Cyber intrusion – the ability to access and manipulate a digital device, system or network remotely and without proper authorization – has become commercialized. The scale at which cyber intrusion capabilities are now available is largely due to the rapid growth of the markets in which such capabilities and their component parts can be bought and sold as products and services by states, companies and criminals.

In addition to their use by cybercriminals, many states, including military and intelligence agencies, have turned to the commercial acquisition of such capabilities as an alternative to developing and maintaining them in-house. But states frequently use such capabilities in ways that violate international human rights law or otherwise undermine norms of responsible state behaviour.

In recent years, civil society, industry and state actors have proposed a wide range of policy interventions to counter the proliferation and misuse of commercial cyber intrusion capabilities. However, existing interventions are focused mainly on a narrow group of states and specific issues. As a result, they risk incoherence and inconsistency, and are unlikely to encourage substantive change across the whole landscape.

This paper suggests principles for state approaches to shaping the market for commercial cyber intrusion capabilities, both promoting their responsible use and countering their irresponsible use. Principles can help disparate interventions achieve consensus from multiple perspectives, from narrow national security objectives to broader concerns regarding human rights or the security of the internet architecture. They can also help to identify opportunities for high-level agreement on aims despite disagreement on specific use cases, moving beyond the centres of existing regulation in the US and Europe.

The principles are underpinned by a new distinction between ‘permissioned’ and ‘unpermissioned’ intrusion. Permissioned intrusion takes place with the permission of either the user, the owner or the operator of a targeted device, system or network. Unpermissioned intrusion, as the term suggests, takes place without at least one of these permissions.

This distinction is important because it moves the focus of debate away from the contested application of concepts of ‘legitimacy’ and ‘dual use’, towards a clearer test of permission. The aim is to minimize concerns over the impact of regulation and policy on genuine cybersecurity research and testing practices – an issue that has stymied many previous high-profile interventions – as well as to reduce confusion between different kinds of legitimacy (such as that of a government intelligence agency versus that of a client of a security testing service).

The principles are summarized as follows:

- States should align their approaches across markets for commercial cyber intrusion capabilities, including as customers and users, investors, detectors and defenders, and regulators.
- States should separate markets for permissioned cyber intrusion from markets for unpermissioned cyber intrusion as far as possible: administratively, legally and technologically.
- States should stimulate markets for permissioned use of commercial cyber intrusion capabilities.
- States should not engage commercial actors to independently conduct unpermissioned cyber intrusion on their behalf.
- States should be transparent in acknowledging unpermissioned cyber intrusion for military, national security and law enforcement purposes.
- States should integrate their practices of unpermissioned intrusion with their efforts to improve anti-corruption, security governance and rule of law.
- States should adopt OECD principles for government access to data, along with UN norms of responsible state behaviour, as minimum standards in their practices of unpermissioned intrusion.
- States should apply, at a minimum, equally high standards to internal development and interstate transfer as they do to commercial activities.

Ultimately, widespread adoption of these principles by states would mean that commercial cyber intrusion capabilities are sourced in a more restrained and responsible way. Such capabilities would be used only by states, and then only when meeting clear thresholds of necessity and proportionality and in ways compatible with international law – including international human rights law.
- DOI: https://doi.org/10.55317/9781784136277
- ISBN: 9781784136277
- Pages: 41
- Published in: United Kingdom