In the 2015 film Spectre, James Bond takes on a shadowy organization offering sophisticated state-level espionage and surveillance services to the highest bidder – terrorist or tyrant.
Today, across cyberspace, we are seeing this happening in real life.
We know what irresponsible cyber behavior looks like, what its impacts are on our daily lives and the widespread disruption it can cause. From our banks to our electricity grid, from our defense to our hospitals, the online cyber world underpins every aspect of our society and economy. When it is attacked, it causes real damage to people’s lives and livelihoods.
There is no national security, and no economic security, without cyber security. It’s absolutely key to our prosperity and way of life. That’s why Prime Minister Keir Starmer has prioritized national security as a foundation for his Plan for Change. And it’s why the UK is focused on bringing together partners to meet these challenges head on and keep us all safe from these cyber threats.
In November 2024, we were proud to host the NATO Cyber Defence Conference, where Allies came together to discuss the importance of cyber security to our collective defense.
Cyberspace has no borders, and it is only by working with our international partners to uphold and strengthen the rule of law in cyberspace that we can ensure our security and ensure the perpetrators of malicious cyber activity are held to account.
With the Pall Mall Process, launched with our French partners, we are also bringing together states, industry and civil society to agree a way forward to tackle the proliferation and misuse of commercial spyware and other tools. These represent a new and emerging cyber threat.
This is a threat that has been featured on the big screen but that is fast becoming more fact than fiction.
A growing number of commercial entities, not always hiding in the shadows but selling their wares out in the open, offer their customers the chance to buy everything from individual holes in pieces of software to full-blown plug-and-play hacking services, including commercial spyware. This means that anyone – government, criminal, or non-state actor – can pay their way to advanced cyber intrusion capabilities.
Whilst there are clear and legitimate uses for many of these tools, if deployed responsibly, the rapid growth of this market has also been accompanied by an explosion in their misuse.
These unregulated products are already being used to target journalists and other civil society communities across the globe, violating human rights and undermining our free and open societies.
And because of the way these tools and services operate, it can be more difficult than ever to hold anyone accountable.
This is not just a problem for the UK. These vendors, their customers, and the victims of the misuse of their tools are found all over the world.
As domestic institutional oversight and safeguards have not kept pace with technological development, only a truly coordinated global approach can help us ensure this market functions in a more responsible way.
States have responsibility as customers of these tools and regulators of the market. But companies and individuals that operate in this space, such as vulnerability researchers, exploit brokers and software developers – and those investing in these areas – must share responsibility too. We must also recognize the vital role that threat researchers, such as those at Microsoft and other organizations, continue to play in helping to illuminate and track this threat.
Agreeing on the “rules of the road” across states, industry and civil society will be essential: what capabilities are so intrusive that access should be restricted and controlled, where irresponsible activity crosses a line, and how we can improve transparency to make it easier to understand the supply chains that underpin this all.
We also know that states must lead the charge. Through the Pall Mall Process, the UK and our partners are now working towards developing a Code of Practice for states operating in this market.
Action is urgently needed. The UK is committed to an inclusive, multi-stakeholder approach to address threats, identify weaknesses and promote responsible behavior in cyberspace. Because only then can we ensure our citizens, businesses and way of life continue to thrive.
Stephen Doughty MP is the UK Minister of State for Europe, North America, and Overseas Territories in the Foreign, Commonwealth & Development Office.