- August 25, 2015
- Suggested Reading
The Hacking Team data leak shed light on the business of Zero-Days and intrusion software, notably in countries such as Ethiopia, Sudan, Russia or Kazakhstan. In numerous press declarations, the Hacking Team CEO argues that his company respects international law, and notably the Wassenaar Arrangement, triggering numerous debates on the topic. This info note describes the latter arrangement and its relation to cybersecurity.
What is the Wassenaar Arrangement?
The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is an export control framework created in 1996 and adopted by 41 countries, regulating the export of technologies which can be used both for peaceful and military purposes.
Although it has a full-time secretariat in Vienna, it is only an arrangement and, as such, it is not legally binding. The purpose of the Arrangement is two-fold: to invite participants to transpose the arrangement into national law, and to have them disclose to other members the export of specific technologies to non-Wassenaar countries.
How does it relate to cybersecurity?
Amongst the nine categories in this list of restricted technologies, which range from lasers to nuclear power generation, several relate to information security. Categories 4 and 5 relate respectively to computers and telecommunications. In 2013, Intrusion Software was added to the former and IP Network Surveillance Systems to the latter. The concern that these new provisions in the Wassenaar Arrangement attempt to address is the acquisition of such technologies by non-Wassenaar governments in order to engage in mass surveillance of their citizens.
What are the challenges?
First of all, the claim that export control for these technologies is needed presupposes that Wassenaar countries have been "scrupulous" in deploying surveillance technologies; the Snowden revelations weakened this standpoint and the Arrangement itself.
Second, the broad definitions of Intrusion Software and IP Network Surveillance Systems in the transposition proposed by the US Department of Commerce in May 2015 generated much concern in the American industry. This led the Department to announce on 29 July that it would revise the proposed regulation. The main arguments were, on one side, that it would result in increased bureaucracy, as it introduced a provision obliging companies to share their products' code with the NSA prior to obtaining the export licence, which Google estimated would lead to tens of thousands of requests. Combined with severe penalties in case of wrongdoing, i.e. fines of up to $1 million and 20 years of jail time, experts warned that the transposition of the new Wassenaar provisions would negatively impact the cybersecurity industry, and most particularly SMEs and individual experts, starting with those in the business of vulnerability research and penetration testing.
Finally, the Wassenaar Arrangement came under the spotlight following the Hacking Team data leak, as several parties highlighted its inefficiency in preventing the company from selling to non-Wassenaar countries despite the EU adopting the new provisions in January 2015. Indeed, tracking code is much more difficult than tracking nuclear centrifuges. Nevertheless, intrusion software generally requires extensive training; in this regard, passenger records or visa requests can help governments enforce export control legislation.
Finding the right balance between regulating and promoting the development of security research, and between ensuring national security and protecting human rights, is a difficult but ongoing process. The next Wassenaar Arrangement meeting in December 2015 will certainly be the theatre of many negotiations.
About “Suggested Reading” from ENISA
With the “Suggested Reading” series, ENISA aims to give the interested reader guidance on controversial and inscrutable NIS-related discussions carried out in the media, by suggesting selected pre-reviewed articles that in our view explain the issue at hand and related circumstances in a reasonable and understandable manner. This view is derived from past experience and common sense; in no way should “Suggested Reading” be understood as a recommended course of action in a specific incident or investigation, or as a final conclusion. Feel free to get in touch with ENISA to discuss or request more information about the “Suggested Reading” series (firstname.lastname@example.org).