Do Son 
This week, Paris became the stage for intricate diplomatic negotiations aimed at curbing the unchecked proliferation and use of commercial hacking tools. France and the United Kingdom jointly unveiled the Pall Mall Process, an initiative seeking to establish new regulatory frameworks for the trade and deployment of commercial cyber intrusion capabilities (CCICs).
Despite its ambitious goals, the initiative has faced numerous hurdles. Many participating states remain reluctant to abandon entrenched practices, and skepticism persists regarding the efficacy of the proposed measures. Nevertheless, a draft agreement has now been prepared and distributed to governments, international organizations, academia, and technology firms. This document outlines a set of voluntary commitments.
Among the proposed measures are:
- Regulation of the development and export of hacking tools;
- Establishment of internal oversight mechanisms for their use;
- Implementation of vulnerability assessment frameworks;
- Refusal to procure from companies implicated in unlawful conduct;
- Sanctions against those who profit from the irresponsible deployment of CCICs.
The urgency of the issue is underscored by numerous cases in which such technologies have been deployed against journalists, human rights defenders, opposition figures, and even foreign government officials. Moreover, the unrestrained dissemination of CCICs undermines the cybersecurity economy by incentivizing the concealment of vulnerabilities for exploitative purposes.
However, finalizing the agreement is complicated by the absence of major CCIC-exporting nations, including Israel, India, Austria, Egypt, and North Macedonia. Israel’s absence is particularly conspicuous, given that two of the four companies sanctioned by the United States for peddling digital repression tools are based there.
Nevertheless, signs of progress have emerged. Sources indicate that Israel and NSO Group are engaging informally in the process, albeit at an early stage and without any current expectations of signing the agreement.
At the heart of the draft lies a voluntary Code of Practice, inspired by the Montreux Document and the Code of Conduct for Private Security Companies. The objective is to craft an international ethical framework for the hacking industry, rooted in respect for international humanitarian and human rights law.
