Dec

10

More Details Emerge on Multilateral Export Controls on Cybersecurity Items


Posted by Clif Burns at 8:11 pm on December 10, 2013
Category: BISCyber WeaponsWassenaar

Photo: Harland Quarrington/MOD [see page for license], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3ACyber_Security_at_the_Ministry_of_Defence_MOD_45153616.jpgLast week we posted on reports that the Wassenaar Plenary was considering adding certain cybersecurity hardware and software products to the list of items that members of the Wassenaar Arrangement, which includes the United States, have agreed to subject to export controls. A press release today from Privacy International purports to provide details and operative language for the new controls, the first control to be on certain types of intrusion software and the second on certain types of deep packet inspection (“DPI”). Both of the proposed new controls are somewhat narrower than we first thought might be the case before we saw this language.

The controls on intrusion software originate from a U.K. proposal. It would control software designed to bypass security and detection systems in order to collect data or modify the execution of software on the targeted device:

“Software” specially designed or modified to avoid detection by ‘monitoring tools’, or to defeat ‘protective countermeasures’, of a computer or network capable device, and performing any of the following:
a. The extraction of data or information, from a computer or network capable device, or the modification of system or user data; or
b. The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

The target seems to be malware and rootkits used by government agencies to spy on its citizens, such as FinFisher software which we previously discussed here. Of course, the language is broad enough to cover exports of most malware and might give governments additional enforcement tools against domestic hackers and distributors of malware. Although I don’t believe that anti-virus software is the intended target, the language might wind up covering such software as well since it is designed to defeat the countermeasures of viruses and malware and to extract data about the malware from a computer or network.

The second new controls will target “IP network surveillance systems.” Specifically, the language, as proposed by France, is narrower than the title suggests and reads as follows:

5. A. 1. j. IP network communications surveillance systems or equipment, and specially designed components therefor, having all of the following:
1. Performing all of the following on a carrier class IP network (e.g., national grade IP backbone):
a. Analysis at the application layer (e.g., Layer 7 of Open Systems Interconnection (OSI) model (ISO/IEC 7498-1));
b. Extraction of selected metadata and application content (e.g., voice, video, messages, attachments); and
c. Indexing of extracted data; and
2. Being specially designed to carry out all of the following:
a. Execution of searches on the basis of ‘hard selectors’; and
b. Mapping of the relational network of an individual or of a group of people.

When I previously posted about possible added controls on DPI software and hardware, I noted that the “deep” in DPI could mean many things. This language clarifies that by only covering inspection at OSI Layer 7, the so-called application layer. Moreover, it only captures items that in addition to capturing the traffic contents also index that software and analyze it for relational data among individuals. The biggest ambiguity is what is meant by a “carrier class IP network,” a term likely to be defined differently by the various members of the Wassenaar arrangement.

Permalink

Bookmark and Share


One Comment:


> Although I don’t believe that anti-virus software is the intended target, the language might wind up covering such software as well since it is designed to defeat the countermeasures of viruses and malware and to extract data about the malware from a computer or network.

I think that is highly unlikely given that antivirus software likely themselves fall under the umbrella of ‘monitoring tools’ and ‘protective countermeasures,’ as well as the themes of non-consent under the two qualifications. That being said, I understand the concern and suspect that there needs to be a lot more clarity so the rules are not used as a power grab by less Internet-friendly states in order to exert stronger controls against anti-surveillance tools themselves. Which is to say, the majority of them.

Comment by cda on December 11th, 2013 @ 1:43 pm