On July 5, 2015, the Italy-based company Hacking Team, which sells technologies designed to access computer networks and collect data, was hacked. The intruders not only changed the firm’s Twitter account to “Hacked Team” but exposed some 400 gigabytes of proprietary data to the public. Subsequent media analysis shed light on Hacking Team’s client relationships with security agencies in over 20 countries, including some with dubious human rights records such as Sudan and Uzbekistan.
Yet, governments do not exclusively use technologies sold by Hacking Team and similar companies within their own borders. A federal court in Washington is currently weighing a lawsuit alleging that the Ethiopian government remotely spied on a U.S. citizen in Maryland. To do so, the Ethiopian government used commercial Internet-based technology sold by Gamma International, a company based in the United Kingdom and Germany. The surveillance was discovered not by the U.S. government, but by Citizen Lab, an academic research center based at the Munk School of Global Affairs at the University of Toronto, Canada, which has published several reports on how governments use these technologies for surveillance. That’s why, despite their often legitimate use by security agencies, these tools have become framed as “surveillance technologies.”
The two cases, and popular perceptions of them, underscore many of the complicated issues involved in recent efforts to regulate the export of digital surveillance technologies, especially to foreign governments with problematic human rights records. Now, what started out as a human rights issue flagged by academics and activists has since caught the attention of security professionals in the private sector and government, who have recognized that the same technologies can be used against a variety of targets for legitimate and illegitimate purposes, with varying outcomes.
Beginning in 2011, as the emerging market for digital surveillance technology began to attract more attention, it became clear that the relevant export controls, a potential regulatory tool, had become outdated and did not cover these technologies. Several countries have since taken steps to update the so-called Wassenaar Arrangement, a multilateral dual-use technologies export-control regime established in 1995, and are now incorporating these changes into their national export-control regimes. In the U.S., the government’s efforts on this front have led to a heated controversy that revived old wounds, alarmed companies over the future of their business models and raised questions about how best to address human rights issues in a digital world. Given the complexities involved, it is worth taking a step back to first review how this debate evolved.
The Emergence of a Difficult Problem
The stated mission of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is “to contribute to regional and international security and stability, by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations.” Unlike its predecessor, the Cold War-era Coordinating Committee for Multilateral Export Controls (COCOM), the Wassenaar Arrangement does not target any state or group of states, nor can members exercise veto power over other members’ export decisions. Rather, the arrangement aims to create a framework for harmonizing national approaches to export controls and to offer a forum for information-sharing. The arrangement’s limits were brought into contrast by the emergence of new digital surveillance technologies.
In particular, over the past few years, there has been growing concern among human rights groups that repressive governments are using these new technologies to spy on their citizens. In the aftermath of the Arab Spring, for example, companies in North America and Europe were found to have exported technologies to security and intelligence agencies in countries ranging from Moammar Gadhafi’s Libya to Bahrain. In 2011, the Wall Street Journal published its “Surveillance Catalog,” which placed a spotlight on this burgeoning industry as it became increasingly clear that existing export controls had become outdated. France and the United Kingdom, in particular, were criticized for allowing the export of surveillance technologies to authoritarian governments, and eventually each submitted a proposal to amend the list of the Wassenaar Arrangement.
In December 2013, the 41 signatories to the arrangement agreed to take steps to control exports of certain surveillance technologies. Signatories, including the United States, the member states of the European Union, Japan and Russia, reached a consensus on adding “intrusion software” and “IP network surveillance systems” to the arrangement’s list of regulated technologies. These are technologies used to gain access and to monitor data. Some have described this addition as an attempt to bring cyberweapons into the fold of international arms-control agreements.
Over the nearly two years since the passage of the 2013 amendments, the 41 signatory states have focused on implementing the change. Because the Wassennaar Arrangement is voluntary and nonbinding, it has no direct effect on national or international law; states must integrate its terms into their respective national frameworks. So far, implementation across these 41 states remains uneven: All the member states of the European Union implemented the new language as a matter of course, while U.S. authorities have clashed with both the surveillance-technology industry and civil liberties groups on the final shape of new regulations.
Not So Simple: Proposed U.S. Export Controls
Because the Wassenaar Arrangement is updated annually, its signatories have generally well-established mechanisms to implement any amendments, and the United States is no exception. However, the U.S. government must have known that implementing the new export controls agreed to in December 2013 would be a controversial move. Usually, the interagency process takes six months to make changes to the multilateral Wassenaar dual-use-technologies export-control list. This time it took until May 2015, nearly three times longer than usual, for the U.S. Department of Commerce’s Bureau of Industry and Security to publish its decision.
Furthermore, the outcome was not, as it usually is, a final rule but a proposed rule, which enabled the public to provide feedback during a two-month period. Despite the administration’s long internal deliberations, the proposal was met with stiff resistance from major multinational companies such as Symantec and Google as well as from members of the cybersecurity research community once it was made public.
According to the bureau, the departments of Commerce, Defense and State, as well as other agencies, discussed the best way to add these items, which they call “cybersecurity items,” to the Commerce Control List (CCL), without negatively impacting national security and foreign policy. The government “proposes a license requirement for the export, reexport, or transfer (in-country) of these cybersecurity items to all destinations, except Canada.”
During the subsequent two-month public comment period, however, many businesses, industry groups and civil society argued that the bureau’s proposal could be interpreted too broadly, echoing more general concern over the wording added to the Wassenaar Arrangement itself. Companies including Google, Cisco and Symantec, and coalitions of cybersecurity firms under the umbrella Coalition for Responsible Cybersecurity, organized against the government’s formulation. Civil society organizations and individual researchers also voiced concern about the possible effects of the changes on cybersecurity research. It became clear that addressing the problem and updating the export-control regime would be complicated for both historical and technical reasons.
Historical reasons, because much of this debate is reminiscent of the heated discussions around the Computer Fraud and Abuse Act (CFAA) and encryption controls, known as the “Crypto Wars” of the 1990s, which left scars and informed entrenched positions among those involved. Moreover, in several cases over the past two decades, federal prosecutors have used the CFAA, at times stretching the law’s language, to pursue harsh court sentences, worrying cybersecurity researchers that an overly vague or broad regulation could be similarly used in the future.
It is therefore no surprise that the U.S. government’s proposed implementation of the new controls resurfaced old grievances. These were exacerbated by the fact that the proposed rule exceeded the original language of the 2013 amendment to the Wassenaar Arrangement. That wording had focused more narrowly on network-surveillance systems and intrusion software that are usually developed by companies for sale to governments, not by individual researchers. By contrast, the U.S. proposal outlines a policy of “presumptive denial,” that is, a default position inclined to deny rather than approve exports. It also specifically references “zero-day exploits,” or the vulnerabilities in software that remain undetected, or known for zero days, until they are exploited in an intrusion. Cyber researchers often seek out such vulnerabilities to test a system’s security and to alert developers to weaknesses. There are also so-called bug-bounty programs and an active market where such vulnerabilities are traded. As the Electronic Frontier Foundation argues, “the only difference between an academic proof of concept and a 0-day for sale is the existence of a price tag.” The risk, then, is that the new regulations could have a chilling effect on researchers fearful of being found in violation of the letter of the law, even though their objective is the exact opposite.
Moreover, the bureau’s proposal does not reflect sections of the Wassenaar Arrangement that would exempt from control those technologies and software that are “in the public domain,” part of “basic scientific research” or “generally available to the public.”
In the meantime, while yet to be finalized, the proposed rule is already having an effect. Netragard, a U.S.-based penetration-testing company that purchases zero-days, recently announced the termination of its Exploit Acquisition Program. While the proximate cause of Netragard’s decision was the revelation that it had sold a key zero-day vulnerability to Hacking Team, the Italy-based surveillance technology company mentioned earlier, the announcement also alluded to Wassenaar. “If and when the 0-day market is correctly regulated we will likely revive EAP,” writes CEO Adriel Desautels. “The market needs a framework (unlike Wassenaar) that holds the end buyers accountable for their use of the technology (similar to how guns are regulated in the US).”
Although Department of Commerce representatives have stated that the proposed controls are not intended to limit security research or even the legal trade in zero-day vulnerabilities, critics worry that a chilling effect will occur. In response, the Department of Commerce, in an unusual departure from its normal implementation process, indicated that it would revise its proposal.
A Survey of Global Implementation
Apart from the United States, several others of the arrangement’s signatories have already implemented the 2013 amendments, albeit to varying degrees. The following overview focuses on signatories whose implementation processes have garnered the most public attention, while also discussing the roles of the new controls in two important nonsignatory states, Israel and Singapore.
Japan and Canada
Complications have arisen among the states that have already finalized and implemented the amendments to the Wassenaar Arrangement nationally. Reports indicate, for instance, that Hewlett Packard (HP)—and specifically its security solutions unit, Tipping Point—withdrew its sponsorship of the annual Pwn2Own Mobile hacking conference in Japan, scheduled for November, “due to the complexity of obtaining real-time import/export licenses in countries that participate in the Wassenaar Arrangement.” The conference organizer, Dragos Ruiu, went further, criticizing Japan’s implementation as “vague and cumbersome.”
In competitions like Pwn2Own, contestants compete to exploit popular software and devices using zero-day vulnerabilities. The competition’s sponsor—in the case of Pwn2Own, HP/Tipping Point’s Zero Day Initiative—then offers to purchase the zero-day vulnerabilities used in the competitions, which it subsequently reports to the relevant vendor for patching. The vulnerabilities uncovered in the course of these competitions can command high cash rewards, sometimes upward of $100,000. As a result, these “bug bounties” draw talented hackers from around the world and incentivize them to share potentially dangerous vulnerabilities. The problem for Pwn2Own, in the aftermath of the Wassenaar Arrangement amendments, is that once these vulnerabilities are discovered, they might require export licenses from Japan’s Ministry of Economy, Trade and Industry in order to be transferred to the Zero Day Initiative in the United States or to any U.S.-based vendors.
Absent programs like Pwn2Own, hackers are more likely to turn to the black and gray markets for zero-day vulnerabilities, where they often can fetch even higher prices. In fact, Zerodium, a zero-day merchant, took note of HP’s withdrawal from Pwn2Own—and the likely reduction of bug bounties—and instead offered to buy contestants’ vulnerabilities directly. Unlike HP and the Zero Day Initiative, however, Zerodium is not necessarily committed to getting vulnerabilities patched. Rather, it provides them via its Security Research Feed to private clients, ranging from “major corporations in defense, technology, and finance” to “government organizations.”
While it is too soon to say whether this signals a larger trend, or simply reflects companies’ attempts to lobby for more lenient rules, the case of HP in Japan demonstrates what could be an unintended long-term effect of overbroad regulation. According to Ruiu, HP did not shy away from sponsoring a similar event in Canada, whose export-control implementation uses the same language contained in the Wassenaar Arrangement. This could have less to do with implementation, however, and more to do with Canada’s special trade relations with the U.S., which by default exempt the U.S. from export controls. The new proposed rule by the U.S. Department of Commerce similarly exempts Canada.
The European Union
The European Union implemented the Wassenaar amendments, applicable to all member states, as of Jan. 1, 2015, using the arrangement’s original language. Though the scope of the new controls is uniform across the EU, the precise mechanisms underlying the licensing of the relevant technologies will vary from country to country, as member states determine their own licensing policy. While the EU’s amended regulations have not faced the same degree of criticism as the U.S. proposal, stakeholders have identified several areas, including protections for legitimate security research, that could be reformed in the EU export-control regime.
Many practical complaints against the EU’s implementation have come from independent researchers. But a number of affected companies have made a point to declare their compliance with the arrangement. Hacking Team, for instance, issued a statement on Feb. 25 to declare that it was “the first in [the] industry to comply with these latest international laws,” and affirmed it would “request from the Italian Government export authorization for its technologies.” VUPEN, a French company specializing in zero-day vulnerabilities, has similarly acknowledged the new controls, noting that “access to this service is thus highly restricted, and is only available to approved government agencies (Intelligence, Law Enforcement, and Defense) in approved countries.” At the same time, the company is rumored to be considering relocation outside the EU.
Similar to the U.S. Department of Commerce, the European Commission has proved receptive to comments on its broader export-controls policy, issuing a call for public consultation on the “design of an effective EU response to the use of cyber-space for proliferation activities” and “mass surveillance, monitoring, tracking and interception.” Dutch Member of European Parliament Marietje Schaake, described by the Wall Street Journal as “Europe’s most wired politician” and an early advocate of updating exports controls, also stated at a September roundtable meeting that she and other lawmakers were committed to avoiding “some of the unintended consequences of the Wassenaar Arrangement.”
Israel and Singapore
Although it is not a formal signatory to the arrangement, Israel’s Defense Export Control Law makes reference to the arrangement’s lists of munitions and dual-use goods and technologies. It remains to be seen, however, whether and how it will implement the 2013 amendments. That question has taken on added significance, as in recent years evidence has surfaced that Israeli companies have exported surveillance technologies to countries with problematic human rights records. In 2014, Privacy International published a report on the role of Israeli security firms Nice Systems and Verint in providing surveillance technologies to governments in Central Asia. Earlier this year, the same two firms were referenced in the development and expansion of controversial surveillance systems in Colombia. It’s worth noting that neither report indicates that Israeli companies engaged in the sales post-Wassenaar.
Like Israel, Singapore also incorporates the Wassenaar Arrangement’s lists into its export-control regimes, though it is not a formal signatory itself. Singapore, a cybersecurity hub, has indicated its intention to incorporate updates to the arrangement’s Munitions List and the EU’s list of dual-use items, which itself incorporated the arrangement’s dual-use list as of Nov. 2.
Mixed Results: Measuring Regulatory Efficacy
So how have these amendments affected the companies they were designed to regulate? Thus far, the picture is mixed. As noted previously, Hacking Team was quick to declare itself in compliance with the arrangement. So far, none of the other companies that have made related news for similar controversial sales, such as Blue Coat and Gamma Group, have made public statements. However, Gamma, a British-German company, opened an office in Switzerland in 2013 and sought export licenses from the Swiss authorities. Although the company reportedly withdrew those requests recently, it is an interesting sign that regulation might prompt firms to locate outside the jurisdiction of signatory states to avoid its effect.
The activities of the French company VUPEN, best known for reportedly selling zero-day vulnerabilities to the U.S. National Security Agency and other government agencies, raises another critical issue. Strictly speaking, the Wassenaar Arrangement is not designed to regulate the sale of zero-day vulnerabilities, which are often components of intrusion software. In fact, intrusion software itself is not controlled under the arrangement; only components for its generation, operation and delivery are. Nonetheless, VUPEN appears to have determined it would be better off seeking export licenses than not doing so. Moreover, as mentioned earlier, the penetration-testing firm Netragard pulled out of the zero-day business, in large part due to the revelation of business dealings with Hacking Team, but notably with the proviso that it might revive the program “if and when the 0-day market is correctly regulated,” with a framework “unlike Wassenaar.”
The cases of both VUPEN and Netragard demonstrate that, for better or worse, much of the most publicized debate arising from the 2013 amendments has centered on the putative regulation of zero-day vulnerabilities. While zero-days were not the initial subject of the amendments—and indeed a close reading of the amendments indicates that, as intrusion software, they are not controlled items per se—they have been on the agenda of concerned policymakers. The challenge is how to protect legitimate uses of zero-days, including in the context of events like Pwn2Own and in general security research, lest overall cybersecurity suffer from poor flows of information.
Taking Stock and Next Steps
The events of the past few months offer several important takeaways. First, the fact that some companies have already announced intentions to change their behavior demonstrates that export controls remain an effective tool to influence corporate behavior. Second, Gamma’s actions in Switzerland are a powerful reminder that companies are likely to shop for favorable jurisdictions, and that the global impact of export controls will remain limited without a multilateral regime with uniform and global implementation. That said, countries such as the United States that have prioritized an open and free Internet must align their export-control regulations with those goals to practice what they preach.
Third, the robust response to Washington’s request for public feedback on proposed regulations is a novel way to solicit input and technical advice from external experts to implement Wassenaar Arrangement export-control regulations beyond the existing standing Technical Advisory Committees. It is worth considering institutionalizing this process in the future. Fourth, the strong criticism of the U.S. proposed rule makes clear that the implementation requires revision and closer interaction with companies and security researchers to minimize unintended consequences.
Last but not least, one of the main challenges in this specific area is the lack of empirical data. Governments currently have little visibility into the trade, especially which companies export what to whom. New export-control regulation could therefore focus on using notification requirements to, at first, get a more comprehensive picture and subsequently adjust the actual licensing requirements.
To be sure, the jury is still out on the Wassenaar amendments. Critics have cast doubt on the effectiveness of new export controls and raised awareness of potentially significant unintended negative consequences that could hurt companies and undermine cybersecurity. At the same time, surveillance technologies can be used by governments to violate human rights, so concerns over their export must be addressed. In many ways, the 2013 amendments, and signatories’ implementations of them, raise more questions than they answer. But they have also catalyzed an important dialogue with potentially far-reaching implications. Hopefully, this will lead to more empirical data shedding light on this secretive trade, and those who have pushed back against the new controls will push equally forcefully to find a solution to the underlying human rights problem they are trying to address.