Two researchers from the Center for Long-Term Cybersecurity recently attended the Pall Mall Process conference. Hosted by the UK and France Foreign Ministries, the multi-stakeholder conference brought together State officials, private companies, and civil society representatives at the historic Lancaster House in London to discuss growing concerns around the proliferation and irresponsible use of commercial cyber intrusion capabilities, including spyware.
Dr. Gil Baram chaired a panel discussion in which panelists explained what “responsible behavior” looks like when it comes to commercial cyber intrusion capabilities. “Of course, responsible behavior might look different if you are a government, a vendor, or a customer,” said Baram. “But we want discussion to be as specific as possible, so we will discuss the different elements of responsible behavior and provide examples of how responsible behavior looks – or should look – in practice.”
The conversation relates to Baram’s research on offensive cyber operations and states’ behavior patterns. “The conversation about responsible behavior in cyberspace is not just a legal or technical one; it is fundamentally about our values and the kind of digital world we want to create,” Baram said. “The Pall Mall Process is a significant step towards a future where commercial offensive cyber capabilities are developed and used responsibly, balancing the needs of national security with the imperatives of human rights in order to maintain global stability.”
Dr. Elaine Korzak was also in attendance at the conference. Her research focuses on the use of export controls, including two book chapters on the use of export controls in regulating spyware and cyber tools more broadly, as well as a forthcoming CLTC white paper identifying lessons learned from the implementation of multilateral export control in the US and the EU.
“The UK and France are giving this issue high-level political attention and visibility,” said Korzak. “This comes after international discussions had largely died down after a first attempt to regulate the transfer of spyware technologies with the Wassenaar Arrangement in 2013.” Korzak wrote extensively about the Wassenaar experience and its lessons for international regulation of cyber tools. “This effort has had limited success and caused great controversy in the U.S.”
Korzak lauded the London conference for raising awareness and helping to describe the policy problems, “but so far there is no comprehensive analysis of what those different policy levers can do and how they relate to each other.” A follow-up conference to get to the solutions stage is planned to take place in Paris in 2025.
“My research at CLTC is seeking to address that critical gap by examining possible policy solutions in more detail,” Korzak said. “This means we can expect and hope for some significant movement in the coming months and years.”