National Cyber Warfare Foundation (NCWF)

Industry, government, nonprofits weigh voluntary rules for commercial hacking tools


2026-01-26 14:20:20
milo
Cybersecurity Business , Attacks , Policy / Governance , Breach

The weekend discussion about the next step of the Pall Mall Process revealed some of the topics rules-writers will have to weigh.


The post Industry, government, nonprofits weigh voluntary rules for commercial hacking tools appeared first on CyberScoop.



An international effort to create voluntary standards for the commercial cyber intrusion industry is wrestling with questions like who they should apply to, how to incentivize and measure compliance and what to do with companies with a checkered past.





The first round of the Pall Mall Process focused on a code of conduct for government use of commercial hacking tools. This year, participants are turning their attention to industry guidelines. At the DistrictCon conference in Washington, D.C., on Saturday, representatives from government, industry and civil society organizations weighed some of the factors that will go into deciding those voluntary rules.





The discussion, held under Chatham House rules that forbid disclosure of the identity of the participants, comes as nations look to use or regulate spyware, or both, and as the Trump administration and Congress are considering a broader role for the private sector in stepping up cyber offense.





A foreign government representative at the event said the goal of the Pall Mall Process isn’t to eliminate commercial intrusion products that can help in legitimate pursuits like law enforcement, but to establish rules of the road for their responsible government use and purchase from responsible vendors.





“We do want that marketplace,” they said. “It’s not about trying to stop it.”





The scope of the industry guidelines was a big question for Saturday’s discussion. It included debates and speculation about who the rules would apply to: Would the rules include things like reconnaissance tools, and how would they draw the line between academic research and illegitimate goals?





Some participants were more focused on the incentives and disincentives for participation. It’s possible some vendors would reject the voluntary rules if they turned into nettlesome barriers to selling products to governments, some said.





“Right now I haven’t heard anything that makes me want to do any of this,” one said.





A different participant argued that while the rules could mean vendors might find it more profitable to do business with nations that don’t adhere to the guidelines, the upside is that they can stay in their field of work and make money without contributing to the persecution or even deaths of victims of their technology.





Another participant said streamlining the procurement process across governments could make the code of conduct more inviting, if it would allow vendors to do business with multiple nations simultaneously.





Another topic was how to handle companies that have been shady in the past, if they want to enlist with the code of conduct going forward. As the foreign government representative noted, the question is how to avoid the rules being used to “launder irresponsible behavior.”





One participant advocated for clear punishment for those who show disregard for the rules after subscribing to them. Another said that the rules shouldn’t have too high of a barrier, and they “can’t be punitive,” so as to invite those who misbehave back into the fold to steer them on a better path.





The standards could also address what kind of guidelines vendors should follow about keeping up with their customers and knowing whether they’re fostering abuse, and whether companies should have “responsibility for a kill switch,” as the foreign government representative phrased it.





While the rules wouldn’t be binding, they still could be used by governments to shun companies that don’t subscribe to them and do what they can to discourage others from buying from them, the foreign government representative said.





Source: CyberScoop
Source Link: https://cyberscoop.com/industry-government-nonprofits-weigh-voluntary-rules-for-commercial-hacking-tools/

