Many computer security experts have celebrated the development of Wassenaar Arrangement (WA) in which it revised and added new export control rules for computer network intrusion software in its export control list. In the same plenary meeting in 2017, WA, a voluntary arrangement which governs the trade of conventional weapons and technologies for its group members, accepted India as its 42nd member of the arrangement.
In a theoretical sense, the step to include computer network intrusion software in its export control list is a significant step forward for computer security practitioners but we need to objectively assess the real impact of this development.
Export controls have been an important tool in computer security or cyber world. Firewall and web server software were frequently vended in domestic and export versions with various cryptographic key lengths in the 90s. More recently, regulators in several countries have scrutinized offensive network intrusion tools such as exploit toolkits etc.
"If all kinds of software are part of the export control list, even then the limitation persists. Cybersecurity tools, especially software, are intangible. These are unlike conventional weapons and also different in its usage."
These toolkits are or could be used for offensive purposes. However, people who defend and protect computer networks need access to the same tools and information that attackers use. An export control that restricts the sharing of these tools across borders can obstruct a legitimate activity that is necessary to protect networks.
WA revised rules have made exemptions for computer network defenders, engaged in the international coordination of information about security vulnerabilities and malware. These rules have also created clear definitions for software update mechanisms that have nothing to do with the system and network intrusion. These changes are important and eliminate many obstacles in the way of industry collaboration in the fight against cyber threats.
Nevertheless, major concerns remain. To promote transparency, WA calls on states to make a series of voluntary information exchanges and notifications on their export activities related to weapons and technologies in its control list which includes data about conventional weapons and dual-use goods and technologies. But sharing of information by member states is voluntary.
The group has no regulatory authority for implementation of those rules. After twenty-two years of its establishment, the member states remain divided over Arrangement’s scope, whether it should take a step forward and become more than just a body for collection and exchange of information. The reason behind this difficulty is that WA functions by consensus and a single country such as Slovakia or Croatia, being part of the group, can block any proposal or major countries like the US and UK can easily politicize a decision.
Furthermore, member states could not agree upon definitions of significant terms such as countries that are states of concern and destabilizing transfer. Moreover, there is another limiting factor. Some countries such as China and Israel which extensively work on cybersecurity items and software are not members of the Wassenaar Arrangement.
Issue of interpretation also constrains the functionality and importance of WA. If member states of WA extend the rules to their domestic legislation, each country may interpret it differently. For example, in the case of computer network intrusion, some states might interpret the rules in a way that prohibits network penetration testers.
"Export control of cybersecurity tools and software is the need of the hour, but it needs multilateral and collaborated efforts in which all states and other stakeholders should participate."
On the other hand, security experts of some other country which has developed their own custom offensive toolkits would bring those toolkits along on their personal laptops when they travel to other countries and share them with foreign coworkers at the same company.
An expert in cybersecurity and vulnerability research, Tom Cross, raises the question if the whole practice of network penetration testing can be understood to fit within the new exception for vulnerability disclosure? Also, many cybersecurity conferences offer training courses where practitioners can learn new vulnerability exploitation techniques from experts.
Prevalence of such practices how different countries could separate open training sessions and courses, protected by the right to freedom of speech and prohibit technology transfers which still require an export license under the new rules.
The negotiation of WA rules is a closed-door process which creates another concern. Computer security or network intrusion is a highly technical subject. Without proper technical know-how, policymakers may create blind spots while crafting rules governing a complex area like computer security.
Most problematic part of up-to-date export control list is that it does not control certain types of software which are generally available to the public or being commonly used in public domain and also, which need minimum necessary object code for installation, operation, maintenance or repair of the items whose export has been authorized.
If all kinds of software are part of the export control list, even then the limitation persists. Cybersecurity tools, especially software, are intangible. These are unlike conventional weapons and also different in its usage. Putting software technologies in export control lists by states may therefore not be a foul-proof measure for controlling the export and limiting the use of these items.
Export control of cybersecurity tools and software is the need of the hour, but it needs multilateral and collaborated efforts in which all states and other stakeholders should participate. Voluntary groups like Wassenaar Arrangement are serving a limited purpose. In fact, they are adding to the problem by excluding certain software or technologies.
This article was published in the South Asian Voices on January 1, 2019.
Afeera Firdous is a Research Assistant at the Center for International Strategic Studies (CISS) Islamabad. She holds a Masters degree in Strategic and Nuclear Studies from National Defence University (NDU), Islamabad. Currently, she is enrolled in the M.Phil program at the Department of Strategic Studies, NDU Islamabad. Her M.Phil thesis is on "Counter-terrorism in Cyberspace: Comparative Analysis of Pakistan and India". Her research interests includes counter-extremism, counter-terrorism, cyber and strategic issues.