Acting Responsibly in Cyberspace: Lessons from the Defence Industry
Those facing the challenge of integrating cyberspace activity into civil society can learn from more mature industries, with the defence sector setting a good example.
On 3-4 April, representatives from states, companies and civil society groups gathered in Paris for the second meeting of the Pall Mall Process, an initiative launched by the French and UK governments to ‘address the proliferation and irresponsible use of commercial cyber intrusion tools and services.’ The meeting resulted in a voluntary and non-binding Code of Practice for state action.
This conversation around responsible behaviour in cybersecurity is timely given the sector’s evolution over the past few years. The cyber sector has grown rapidly since the 1990s, comprising a myriad of small and medium sized businesses and a rising demand for digital services. Primarily focused on cybersecurity (including antivirus software and firewalls), it has evolved with technological advances to also include intrusive and offensive cyber capabilities. These tools have allowed states to enhance their knowledge about the global threat landscape while supporting foreign policy and national security interests.
One key driver of the conversation on offensive and intrusive cyber capabilities is their interplay with the defence industry, which has historically dealt with dual-use technologies. With the defence sector increasingly providing cyber services and the cyber sector engaging more in defence, the strong parallels in the marketplace offer an opportunity to reflect on how applying lessons from the defence industry to cyber may help drive the conversation on responsibility and accountability in cyberspace.
The authors’ latest report, Lessons from the Defence industry: Responsible cyber behaviour, from BAE Systems and written as part of RUSI’s Global Partnership on Responsible Cyber Behaviour, outlines how the mechanisms that have defined responsible behaviour in the defence sector can support the responsible production and sale of cyber capabilities.
Applying Experience from the Defence Sector
Defence primes have historically had to deal with and reflect on many questions concerning the responsible and irresponsible use of military capabilities, embedded into international humanitarian and human rights laws, treaties and conventions.
Central to compliance with these internationally recognised codes of conduct is the need to minimise harm to civilians and civilian property, as well as the importance of necessity and proportionality in the use of technologies and military capabilities. As a result, the defence industry is bound by strong regulation across international and national jurisdictions – such as the Geneva Conventions and UN Resolutions – as well as defined parameters for meeting government requirements and strong penalties.
In terms of lessons that the cyber industry can learn from defence, a prominent point that emerged through engagement from interviewees for this paper is the effective use of export control regimes. As one of the most important legal tools to enforce corporate responsibility over the development and distribution of military capabilities, we found parallels that can be drawn upon for the cyber sector. Export control highlights the need for strong regulation that enforces accountability on contractors, with a key understanding of the potential misuse of capabilities. However, given that the cyber domain is still undergoing significant technological advancement, the export control model in cyber will have to operate differently to try and reflect that pace of change.
A further lesson is the importance of collaboration between government, industry and academia. The defence industry has benefited from a wide range of discourse across a multi-stakeholder landscape to build strong codes of conduct and ethical considerations. Recognising the efforts of the Pall Mall Process, this paper also supports the need for strong collaboration in determining responsible behaviour in cyber, particularly in shaping good practice and shared knowledge to build resilience.
Finally, the enforcement mechanisms embedded in defence industry compliance offer a lesson for cyber. The use of penalties – including fines, sanctions and consent agreements – has increased commercial understanding of what counts as irresponsible conduct and of the risks it carries, while providing a deterrent effect. Strong penalties within the defence industry are also tied to the need for corporate transparency in the sale and use of military capabilities. This can help firms understand and reinforce commercial norms, creating distinct parameters for cyber on what constitutes irresponsible corporate practice or conduct.
These mechanisms can promote responsible behaviour across the cyber landscape, in turn creating greater synergies between cyber and defence and codifying concepts into positive business practices.
Responsible Behaviour in Practice
Our research has found that defining responsible behaviour in business policies is not common to all cyber firms, despite increasing legislation outlining baseline requirements for service provision, such as the upcoming Cyber Security and Resilience Bill. Transforming responsible cyber behaviour into corporate best practice requires further action, and our engagement with industry experts for this report shows that there are at least three factors that can be used to help drive best practice:
- Training and awareness: Corporate training should define acceptable behaviour for all staff, be scenario-based so that it reflects real-world change, be mandatory for all employees, and be conducted, exercised and practised regularly to build a responsible culture.
- Pro-active and dynamic collaboration: Open dialogue and regular knowledge sharing across industry with trade bodies, government and international partners helps to strengthen understanding and build common standards, while allowing more experienced firms to help younger and smaller firms ensure they behave responsibly.
- Provision of internal and external reporting mechanisms: Organisations should enable staff to blow the whistle on irresponsible behaviour by providing accessible, confidential channels for raising ethical and business conduct concerns. Similarly, simple self-referral mechanisms should be available for reporting irresponsible behaviour to regulators.
Ultimately, while progress is being made as the interaction between the defence and cyber industries continues to increase, there is still a long way to go on this journey. Current geopolitical tensions are certainly adding to the complexity, which is why it is so important to draw on other, more experienced industries in pursuit of a cyber industry with a commitment to responsible behaviour at its core. Learning from each other will be critical to ensuring that responsible cyber behaviour is not just an international commitment, but an effective and applicable intra-organisational practice.
© Maria Aldea, David Edmunds and Darcey Page, 2025, published by RUSI with permission of the authors.
The views expressed in this Commentary are the authors', and do not represent those of RUSI or any other institution.
WRITTEN BY
Maria Aldea
Guest Contributor
David Edmunds
Guest Contributor
Darcey Page
Guest Contributor