World Govs, Tech Giants Sign Spyware Responsibility Pledge
France, the UK, the US, and others will work on a framework for the responsible use of tools like NSO Group's Pegasus, and Shadowserver Foundation gains £1 million investment.
February 6, 2024
A coalition of dozens of countries including France, the UK, and the US, along with tech giants such as Google, Meta, and Microsoft, have signed a joint agreement to combat the use of commercial spyware in ways that violate human rights.
The news comes a day after the United States announced a visa restriction policy for those it deems to be abusing such tools.
Commercial spyware, such as NSO Group's Pegasus, is usually installed on iPhones or Android devices and can eavesdrop on phone calls; intercept messaging; take pictures with the cameras; exfiltrate app data, photos, and files; and take voice and video recordings. The tools usually make use of zero-day exploits for initial access and sell for millions of dollars, meaning that their target market tends to consist of global government clients and large commercial interests.
For their part, commercial spyware vendors (CSVs) usually position themselves as legitimate companies that aid law enforcement and other public-sector entities in apprehending criminals. Critics, on the other hand, argue that they simply sell cyber weapons to the highest bidders, including repressive regimes looking to surveil members of civil society — political opponents, dissidents, journalists, activists, and others. The victims are then targeted for further human-rights abuses, many have alleged, including Google, which today issued a detailed report on the rapidly proliferating CSV market.
Pall Mall: Commercial Spyware Under Scrutiny
At a speech at the UK-France Cyber Proliferation conference at Lancaster House in London today, UK Deputy Prime Minister Oliver Dowden announced the kickoff for the spyware initiative, dubbed the "Pall Mall Process," which will be a "multi-stakeholder initiative … to tackle the proliferation and irresponsible use of commercially available cyber-intrusion capabilities," he explained.
More specifically, the coalition will establish guidelines for developing, selling, facilitating, purchasing, and using these types of tools and services, including defining irresponsible behavior and creating a framework for their transparent and accountable use.
He also announced that the UK will invest £1 million into the nonprofit Shadowserver Foundation, to "help them expand the access they provide to early warning systems, and to cyber resilience support for those impacted by cyberattacks."
Dowden noted, "The scope [of our efforts] must be broad, not just looking at spyware, but also considering the 'hackers for hire' phenomenon, the exploit marketplace, alongside the broader range of 'off the shelf' intrusion capabilities, including tools for disruptive and destructive effect."
Ongoing Anti-Spyware Efforts by Government
According to Recorded Future, 24 of the 35 states and organizations attending the Lancaster House conference signed the pledge, agreeing to "engage in an ongoing and globally inclusive dialogue, complementary to other multilateral initiatives," with a follow-up meeting set for next year in France.
While the full accounting of attendees to the event has not been made public, Recorded Future reported that a range of countries — including Cyprus, Greece, Italy, and Singapore — all signed the pledge, while Hungary, Mexico, Spain, and Thailand, among others, did not. Israel, which is home to many CSVs, including NSO Group, did not attend the event.
This is not the first effort to combat malicious governmental use of commercial spyware; last March, the Biden administration issued an executive order imposing restrictions on its use by federal agencies.
"The United States remains concerned with the growing misuse of commercial spyware around the world to facilitate repression, restrict the free flow of information, and enable human rights abuses [which] threatens privacy and freedoms of expression, peaceful assembly, and association," US Secretary of State Anthony Blinken said in yesterday's announcement on the visa restrictions. "Such targeting has been linked to arbitrary detentions, forced disappearances, and extrajudicial killings in the most egregious of cases," likely referring to the Jamal Khashoggi killing in 2018.
About the Author
You May Also Like
Transform Your Security Operations And Move Beyond Legacy SIEM
Nov 6, 2024Unleashing AI to Assess Cyber Security Risk
Nov 12, 2024Securing Tomorrow, Today: How to Navigate Zero Trust
Nov 13, 2024The State of Attack Surface Management (ASM), Featuring Forrester
Nov 15, 2024Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024