The Trump administration is "noticeably absent" from this year's Pall Mall conference in France, where 21 nations signed a pact vowing responsible government use of spyware, surveillance, and other commercially available cyber intrusion tools.
Hosted by France and the UK, the second annual Pall Mall conference was held at the Ministry for Europe and Foreign Affairs in Paris on April 3rd and 4th, and attended by at least 45 nations.
The gathering marks a continuation of the 2024 Pall Mall Process, an international initiative aimed at addressing the threats posed by the proliferation and irresponsible use of commercial cyber intrusion capabilities. (CCICs).
Bringing together a “broad community of representatives from governments, the private sector and civil society,” this year’s agenda centered around the Pall Mall Process “Code of Practice.”
"The 2nd Pall Mall Process Conference concludes today with the publication of a groundbreaking code of practice, supported to date by 21 states, aimed at addressing the challenges posed by the proliferation and irresponsible use of cyber intrusion capabilities," the French Ministry posted on X.
#Cybersécurité | La 2e conférence du processus de Pall Mall 🇫🇷 🇬🇧 s’achève aujourd’hui avec la publication d’un code de bonnes pratiques inédit soutenu à ce jour par 21 États, visant à faire face aux défis posés par la prolifération et l’usage irresponsable des capacités… pic.twitter.com/PEOdEmFJCV
undefined France Diplomatie 🇫🇷🇪🇺 (@francediplo) April 4, 2025
CCICs best practices
Signed by France, the UK, Japan, and 18 other EU member states, the Code of Practice is a voluntary non-binding agreement establishing “best practices” among governments in relation to the development, facilitation, purchase, transfer, and use of commercial cyber intrusion tools and services.
Katharina Sommer, head of Public Affairs at cybersecurity consultancy, NCC Group, attended this year's conference, and said “the Code is a huge step in the right direction.”
While not legally binding, Sommer explains that the Code “creates a sense of momentum and offers a framework allowing states to have internal conversations and consider their national implementation.”
“The states that signed the Code have likely seriously considered ways of implementing (at least some of) the different provisions. This is positive momentum,” she said.
Not just spyware and surveillance tools, CCICs can include "hackers for hire,” hacking-as-a-service, and zero-day exploit marketplaces.
Besides nation-state threat actors and corporate espionage, these tools and services in the wrong hands (and rogue governments) can and have been used against journalists, human rights activists, political dissidents and opponents, and foreign government officials.
According to the UK’s National Cyber Security Centre, over the last ten years, at least 80 countries have purchased commercial cyber intrusion software, or spyware.
Thanks to @francediplo 🇫🇷 for hosting a lively & productive 2nd conference of the Pall Mall Process, bringing together states, industry and civil society to tackle the proliferation and irresponsible use of commercial cyber intrusion capabilitieshttps://t.co/nqDogdn6FQ pic.twitter.com/LFawzUHUGR
undefined LondonCyber (@LondonCyber) April 4, 2025
Upcoming challenges
Sommer pointed out that "the challenge is reaching beyond the ‘usual suspects’, and encouraging the active participation of those ‘middle ground’ states (and other stakeholders) who might not naturally be considered ‘definitively responsible actors’.
Increasing the number of states that sign onto the Code will be paramount over the coming months, she said, especially in the lead-up to national elections taking place in the Five Eyes countries, which include the UK, Canada, Australia, New Zealand, and the US, who did not attend this year's conference.
“It should be noted (and in fact will not have gone unnoticed) that the United States have not signed up to the Code,” said Sommers.
Sommers believes the absence of the Trump administration further underscores the potential fragmentation of “the world order as we knew it,” and highlights “the US withdrawal from multilateral initiatives, to act in national interest.”
Drawing on the four pillars of the Code – accountability, precision, oversight, and transparency – the UK’s Ministry of Foreign Affairs says Friday's signing represents "a significant step forward towards the implementation of the United Nations framework on responsible State behaviour in cyberspace."
“It allows engagement, and input from across the ecosystem, and is likely to enhance the shared understanding of the threats, risks and challenges, and form relationships that will hopefully lead to practicable and implementable outputs, broad(er) buy-in, and more effective accountability,” Sommers added.
Your email address will not be published. Required fields are markedmarked