International efforts to govern commercial cyber intrusion capabilities (CCICs) are not aligned with the structure of the spyware market, with 21 out of 31 high-risk vendors operating in jurisdictions outside existing frameworks, according to a study by the Economic Security Council of Ukraine (ESCU), “Spyware Bias: The Security Shortfall in Norms-Based Governance,” prepared in cooperation with the Trusted Tech Caucus at the Verkhovna Rada of Ukraine.
Although 27 states, including the United States, EU member states, the United Kingdom and Japan, have endorsed the Pall Mall Process, it engages only one major production hub — Italy. Participation remains concentrated among states already inclined toward restraint, while key supplier jurisdictions, including Russia, Israel and India, remain outside these frameworks.
At the same time, the CCIC market — projected to exceed $55 billion in 2025 — continues to expand, alongside documented cases of spyware use against journalists and civil society.
The full study is available in the attached file.
Authors:
Solomiia Vybranovska, Expert of the Economic Security Council of Ukraine (ESCU) — s.v@escu.ua
Dr. Ilona Khmeleva, Secretary of the Economic Security Council of Ukraine (ESCU) — khmeleva@escu.ua
