The Indo-Pacific Could Shape Control of the Growing Spyware Market
The market for commercial cyber intrusion capabilities (CCICs) is moving faster than the frameworks designed to govern it. What began as a niche ecosystem of surveillance vendors has evolved into a sprawling, fragmented industry. While CCICs have law enforcement and national security uses, they are also being misused, including by terrorist and criminal organizations. As both a major source of demand and an increasingly important production and transit hub, the Indo-Pacific is a key player influencing how this market evolves and is governed.
CCICs include products and services such as exploit and surveillance kits and a range of ‘as a service’ models. They are inherently dual-use, enabling legitimate security research and law enforcement as well as intrusive surveillance. This isn’t new, but the market’s structure has shifted.
The number of actors has expanded, with smaller firms and independent researchers contributing to exploit development and malware tooling. Capability production is no longer concentrated among a small group of firms able to build bespoke systems. Instead, new hubs in India are emerging, alongside established third-party suppliers in Malaysia and Singapore, positioning the region as an important node in global supply chains, brokerage and capability development. This diffusion is driven by growing demand and tighter regulation elsewhere, particularly in Europe.
Emerging technologies are accelerating proliferation. Advances in AI lower the cost of exploiting vulnerabilities, while online marketplaces make malicious tools easier to distribute. The distinction between state-grade spyware and criminal malware is blurring, expanding both the scale and accessibility of intrusion capabilities.
The risks are not confined to governments. Weak controls increase the likelihood that tools are leaked, repurposed or resold. Non-state actors are already taking advantage. Groups linked to Islamic State and transnational criminal networks such as Mexican cartels have demonstrated how commercially available tools can support surveillance. As the market grows, these dynamics will likely intensify.
Britain and France have launched a joint process, known as the Pall Mall Process, to establish rules for states and the software industry. It represents a serious attempt to impose structure on a rapidly evolving ecosystem. The 2025 Code of Practice for States sets out voluntary commitments across the development, export, procurement and use of CCICs. It encourages governments to establish rules for suppliers, clarify conditions for state use, strengthen oversight and provide remedies for victims. These measures are underpinned by principles of accountability, precision, oversight and transparency.
