Importance of Adequate Capability in a More Hazardous Threat Environment

The UK and France launched the Pall Mall Process in February 2024 to open a cross-sector conversation on the proliferation of commercial cyber-intrusion capabilities (CCICs). It builds on earlier joint efforts such as the Cybersecurity Tech Accord and the Paris Call for Trust and Security in Cyberspace, which came out of the Paris Peace Forum. Spyware proliferation nonetheless remains a pressing problem, with reported incidents rising worldwide. Add an accelerating rate of vulnerability discovery and growing disarray in disclosure reporting, and policymakers face the task of turning their pledges into concrete action. With the second Pall Mall Process conference approaching, it is worth examining how the current threat landscape shapes which measures will have the greatest effect on the trade in CCICs.

The Pall Mall Process is right to focus on spyware, given the harm it does to individual privacy, human rights, and national security. Despite predictions of its demise, NSO Group's Pegasus is still being found in the wild, and the consequences of its use linger: a US district court held NSO liable for violating US and California law when it targeted WhatsApp's servers. Hopes that this ruling will dent the spyware market echo the hopes that followed the first public censure of spyware vendors. Spyware remains rampant, with recent reports implicating Mexico and Italy in surveillance of their own citizens. At its core, spyware exploits a target's device to steal sensitive data. The New Yorker estimated the global spyware trade at roughly $12 billion in 2021, and the market has kept evolving since, with no sign of slowing.

2024 exceeded the expectations of anyone who forecast a big year for vulnerabilities and zero-days. There is no evidence yet that AI is accelerating discovery and exploitation, but the technology is moving in that direction. Google researchers have shown how LLMs lower the bar for finding vulnerabilities in open-source software, and as AI tooling takes on reverse engineering and generative fuzzing, it will increasingly be able to probe closed, more complex software. Producing widely deployable exploits with AI is still a research problem: models generally need detailed write-ups of the kind that are not available for a genuine zero-day. The cycle of finding and fixing vulnerabilities has always been a cybersecurity battleground, pitting defenders against the grey market in spyware, exploits, and vulnerabilities. Restricting and regulating one category of software, such as spyware, only pushes the problem back to its source: the trade in vulnerabilities and exploits.

While the risk from software exploits grows, our existing threat intelligence structure is failing to keep up. The principal authority on vulnerability descriptions and severity is the US National Vulnerability Database (NVD), run by NIST. NIST concedes that the NVD cannot match the pace of vulnerability discovery, and its growing backlog of unanalyzed CVEs is a recognized and worsening problem. CISA maintains the Known Exploited Vulnerabilities (KEV) catalog, which flags which NVD entries are being exploited in the wild. When vendors quietly assess vulnerabilities in their own products, or in private bug bounty programs, and then ship patches that say little more than "all good", much of the relevant vulnerability information never reaches defenders. The same pattern is appearing in vendors' assessments of their new AI products, which makes promoting third-party flaw disclosure all the more urgent. Vendors stand to gain from coordinated disclosure, since it lets them fix products proactively, yet the current market offers poor conditions for ethical vulnerability research and disclosure. Today the market resembles an iterated prisoner's dilemma in which every nation has chosen to defect in order to keep its own access to spyware, exploits, and vulnerabilities.
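A defender can partly work around the gap described above by treating the KEV catalog as the first signal and not waiting for an NVD score on a CVE that is still awaiting analysis. The Python below is an added example, not code from this article, CISA or NIST. It assumes the field names of the public KEV JSON feed (vulnerabilities[].cveID, dateAdded, dueDate) and of the NVD 2.0 API (vulnerabilities[].cve.id, vulnStatus, metrics.cvssMetricV31[].cvssData.baseScore) as the editor understands them, and every CVE record in it is a constructed placeholder rather than a real vulnerability.

```python
"""Triage an inventory of CVEs against KEV and NVD analysis status.

Added example. Feed shapes are assumptions about the public CISA KEV
JSON and NVD 2.0 API formats; all records are constructed samples.
"""
import json
from datetime import date

# Constructed stand-in for the CISA KEV catalog (assumed field names).
KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2024-99901", "vendorProject": "ExampleVendor",
         "product": "Gateway", "dateAdded": "2024-11-04",
         "dueDate": "2024-11-25", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-99904", "vendorProject": "ExampleVendor",
         "product": "Messenger", "dateAdded": "2025-01-10",
         "dueDate": "2025-01-31", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed stand-in for an NVD 2.0 API response (assumed field names).
# Note CVE-2024-99904 is absent: KEV often lists a bug before NVD scores it.
NVD_FEED = json.dumps({
    "vulnerabilities": [
        {"cve": {"id": "CVE-2024-99901", "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]}}},
        {"cve": {"id": "CVE-2024-99902", "vulnStatus": "Awaiting Analysis",
                 "metrics": {}}},
        {"cve": {"id": "CVE-2024-99903", "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3}}]}}},
    ],
})

# Constructed asset inventory: CVEs a scanner reported on our estate.
INVENTORY = ["CVE-2024-99901", "CVE-2024-99902",
             "CVE-2024-99903", "CVE-2024-99904"]

# NVD statuses that mean "no NIST severity analysis yet" (the backlog).
UNSCORED = {"Received", "Awaiting Analysis", "Undergoing Analysis"}


def load_kev(raw):
    """Map cveID -> KEV record."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def load_nvd(raw):
    """Map CVE id -> {'status': vulnStatus, 'score': CVSS v3.1 base or None}."""
    out = {}
    for entry in json.loads(raw)["vulnerabilities"]:
        cve = entry["cve"]
        metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
        score = metrics[0]["cvssData"]["baseScore"] if metrics else None
        out[cve["id"]] = {"status": cve.get("vulnStatus"), "score": score}
    return out


def triage(inventory, kev, nvd, today):
    """Return (cve, priority, reason) tuples; KEV wins over any NVD score.

    today is an ISO date string, compared against the KEV remediation dueDate.
    """
    now = date.fromisoformat(today)
    results = []
    for cve in inventory:
        if cve in kev:  # exploited in the wild: act regardless of NVD state
            due = date.fromisoformat(kev[cve]["dueDate"])
            when = "overdue" if now > due else "due " + due.isoformat()
            results.append((cve, "P1", f"on KEV, exploited in the wild ({when})"))
            continue
        rec = nvd.get(cve)
        if rec is None or rec["status"] in UNSCORED:
            # Backlog case: no NIST score is coming soon, so assess it yourself.
            results.append((cve, "P2", "no NVD analysis yet; score it locally"))
        elif rec["score"] is not None and rec["score"] >= 9.0:
            results.append((cve, "P2", f"CVSS {rec['score']}, not (yet) on KEV"))
        else:
            results.append((cve, "P3", f"CVSS {rec['score']}, no known exploitation"))
    return results


def run_sample(today="2025-01-20"):
    """Triage the constructed inventory; returns {cve: (priority, reason)}."""
    rows = triage(INVENTORY, load_kev(KEV_FEED), load_nvd(NVD_FEED), today)
    return {cve: (prio, why) for cve, prio, why in rows}


if __name__ == "__main__":
    for cve, (prio, why) in run_sample().items():
        print(f"{prio}  {cve}  {why}")
```

The ordering is the point: a CVE on KEV is handled first even when NVD has not scored it (CVE-2024-99904 above), and a CVE stuck in "Awaiting Analysis" is escalated for local assessment rather than left to wait for a score that the backlog may not deliver for months.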

Reporting and analysis are fragmenting as others try to fill this gap. Wiz recently launched an online vulnerability database dedicated to critical cloud vulnerabilities. For emerging AI software, new reporting mechanisms have appeared to track the attack surface exposed by incidents and the novel risks that come with new capabilities. Spyware, likewise, has its own tracking: the CyberPeace Institute compiles reports on spyware's impact on civil society, and Freedom House has designed a framework for reporting spyware use. Evidently the current level of reporting and information sharing has not satisfied the demand for action, and these efforts can be read as progress in third-party vulnerability reporting and assessment. Still, reporting mechanisms are multiplying as fast as vulnerabilities, which underlines the need for some coordination. Central questions in security posture management include where vulnerability information comes from and what constitutes…

Fragmented reporting systems also make it harder to keep colleagues informed. Let's turn to building capacity.

Most of the measures proposed in The Pall Mall Process: Consultation on Good Practices Summary Report would do much to curb the spread of CCICs, with the possible exception of export controls. International collaboration is needed to set standards for the use and trade of risky technology. Defining responsible government use and procurement covers certain stages of the CCIC lifecycle; coordinated reporting covers most of the rest, not only the use and trade of spyware but also vulnerabilities, exploits, and incidents. Collaborative reporting lets defenders shut attackers out through secure information exchange. To stay ahead in the race to discover and exploit software vulnerabilities, defenders rely on coordinated disclosure to close holes before they are exploited. That requires thorough research and depends on a healthy market for coordinated disclosure, which draws research away from the murky world of CCICs. Tighter export controls could hamper this ethical red teaming, and with it responsible disclosure and proactive security, while the spyware market simply adapts by setting up new entities in other jurisdictions to skirt the rules. The Pall Mall Process should put more weight on cooperative initiatives, above all in reporting.

Better information sharing is crucial, and that is where capacity building comes in. Encouraging vendor-independent bug bounty programs that follow a coordinated disclosure process would create market conditions that pull research away from the grey market. Such initiatives must commit to working with organizations like HackerOne, Bugcrowd, and Trend Micro's Zero Day Initiative to get vulnerabilities fixed promptly; otherwise bugs get hoarded for later exploitation, or die with vendors that decline to ship meaningful fixes. Funding for vulnerability analysis programs is also needed to cope with the accelerating pace of discovery; this year in particular, defenders need AI tools to triage the bugs that AI is finding. Secure information sharing programs harden defenses before attacks happen, and more companies could follow Microsoft's Active Protections Program (MAPP) in sharing vulnerability and patch information with security partners. Coordinated vulnerability assessments could enrich these programs and give defenders the resources to stay ahead. Finally, standards and cooperation in incident reporting would strengthen defenses by giving deeper insight into the threat landscape.

Vulnerabilities are the genesis of every CCIC, so building capacity to disclose and analyze them strikes at the core of the problem. Better incident coordination matters too. Universal governance across borders and industries may be unattainable, but there are practical steps that promote secure information sharing. Regulation is harder than fostering secure collaborative research programs, and strengthening the cyber threat intelligence ecosystem lifts every defender.

Governance begins with visibility: you cannot govern what you cannot see. The policy that follows should put improving security first. Promoting coordinated vulnerability disclosure goes to the heart of the spyware problem, because vulnerabilities fuel the exploits that fuel spyware. The fix is to address the ecosystem rather than a single symptom, and to make ethical vulnerability disclosure the baseline norm. With discovery accelerating and current systems ever less able to keep pace, support for the structures that handle vulnerability and incident reporting, analysis, and sharing is urgently needed.
