Principles for state approaches to commercial cyber intrusion capabilities

The rapid growth of markets in which cyber intrusion capabilities can be bought and sold as products and services by states, companies and criminals raises thorny policy challenges that are not adequately addressed by existing concepts of legitimate and illegitimate use. This paper explores these challenges, and puts forward a set of principles to help governments and wider society navigate commercial markets for cyber intrusion.

Important policy interventions have been made over the past decade to counter the misuse of commercial cyber intrusion capabilities. These focus variously on governments, companies and individuals, but have been initiated by a relatively narrow group of like-minded actors. The principles recommended in this paper, underpinned by a fresh distinction between ‘permissioned’ and ‘unpermissioned’ intrusion, are intended to promote greater coherence and consistency of approaches, and to widen the scope for consensus.