The UK and France introduced the Pall Mall Process in Feb 2024, establishing multistakeholder discussion on the rise of Commercial Cyber-Intrusion Capabilities (CCICs). This effort evolved from other collaborative endeavors like the CyberTech Accord and the Paris Call for Trust and Security in Cyberspace, originating from the Paris Peace Forum. Despite these initiatives, spyware is still a growing concern, as incidents of it are increasingly being reported worldwide. Coupled with a surge in vulnerability discoveries and a rise in fragmentation within disclosure reporting, policymakers are confronted with the need to translate their commitments into tangible actions. As the Second Pall Mall Process Conference approaches, it is crucial to assess how the current state of the threat landscape guides the most impactful measures to address the trade of CCICs.
The emphasis of the Pall Mall Process on spyware is rational considering the detrimental effects these malicious software have on individual privacy, human rights, and national security. Despite predictions of its decline, NSO Group’s Pegasus malware is still active in the cyber domain. Ongoing repercussions persist, with a US District Court ruling the group liable for violating US and California laws by targeting WhatsApp servers. Despite initial sanctions on spyware vendors, spyware proliferation continues, with recent implications in countries like Mexico and Italy for spying on their populations. Spyware fundamentally profits from exploiting users’ devices to extract sensitive data. Estimates by the New Yorker in 2021 valued the global spyware trade at approximately $12 billion. Since then, the spyware market has shown resilience and continuous adaptation, indicating no signs of deceleration.
The year 2024 surpassed expectations for those anticipating a surge in vulnerabilities and zero-day exploits. While there is no direct evidence that AI is accelerating the pace of discovery and exploitation, it is a technology steadily moving in that direction. Google researchers have showcased how Large Language Models (LLMs) are lowering the barriers for identifying vulnerabilities in open-source software. With the integration of agentic AI into tools like reverse engineering and generative fuzzing, AI is becoming more proficient in discovering vulnerabilities in complex closed-source software. The packaging of these discoveries into widely deployable exploits is still a work in progress, often requiring detailed descriptions not readily available to zero-day exploit developers. The perpetual pursuit to uncover and remedy vulnerabilities remains a constant in the cybersecurity domain, juxtaposing purple teams against the grey market involved in trading spyware, exploits, and vulnerabilities. Restricting a specific class of software like spyware may shift the issue to its origin – the trade of vulnerabilities and exploits.
While software exploit risks surge, the current threat intelligence ecosystem falls short in meeting this challenge. The US National Vulnerability Database (NVD), managed by NIST, is the primary authority on vulnerability severity and description. The NVD acknowledges their inability to keep pace with the rapid rate of vulnerability discoveries, with a mounting backlog in cybersecurity analysis. CISA maintains the Known Exploited Vulnerabilities (KEV) list to pinpoint vulnerabilities extracted from the NVD that are currently being exploited. When vendors address vulnerabilities in their software through internal assessments or bug bounty programs discreetly, and then issue patches declaring the issue resolved, vulnerabilities often remain unaddressed. This challenge also extends to vendors evaluating the security of their new AI technologies, illustrating a critical need for promoting third-party flaw disclosure mechanisms. While vendors benefit from these coordinated disclosures by enhancing their products proactively, the current market conditions are suboptimal for ethical vulnerability research and disclosure. The prevailing market scenario resembles an iterated prisoner’s dilemma where each entity opts to deviate from the ethical route to preserve their access to spyware, exploits, and vulnerabilities.
To address some of these gaps, reporting and analysis are becoming more fragmented. Recently, Wiz revealed an online vulnerability database that specifically targets consequential cloud vulnerabilities. As emerging AI software introduces new attack surfaces, novel reporting mechanisms have emerged to navigate the risks associated with evolving software capabilities and the incidents that arise. Corresponding to this progression, spyware monitoring has also intensified, with the CyberPeace Institute aggregating reports on spyware incidences affecting civil society, and Freedom House launching a tool to combat spyware and surveillance technology. Although these developments advance third-party bug reporting evaluations, the proliferation of reporting mechanisms alongside vulnerabilities underscores the need for coordination. Crucial inquiries in security posture management surround the sourcing of vulnerabilities and the assurance of their credibility.
Questions regarding the influence on my colleagues become more challenging when reporting mechanisms become fragmented. Enter building capabilities…
A multitude of solutions proposed in The Pall Mall Process: Consultation on Good Practices Summary Report will greatly contribute to addressing the proliferation of CCICs, except perhaps for export controls. There is a need for international collaboration to establish standards concerning the use and commerce of risky technology. The enactment of responsible government practices in procurement deals with aspects of the CCIC lifecycle. Coordinated reporting covers most sections of the CCIC lifecycle, encompassing not just the reporting of spyware use and trade, but also vulnerabilities, exploits, and incidents. Collaboration among defenders through secure sharing of information thwarts attackers. In the pursuit to discover and exploit software flaws, defenders utilize responsible vulnerability disclosure to counteract vulnerabilities even before they become zero-day threats. This requires research and encourages a robust market for coordinated disclosure, diverting research away from the ambiguous realm of CCICs. Enhanced export controls could impede this ethical red teaming, hindering responsible disclosure and proactive security. Furthermore, with evolving controls, the spyware market adapts and spawns new entities in different jurisdictions to circumvent these constraints. The Pall Mall Process should lead collaborative efforts, especially in reporting.
There is potential for enhanced information sharing, and this is where building capabilities is crucial. Encouraging bug bounty programs that are vendor-independent and involve a coordinated disclosure mechanism would enhance market conditions that encourage research away from the ambiguous market. These programs should be dedicated to collaborating with vendors such as HackerOne, BugCrowd, and Trend Micro’s Zero Day Initiative to rectify bugs. Failing this, vulnerabilities can be hoarded for potential exploitation or silenced by vendors who have no intention of releasing a meaningful patch. Moreover, investing in vulnerability analysis programs is necessary to keep pace with the increasing rate of discovering vulnerabilities. This year, there is a need to empower defenders with AI tools to prioritize AI-discovered vulnerabilities. Secure information sharing programs establish safeguards in advance of potential attacks, and more vendors could consider emulating Microsoft’s Advanced Protection Program (MAPP) in sharing information on vulnerability patches. These programs could be enhanced with coordinated analysis of vulnerabilities, equipping defenders with the necessary tools to remain a step ahead. Lastly, standardizing and coordinating incident reporting would bolster defenses by enhancing visibility into the threat landscape.
Vulnerabilities mark the inception point of every CCIC, and capacity building for disclosing and analyzing vulnerabilities delves into the core issue. There is also room for enhancement in incident coordination. While expecting uniform governance across borders or industries may be impractical, efforts can be intensified to promote secure information sharing. Implementing regulations is more intricate compared to developing secure collaborative research programs, and enhancing the cybersecurity intelligence ecosystem will benefit all defenders.
Governance commences with visibility; you cannot govern that which you are unable to perceive. Subsequently, policies should prioritize security above all else. Promoting coordinated disclosure of vulnerabilities strikes at the root of the spyware issue; vulnerabilities pave the way for exploits that exploit spyware. It is crucial to address the entire ecosystem rather than just a single symptom, making ethical disclosure of vulnerabilities the minimum requirement for all. With the rapid pace of discoveries and the diminishing capacity of current systems to cope, support for structures relating to vulnerability and incident reporting, analysis, and sharing is imperative.
About Author
