Concerted efforts to regulate cyber capabilities have borne little fruit, prompting policy makers to look to existing regulatory systems as a basis for action. Established export control systems are often viewed as providing one such mechanism for governing encryption and cyber capabilities. But these frameworks—rooted in post-Cold War arms control systems—may not be suited to the modern proliferation of cyber and encryption software and technologies, which grow more seamless, intangible and borderless by the day.
It is true that both advanced end-to-end encryption capabilities and advanced offensive cyber capacities could threaten national security if exported to foreign adversaries. However, there are also substantial threats that arise when these products are developed and used entirely domestically and exclusively by a country’s own nationals.
Presently, there is a limited toolkit of possible responses to lacunae concerning encryption and cyber regulation and well-established export controls are a natural starting point. But these systems should be viewed as only one, increasingly small, part of a sustainable regulatory framework for cyber capabilities. As one commentator put it, using export controls over cyber technologies is like “using an umbrella in a hurricane.”
The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (commonly referred to as the “Wassenaar Arrangement”) is one leading example of the possibilities of an export control approach. Broadly speaking, the Wassenaar Arrangement calls upon participating states to establish processes for governing export of a variety of products whose proliferation could threaten international peace and security. In December 2013, a Wassenaar Plenary Meeting agreed to accept French and U.K. proposals to extend Wassenaar’s control list to include “intrusion software” and “IP network communications surveillance systems,” as well as related software, systems, equipment and components.
However, by design, the Wassenaar Arrangement is not directly binding and offers participating states broad discretion regarding implementation. While the 2013 amendment became law in the EU last year, the implementation in the U.S. has faced significant hurdles and industry-push-back. Notably, Israel—which is not a formal member of the Wassenaar Arrangement—has legislation which adopts all Wassenaar controls automatically, without any form of domestic implementation. The 2013, amendments caught Israeli regulators by surprise and immediately became binding law, applicable to all Israeli software and technology exporters whose products aligned with the new Wassennar categories.
Earlier this year, Israel’s export control authority within the Israeli Ministry of Defense (MOD) released a proposed regulation elucidating its intention to not only continue enforcing the 2013 Wassenaar changes, but to also add several broad categories to the “intrusion software” language, for the purpose of establishing a broad export control regulatory framework for cyber products. The MOD has published the proposal and corresponding explanatory notes and issued a call for public comments. [The deadline for interested parties to comment to firstname.lastname@example.org is 4:00 pm, March 3, 2016.] In essence, the proposed regulation embeds MOD language into the Wassenaar definition of “intrusion software,” and related “software” and “systems, equipment and components.”
According to the MOD, the proposed regulation seeks to balance Israel’s national security needs with the country’s strategic economic interests in preserving a flourishing cyber industry. But in striking this balance, the MOD has elected to go beyond Wassenaar’s narrow control of cyber-related exports. For example, the Wassenaar arrangement focuses on software and ancillary equipment required for the development of “intrusion software,” but it does not seek to control products or devices upon which such software is running or stored. The logic for this, as discussed at the Wassenaar Plenary Meeting in 2013, was to avoid asserting control over an untold number of products passively infected by “intrusion software.” By contrast, the MOD proposed language casts a broader net, which ostensibly would apply to all devices contaminated by “intrusion software.”
Furthermore, the MOD expands the definition of “intrusion software” to include certain products capable of causing disruptions to systems’ functionality or any form of physical system damage. The regulation also proposes new categories of control related to computer vulnerabilities (exploits), hacking simulation tools, cyber products related to military defense and espionage, as well as devices for conducting advanced digital forensics.
Israel’s activist proposal is drastically more expansive than the 2015 E.U. implementation of Wassenaar’s “intrusion software” language and is in stark contrast to the U.S. resistance to the language. The Israeli proposal raises the question of whether traditional export control systems offer an appropriate environment for governing cyber security. And the likely answer is that, while export control may be one useful component of an effective regulatory system, it cannot replace a holistic approach that contends with challenges of intangible, indiscernible products and that also addresses internal, home-grown cyber threats.
For readers’ convenience, the original Wassenaar language is provided below, with the author’s unofficial English translations of the MOD’s proposals embedded in-line, in bold text.
Israeli MOD Cyber-Proposal "Intrusion software”
"Software" specially designed or modified to avoid detection by 'monitoring tools', or to defeat 'protective countermeasures', of a computer or network-capable device, and performing any of the following:
- The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or
- The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions; or
- The disruption of functional capacity of the system or the causing of physical damages to a system.
- "Intrusion software" does not include any of the following: a. Hypervisors, debuggers or Software Reverse Engineering (SRE) tools; b. Digital Rights Management (DRM) "software"; or c. "Software" designed to be installed by manufacturers, administrators or users, for the purposes of asset tracking or recovery.
- Network-capable devices include mobile devices and smart meters.
- ‘Monitoring tools': "software" or hardware devices, that monitor system behaviours or processes running on a device. This includes antivirus (AV) products, end point security products, Personal Security Products (PSP), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) or firewalls
- 'Protective countermeasures': techniques designed to ensure the safe execution of code, such as Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) or sandboxing.
“Exploits” – Lack of completeness in code or in a protocol that may be utilized for causing harm to a system or software.
“Digital Forensics” – Obtaining, analyzing, or reconstructing data through a physical interface with computer equipment or storage such as computers, cellular telephone devices, hard disks, satellite navigations devices, USB components, smart cards and SIM cards.
“Static Data” – Data stored on a hard disk or other storage equipment that does not require an electrical current source for saving the data.
“Dynamic Data” – Data stored on equipment, requiring electrical currents sources for the purpose of saving the data.
Systems, equipment and components
- “Intrusion software” and systems containing Intrusion Software.
- Systems, equipment, and components therefor, specially designed or modified for the generation, operation or delivery (contamination) of, or communication with, "intrusion software", including systems, equipment and components specially designed or modified to simulate use of, operation of or communication with “intrusion software” against another, but excluding the provision of services to test system strength against attacks (PT).
- Systems, equipment and components specially designed or modified for the protection of strategic defensive systems or for the protection of combat equipment from “intrusion software”.
- Systems, equipment and components specially designed or modified for defense or monitoring of national-level communication lines.
- Equipment, components and software for conducting “digital forensics” or simulations of “digital forensics”, that was:
- Specially designed to conduct or to utilize techniques for the prevention of the potential to change data, for the purpose of copying the data in its entirety; or
- Specially designed to conduct data analysis, for the purpose of:
- Restoring “static data” created by the system or user;
- Identification or analysis of “dynamic data” created by the system or user.
- Software" specially designed or modified for the generation, operation or delivery (contamination) of, or communication with, "intrusion software", including software specially designed or modified to simulate use of, operation of or communication with “intrusion software” against another, but excluding the provision of services to test system strength against attacks (PT)
- Software specially designed or modified for the protection of strategic defensive systems or for the protection of combat equipment from “intrusion software”.
- Software and components specially designed or modified for defense or monitoring of national-level communication lines.
Technology and Knowhow
- "Technology" for the "development" of "intrusion software".
- “Exploits”, to the exclusion of any of the following:
- “Exploits” exclusively transferred to the one that developed the code or protocol, or to someone on their behalf;
- “Exploits” in the “public domain”;
- “Exploits” intended exclusively for defensive products, generated in a company in possession of the “exploit” or company. In this section, “company” – including a company that is a subsidiary or that has a subsidiary as defined in the Securities Law, 5728-1968.
- Systems or software specially designed or modified for the purpose of automatically locating exploits, for the purpose of using them as “intrusion software” against another.