
The market for commercial cyber intrusion capabilities (CCICs) is moving faster than the frameworks designed to govern it. What began as a niche ecosystem of surveillance vendors has evolved into a sprawling, fragmented industry. While CCICs have law enforcement and national security uses, they are also being misused, including by terrorist and criminal organisations. As both a major source of demand and an increasingly important production and transit hub, the Indo-Pacific is a key player influencing how this market evolves and is governed.
CCICs include products and services such as exploit and surveillance kits and a range of ‘as a service’ models. They are inherently dual-use, enabling legitimate security research and law enforcement as well as intrusive surveillance. This isn’t new, but the market’s structure has shifted.
The number of actors has expanded, with smaller firms and independent researchers contributing to exploit development and malware tooling. Capability production is no longer concentrated among a small group of firms able to build bespoke systems. Instead, new hubs in India are emerging, alongside established third-party suppliers in Malaysia and Singapore, positioning the region as an important node in global supply chains, brokerage and capability development. This diffusion is driven by growing demand and tighter regulation elsewhere, particularly in Europe.
Emerging technologies are accelerating proliferation. Advances in AI lower the cost of exploiting vulnerabilities, while online marketplaces make malicious tools easier to distribute. The distinction between state-grade spyware and criminal malware is blurring, expanding both the scale and accessibility of intrusion capabilities.
The risks are not confined to governments. Weak controls increase the likelihood that tools are leaked, repurposed or resold. Non-state actors are already taking advantage. Groups linked to Islamic State and transnational criminal networks such as Mexican cartels have demonstrated how commercially available tools can support surveillance. As the market grows, these dynamics will likely intensify.
Britain and France have launched a joint process to establish rules for states and the software industry, known as the Pall Mall Process, representing a serious attempt to impose structure on a rapidly evolving ecosystem. The 2025 Code of Practice for States sets out voluntary commitments across the development, export, procurement and use of CCICs. It encourages governments to establish rules for suppliers, clarify conditions for state use, strengthen oversight and provide remedies for victims. These measures are underpinned by principles of accountability, precision, oversight and transparency.
The process brings together governments, industry and civil society to address a cross-cutting problem. Unlike limited export controls regimes or overly broad UN processes, the Pall Mall Process creates a focal point for CCIC governance across security and human rights concerns.
But the code’s limitations are equally clear. It’s non-binding, with no formal enforcement or monitoring mechanisms. Much of the scrutiny of implementation is carried out by civil-society organisations on an ad hoc basis. The code also relies heavily on responsible use – an expectation that developers, providers and users follow ethical rules, safety standards and applicable legal regimes. While the code references international human-rights law, interpretations of what constitutes legitimate use of CCICs vary significantly across jurisdictions in ways that could affect digital rights.
Participation is another challenge. Many countries in South and Southeast Asia, where demand is growing, aren’t yet part of the process. Reasons vary, but a contributing factor is that the issue hasn’t been fully contextualised regionally.
There are early signs of progress. Discussions are reportedly underway to establish working groups focused on implementation, threat research and impact assessment. The next phase of the process is turning to industry and developing guidelines on due diligence, vendor vetting and redress mechanisms, expected to culminate in a set of industry guidelines in 2026.
Whether these efforts succeed will depend on how they engage with the realities of the Indo-Pacific, given the geopolitical significance of the region and growing CCIC demand.
First, policy should engage directly with market dynamics. This includes understanding newer vendors, informal supply chains and emerging production hubs that sit outside traditional regulatory centres. Governance efforts should take non-state proliferation seriously. This means strengthening end-use monitoring, integrating spyware controls into counter-cybercrime strategies and recognising that the boundary between state and criminal use is increasingly porous.
Second, capacity-building should move beyond high-level commitments. Governments need practical tools such as procurement standards, licensing frameworks and technical expertise to assess and manage risk. Independent oversight bodies should also monitor CCIC use.
Third, spyware governance needs regional ownership. External frameworks will have limited traction unless they are championed by local actors who can translate global principles into regional priorities and domestic practice. Identifying and supporting such partners should be a priority.
The Indo-Pacific is at once a demand centre, a production hub and a regulatory frontier, so outcomes there will determine whether global efforts can constrain spyware proliferation. Without stronger, locally grounded approaches, the spread of CCICs will continue to accelerate.