Industry, government, nonprofits weigh voluntary rules for commercial hacking tools | CyberScoop<\/title> <meta name=\"description\" content=\"An international effort to create voluntary standards for the commercial cyber intrusion industry is wrestling with questions like who they should apply to, how to incentivize and measure compliance and what to do with companies with a checkered past.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/industry-government-nonprofits-weigh-voluntary-rules-for-commercial-hacking-tools\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Industry, government, nonprofits weigh voluntary rules for commercial hacking tools\"> <meta property=\"og:description\" content=\"An international effort to create voluntary standards for the commercial cyber intrusion industry is wrestling with questions like who they should apply to, how to incentivize and measure compliance and what to do with companies with a checkered past.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/industry-government-nonprofits-weigh-voluntary-rules-for-commercial-hacking-tools\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2026-01-26T14:11:22+00:00\"> <meta property=\"article:modified_time\" content=\"2026-01-26T14:11:25+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/industry-government-nonprofits-weigh-voluntary-rules-for-commercial-hacking-tools-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Tim Starks\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@timstarks\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1765909325g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1767719924g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1767808656g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/87536\"><meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=87536\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Findustry-government-nonprofits-weigh-voluntary-rules-for-commercial-hacking-tools%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Findustry-government-nonprofits-weigh-voluntary-rules-for-commercial-hacking-tools%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-87536 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/industry-government-nonprofits-weigh-voluntary-rules-for-commercial-hacking-tools\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.457175925926\">\n<div class=\"single-article__header-content\" readability=\"34.492610837438\">\n<p> The weekend discussion about the next step of the Pall Mall Process revealed some of the topics rules-writers will have to weigh. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/87536\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/industry-government-nonprofits-weigh-voluntary-rules-for-commercial-hacking-tools.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/industry-government-nonprofits-weigh-voluntary-rules-for-commercial-hacking-tools-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/industry-government-nonprofits-weigh-voluntary-rules-for-commercial-hacking-tools-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/industry-government-nonprofits-weigh-voluntary-rules-for-commercial-hacking-tools-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/industry-government-nonprofits-weigh-voluntary-rules-for-commercial-hacking-tools-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/industry-government-nonprofits-weigh-voluntary-rules-for-commercial-hacking-tools-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/industry-government-nonprofits-weigh-voluntary-rules-for-commercial-hacking-tools-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/industry-government-nonprofits-weigh-voluntary-rules-for-commercial-hacking-tools-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/industry-government-nonprofits-weigh-voluntary-rules-for-commercial-hacking-tools-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/industry-government-nonprofits-weigh-voluntary-rules-for-commercial-hacking-tools-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/industry-government-nonprofits-weigh-voluntary-rules-for-commercial-hacking-tools-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> Curly_photo, Getty Images <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"36.817269076305\"><body readability=\"74.936333699232\"><\/p>\n<p>An international effort to create voluntary standards for the commercial cyber intrusion industry is wrestling with questions like who they should apply to, how to incentivize and measure compliance and what to do with companies with a checkered past.<\/p>\n<p><a href=\"https:\/\/cyberscoop.com\/pall-mall-process-global-cybersecurity-code-conduct-commercial-hacking-tools\/\">The first round<\/a> of the Pall Mall Process focused on a code of conduct for government use of commercial hacking tools. This year, participants are turning their attention to industry guidelines. At the DistrictCon conference in Washington D.C. Saturday, representatives from the government, industry and civil society organizations weighed some of the factors that will go into deciding those voluntary rules.<\/p>\n<p>The discussion under Chatham House rules that forbids disclosure of the identity of the participants comes as nations look <a href=\"https:\/\/cyberscoop.com\/house-dems-seek-info-about-ice-spyware-contract-wary-of-potential-abuses\/\">to use<\/a> or <a href=\"https:\/\/techcrunch.com\/2026\/01\/22\/ireland-proposes-new-law-allowing-police-to-use-spyware\/\">regulate spyware<\/a> or both, and as the Trump administration and Congress are considering <a href=\"https:\/\/cyberscoop.com\/us-offensive-cyber-operations-defense-cisa-workforce-house-homeland-security-committee\/\">a broader role<\/a> for the private sector in stepping up cyber offense.<\/p>\n<p>A foreign government representative at the event said the goal of the Pall Mall Process isn\u2019t to eliminate commercial intrusion products that can help in legitimate pursuits like law enforcement, but to establish rules of the road for their responsible government use and purchase from responsible vendors.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cWe do want that marketplace,\u201d they said. \u201cIt\u2019s not about trying to stop it.\u201d<\/p>\n<p>The scope of the industry guidelines was a big question for Saturday\u2019s discussion. It included debates and speculation about who the rules would apply to: Would the rules include things like reconnaissance tools, and how would they draw the line between academic research and illegitimate goals?<\/p>\n<p>Some participants were more focused on the incentives and disincentives for participation. It\u2019s possible some vendors would reject the voluntary rules if they turned into nettlesome barriers to selling products to governments, some said.<\/p>\n<p>\u201cRight now I haven\u2019t heard anything that makes me want to do any of this,\u201d one said.<\/p>\n<p>A different participant argued that while the rules could mean vendors might find it more profitable to do business with nations that don\u2019t adhere to the guidelines, the upside is that they can stay in their field of work and make money without contributing to the persecution or even deaths of victims of their technology.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Another participant said streamlining the procurement process across governments could make the code of conduct more inviting, if it would allow vendors to do business with multiple nations simultaneously.<\/p>\n<p>Another topic was how to handle companies that have been shady in the past, if they want to enlist with the code of conduct going forward. As the foreign government representative noted, the question is how to avoid the rules being used to \u201claunder irresponsible behavior.\u201d<\/p>\n<p>One participant added for clear punishment for those who show disregard for the rules after subscribing to them. Another said that the rules shouldn\u2019t have too high of a barrier, and they \u201ccan\u2019t be punitive,\u201d so as to invite those who misbehave back into the fold to steer them on a better path.<\/p>\n<p>The standards could also address what kind of guidelines vendors should follow about keeping up with their customers and knowing whether they\u2019re fostering abuse, and whether companies should have \u201cresponsibility for a kill switch,\u201d as the foreign government representative phrased it.<\/p>\n<p>While the rules wouldn\u2019t be binding, they still could be used by governments to shun companies that don\u2019t subscribe to them and do what they can to discourage others from buying from them, the foreign government representative said.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\">\n<div class=\"author-card\" readability=\"7.7216117216117\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/industry-government-nonprofits-weigh-voluntary-rules-for-commercial-hacking-tools-1.jpg?w=640&ssl=1\" alt=\"Tim Starks\"> <\/figure>\n<\/p><\/div>\n<div class=\"author-card__details\" readability=\"10.901098901099\">\n<h4 class=\"author-card__name\">Written by Tim Starks<\/h4>\n<p> Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he’s covered cybersecurity since 2003. Email Tim here: <a href=\"mailto:tim.starks@cyberscoop.com\">tim.starks@cyberscoop.com<\/a>. <\/div>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/industry-government-nonprofits-weigh-voluntary-rules-for-commercial-hacking-tools\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Industry, government, nonprofits weigh voluntary rules for commercial hacking tools<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4885,3741,302,4075,268,482],"tags":[4890,3747,306,4083,274,484],"class_list":["post-8296","post","type-post","status-publish","format-standard","hentry","category-cyber-offense","category-districtcon","category-geopolitics","category-pall-mall-process","category-privacy","category-spyware","tag-cyber-offense","tag-districtcon","tag-geopolitics","tag-pall-mall-process","tag-privacy","tag-spyware"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cyber-offense\/\" rel=\"category tag\">cyber offense<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/districtcon\/\" rel=\"category tag\">DistrictCon<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/geopolitics\/\" rel=\"category tag\">Geopolitics<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/pall-mall-process\/\" rel=\"category tag\">Pall Mall Process<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/privacy\/\" rel=\"category tag\">Privacy<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/spyware\/\" rel=\"category tag\">spyware<\/a>","tag_info":"spyware","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8296","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8296"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8296\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8296"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8296"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8296"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8296,"date":"2026-01-26T08:11:22","date_gmt":"2026-01-26T14:11:22","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=87536"},"modified":"2026-01-26T08:11:22","modified_gmt":"2026-01-26T14:11:22","slug":"industry-government-nonprofits-weigh-voluntary-rules-for-commercial-hacking-tools","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/01\/26\/industry-government-nonprofits-weigh-voluntary-rules-for-commercial-hacking-tools\/","title":{"rendered":"Industry, government, nonprofits weigh voluntary rules for commercial hacking tools"},"content":{"rendered":"