Last week we posted on reports that the Wassenaar Plenary was considering adding certain cybersecurity hardware and software products to the list of items that members of the Wassenaar Arrangement, which includes the United States, have agreed to subject to export controls. A press release today from Privacy International purports to provide details and operative language for the new controls, the first control to be on certain types of intrusion software and the second on certain types of deep packet inspection (“DPI”). Both of the proposed new controls are somewhat narrower than we first thought might be the case before we saw this language.

The controls on intrusion software originate from a U.K. proposal. It would control software designed to bypass security and detection systems in order to collect data or modify the execution of software on the targeted device:

“Software” specially designed or modified to avoid detection by ‘monitoring tools’, or to defeat ‘protective countermeasures’, of a computer or network capable device, and performing any of the following:
a. The extraction of data or information, from a computer or network capable device, or the modification of system or user data; or
b. The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

The target seems to be malware and rootkits used by government agencies to spy on its citizens, such as FinFisher software which we previously discussed here. Of course, the language is broad enough to cover exports of most malware and might give governments additional enforcement tools against domestic hackers and distributors of malware. Although I don’t believe that anti-virus software is the intended target, the language might wind up covering such software as well since it is designed to defeat the countermeasures of viruses and malware and to extract data about the malware from a computer or network.

The second new controls will target “IP network surveillance systems.” Specifically, the language, as proposed by France, is narrower than the title suggests and reads as follows:

5. A. 1. j. IP network communications surveillance systems or equipment, and specially designed components therefor, having all of the following:
1. Performing all of the following on a carrier class IP network (e.g., national grade IP backbone):
a. Analysis at the application layer (e.g., Layer 7 of Open Systems Interconnection (OSI) model (ISO/IEC 7498-1));
b. Extraction of selected metadata and application content (e.g., voice, video, messages, attachments); and
c. Indexing of extracted data; and
2. Being specially designed to carry out all of the following:
a. Execution of searches on the basis of ‘hard selectors’; and
b. Mapping of the relational network of an individual or of a group of people.

When I previously posted about possible added controls on DPI software and hardware, I noted that the “deep” in DPI could mean many things. This language clarifies that by only covering inspection at OSI Layer 7, the so-called application layer. Moreover, it only captures items that in addition to capturing the traffic contents also index that software and analyze it for relational data among individuals. The biggest ambiguity is what is meant by a “carrier class IP network,” a term likely to be defined differently by the various members of the Wassenaar arrangement.

We can only assume that exporters have been very bad this year because they may find a big lump of coal left in their export reform stocking by jolly old St. Nick or, perhaps more accurately, Good King Wassenaar (to continue torturing this extended metaphor.) The jolly old elves who negotiate the Wassenaar Agreement are meeting in Vienna this week, and according to this Financial Times article, they are likely to impose new controls on cybersecurity hardware and software. When the U.S. implements these changes, it means that some network equipment and software that did not previously require licenses will now require them.

The details of the changes are still not fully known. Obviously, many things could be classified as “cybersecurity” software and/or hardware, so the scope of these controls could be significant. The Financial Times article singles out deep packet inspection as one area of cybersecurity likely to be subject to export controls:

Particularly sensitive areas include so-called “deep package inspection” technologies which allow users to screen data for hidden viruses, malware or surveillance programmes. Western intelligence agencies are particularly concerned about such technologies falling into enemy hands, because they could enable them to foil cyber attacks or gain an intimate understanding of Western screening systems and their fallibilities.

Deep packet inspection is commonly used to refer to network software and hardware that looks beyond the headers of IP packet transiting a network to examine the data payload in the packet. DPI technologies vary in the degree to which the data payload is inspected, particularly given constraints on inline processing as the data streams through the network. Some DPI may look for patterns or signatures indicating viruses or attacks (to block the packet), the type of traffic , e.g., (P2P vs VOIP ( to prioritize the traffic), or even the actual content of unencrypted traffic for censorship or law enforcement purposes. Given that there are varieties of “deep” in Deep Packet Inspection and varieties of purposes to which DPI could be put, a one-size-fits-all license requirement for DPI would certainly seem to be overkill.

But the biggest nightmare will be how these license requirements will seep into the deemed export rules. Any company that employs network engineers (in other words, any company but the Asian Lithuanian Taco and Waffle Truck on the corner) will encounter real difficulties in hiring and managing foreign employees working on their networks. Let’s just hope that these negotiations at Wassenaar fizzle (but I’m not holding my breath).