Archive for the ‘Wassenaar’ Category


Dec

10

More Details Emerge on Multilateral Export Controls on Cybersecurity Items


Posted by Clif Burns at 8:11 pm on December 10, 2013
Category: BISCyber WeaponsWassenaar

Photo: Harland Quarrington/MOD [see page for license], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3ACyber_Security_at_the_Ministry_of_Defence_MOD_45153616.jpgLast week we posted on reports that the Wassenaar Plenary was considering adding certain cybersecurity hardware and software products to the list of items that members of the Wassenaar Arrangement, which includes the United States, have agreed to subject to export controls. A press release today from Privacy International purports to provide details and operative language for the new controls, the first control to be on certain types of intrusion software and the second on certain types of deep packet inspection (“DPI”). Both of the proposed new controls are somewhat narrower than we first thought might be the case before we saw this language.

The controls on intrusion software originate from a U.K. proposal. It would control software designed to bypass security and detection systems in order to collect data or modify the execution of software on the targeted device:

“Software” specially designed or modified to avoid detection by ‘monitoring tools’, or to defeat ‘protective countermeasures’, of a computer or network capable device, and performing any of the following:
a. The extraction of data or information, from a computer or network capable device, or the modification of system or user data; or
b. The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

The target seems to be malware and rootkits used by government agencies to spy on its citizens, such as FinFisher software which we previously discussed here. Of course, the language is broad enough to cover exports of most malware and might give governments additional enforcement tools against domestic hackers and distributors of malware. Although I don’t believe that anti-virus software is the intended target, the language might wind up covering such software as well since it is designed to defeat the countermeasures of viruses and malware and to extract data about the malware from a computer or network.

The second new controls will target “IP network surveillance systems.” Specifically, the language, as proposed by France, is narrower than the title suggests and reads as follows:

5. A. 1. j. IP network communications surveillance systems or equipment, and specially designed components therefor, having all of the following:
1. Performing all of the following on a carrier class IP network (e.g., national grade IP backbone):
a. Analysis at the application layer (e.g., Layer 7 of Open Systems Interconnection (OSI) model (ISO/IEC 7498-1));
b. Extraction of selected metadata and application content (e.g., voice, video, messages, attachments); and
c. Indexing of extracted data; and
2. Being specially designed to carry out all of the following:
a. Execution of searches on the basis of ‘hard selectors’; and
b. Mapping of the relational network of an individual or of a group of people.

When I previously posted about possible added controls on DPI software and hardware, I noted that the “deep” in DPI could mean many things. This language clarifies that by only covering inspection at OSI Layer 7, the so-called application layer. Moreover, it only captures items that in addition to capturing the traffic contents also index that software and analyze it for relational data among individuals. The biggest ambiguity is what is meant by a “carrier class IP network,” a term likely to be defined differently by the various members of the Wassenaar arrangement.

Permalink Comments (1)

Bookmark and Share



Dec

4

U.S. and Allies Mull Export Licenses for Network Equipment and Software


Posted by Clif Burns at 6:55 pm on December 4, 2013
Category: BISCyber WeaponsWassenaar

Photo: Harland Quarrington/MOD [see page for license], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3ACyber_Security_at_the_Ministry_of_Defence_MOD_45153616.jpgWe can only assume that exporters have been very bad this year because they may find a big lump of coal left in their export reform stocking by jolly old St. Nick or, perhaps more accurately, Good King Wassenaar (to continue torturing this extended metaphor.) The jolly old elves who negotiate the Wassenaar Agreement are meeting in Vienna this week, and according to this Financial Times article, they are likely to impose new controls on cybersecurity hardware and software. When the U.S. implements these changes, it means that some network equipment and software that did not previously require licenses will now require them.

The details of the changes are still not fully known. Obviously, many things could be classified as “cybersecurity” software and/or hardware, so the scope of these controls could be significant. The Financial Times article singles out deep packet inspection as one area of cybersecurity likely to be subject to export controls:

Particularly sensitive areas include so-called “deep package inspection” technologies which allow users to screen data for hidden viruses, malware or surveillance programmes. Western intelligence agencies are particularly concerned about such technologies falling into enemy hands, because they could enable them to foil cyber attacks or gain an intimate understanding of Western screening systems and their fallibilities.

Deep packet inspection is commonly used to refer to network software and hardware that looks beyond the headers of IP packet transiting a network to examine the data payload in the packet. DPI technologies vary in the degree to which the data payload is inspected, particularly given constraints on inline processing as the data streams through the network. Some DPI may look for patterns or signatures indicating viruses or attacks (to block the packet), the type of traffic , e.g., (P2P vs VOIP ( to prioritize the traffic), or even the actual content of unencrypted traffic for censorship or law enforcement purposes. Given that there are varieties of “deep” in Deep Packet Inspection and varieties of purposes to which DPI could be put, a one-size-fits-all license requirement for DPI would certainly seem to be overkill.

But the biggest nightmare will be how these license requirements will seep into the deemed export rules. Any company that employs network engineers (in other words, any company but the Asian Lithuanian Taco and Waffle Truck on the corner) will encounter real difficulties in hiring and managing foreign employees working on their networks. Let’s just hope that these negotiations at Wassenaar fizzle (but I’m not holding my breath).

Permalink Comments (1)

Bookmark and Share



Apr

11

Bird Flu Research Flies Into Export Laws, Crashes, Then Burns


Posted by Clif Burns at 10:43 pm on April 11, 2012
Category: BISGeneralTechnical Data ExportWassenaar

Bird FluApparently international research on how best to prevent, contain and treat bird flu is now threatened by international laws restricting export of information relating to potential agents of biological warfare according to this report on NPR. The problem concerns research conducted by researchers in the United States and the Netherlands which resulted in a controversial paper concerning alterations in the virus that would make it more contagious. There was some concern that this information might be useful to terrorists and rogue states interested in biological warfare agents.

To address this concern, the decision was initially made to restrict publication of the study and related materials and to make them available only to designated researchers and government officials with “a need to know.” What apparently no one realized was that this would prevent the research from falling within the fundamental research exception and would, therefore, prevent cross-border discussions or transfer of the information without specific governmental authorization.

Once this was realized, the decision was made to eliminate the “need to know” restrictions and simply to publish the materials so that the research could be considered fundamental research and could be shared freely with researchers in other countries. But the government of the Netherlands is arguing that the publication of the research could not undo the effect of the earlier decision to restrict dissemination and that therefore the research could not be exported from the Netherlands without approval of that government.

This situation illustrates the difficulty in applying the fundamental research in practice. To begin with, there is no easy way to determine what is or is not fundamental research. Export lawyers and export professional at universities have tried to strengthen the case that research is eligible for the fundamental research exception by pointing to whether research was published or, even if not published, was permitted or required to be published under applicable grant contracts or university rules.

The conundrum here is whether sensitive material can be transformed into fundamental research simply by publication. If one group of researchers decides to release the information, does this act of a few individuals instantly transform the information into fundamental research? But if publication isn’t the standard for deciding what is fundamental research, what other standards are available and who should be able to apply those standards? What these questions without answers demonstrate more than anything else is the slippery slope that we head down when we try to apply export controls to information. Rather we should rely on classification rules and procedures to control dissemination of truly sensitive information.

Permalink Comments (3)

Bookmark and Share



Jan

12

Hey Big Brother


Posted by Clif Burns at 10:18 pm on January 12, 2011
Category: BISChinaForeign Export ControlsWassenaar

Johan Gadolin
ABOVE: Johan Gadolin,
discoverer of yttrium


China Daily is a great source of unintentional humor, and I really wish I had more time to peruse it. I did stumble across a recent opinion piece in China Daily on the rare earth export issue and, not surprisingly, there is much to snicker about in it, unless, of course, your business depends on the availabilities of the lanthanides, known to us non-technical sorts as the rare earth elements.

China initially justified its restrictions on exports of the lanthanides as a measure to encourage companies using lanthanides to relocate to China. Article XI of the General Agreement on Trade and Tariffs generally prohibits export quotas unless they fall within the exceptions set forth in Section 2 of Article XI or Article XX. Not surprisingly, efforts to distort international trade by forcing companies to relocate to the country imposing the quota is not within the exceptions set forth in GATT.

Somewhat later China began to cite the environmental impact of rare earth mining as a justification for the quotas. That argument was easily dismissed as a transparent ruse because China imposed no restrictions on rare earth mining for domestic use, no matter how loudly they complained the foreign exports of rare earths were killing Chinese workers.

Now, the article referenced by this post attempts to concoct another justification for its export quotas: national security. The article starts with a slam at the Wassenaar Arrangement which it claims is some kind of anti-socialist conspiracy by capitalist Western nations and a broad-based justification for China to impose any export controls it can dream up:

Export regulation was originally introduced for security issues. After World War II, the United States and other countries established the Coordinating Committee for Multilateral Export Controls (COCOM) against socialist countries; its successor, in effect today, is the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies.

In recent years the restrictions have become ever tighter. On June 19, 2007, the US Ministry [sic] of Commerce listed more than 2,500 kinds of technologies, devices, and materials banned [sic] for export to China.

Those familiar with the 2007 rule cited by China Daily, may wonder where the author came up with the idea that 2,500 kinds of technologies were banned for export. The rule imposed certain new license requirements for dual use items destined for use by the Chinese military but did not ban those exports. There were bans on items controlled for nuclear proliferation, missile technology, or chemical and biological warfare that would contribute to major Chinese weapons systems, but the 2,500 number is more than a little high as an estimate of the number of technologies involved.

More importantly, China’s claim that these restrictions are premised on national security would be more convincing if it had been its initial justification. And, of course, the Wassenaar list, which represents not a capitalist conspiracy but a multilateral consensus of strategic goods that require export controls, would permit China to exert export controls on the items on that list, items that don’t include the lanthanides.

Permalink Comments Off

Bookmark and Share



Nov

29

Wikileaks: Armenia Threatened with Sanctions after Iran Arms Deal


Posted by Clif Burns at 10:22 pm on November 29, 2010
Category: ArmeniaArms ExportSanctionsWassenaar

Serzh Sarkisian
ABOVE: Armenian President Serzh
Sarkisian


According to one of the Wikileak cables published by the Guardian, Armenia, in 2003, sold machine guns and rockets to Iran which were later used in a fatal attack on U.S. forces in Iraq by Shia militants. Secretary Rice discussed this with Armenian President Serzh Sarkisian, who denied any involvement in the arms transfer.

In December 2008 the State Department sent a letter to Sarkisian threatening U.S. sanctions on Armenia unless Armenia signed a written agreement that it would undertake certain specified steps to prevent further arms transfers to Iran or other terrorist states. Those steps were to include:

  • Adopt the Wassenaar Arrangement control lists
  • Ensure that Armenian-based brokers aren’t involved in arms transfers
  • Accept periodic unannounced inspections by the United States
  • Consult with the United States on all arms transfers to countries that are not members of NATO, the E.U., or the Wassenaar Arrangement.

There is no indication that Armenia entered into such an agreement other than, of course, the absence of current U.S. sanctions against Armenia.

Permalink Comments Off

Bookmark and Share