uphold sanctions on specific countries,” Pingree added. “To me this is a no-brainer. Software providers should also focus on safeguards in the use of and authorization of use of their applications. Application logic, authorizing and Know Your Customer (KYC) steps can really help in validating use, which can validate authorized actions. This initiative seems like a good start to bridging the historical controversy gaps by focusing on advancing disclosure – which is a multi-faceted issue due to the complexities of cybersecurity, especially at the code level.”
A Lack of Standardized Authorizations
Evan Dornbush, former NSA cybersecurity expert, commented that the biggest aspect of The Pall Mall Process (PMP) is that governments are, for the first time, openly acknowledging that they conduct offensive cyber operations and that they see a strategic advantage in them. They are also creating a framework for how to partner with the private sector to ensure they have access to the global pool of talent and products required to operate at peak performance.
“The challenge here is that CCICs – a term that encompasses spyware – though legal to create and sell, may require certain authorizations to use that have never been standardized.”
Dornbush said the PMP seeks to create that framework, but it’s not complete. “What was signed by a few dozen nations is a commitment to adhere to criteria. This phase only applies to government behaviors, and what member nations should or must do. The process is ongoing. The next phase will address industry criteria, which may shape up to create parallel and bifurcated markets.” If an industry player adheres to the criteria it can sell to the PMP Nations. If it does not, it cannot. Businesses will have to determine how valuable the PMP market is.
There’s Still a Lot to Process
“The obvious examples here are those companies who sell to customers that target journalists. Continuing to sell in that manner locks out those vendors from selling to PMP Nations,” Dornbush added. “There’s still a lot to process. From the industry side, how can a vendor know what its customers are doing? It’s not like the private sector can audit a classified user’s behavior. For example, what happens if a government user acts illegally? What happens if a government user uses tech, as was the case with NotPetya, and ends up causing damage to a government’s citizens?”
Dornbush explained that the laws of one country may not perfectly overlap with the laws of all the others. “Meanwhile, there really is no universal definition of the word ‘responsible,’ so determining ‘responsible use’ may continue to be problematic.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.