Last month, changes to the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (“Wassenaar Arrangement”) placed “zero-days,” other computer exploits, and potentially more categories of software under this multilateral export control regime. These changes take place following reports that the U.S. government purchases “zero day” computer security vulnerabilities—previously unknown exploits—for use by the NSA’s targeted hacking team. Support for these recent changes has come from policymakers and privacy advocates concerned with keeping exploits and network surveillance tools out of the hands of repressive regimes, economic spies, and other bad actors internationally.

Despite these goals, efforts to restrict distribution of surveillance and network exploitation tools must define the tools under control narrowly enough to leave security research tools and other valuable software unregulated while stemming the proliferation of the targeted software. The Wassenaar Arrangement changes attempt to do so by identifying particular characteristics of software as potentially malicious and subjecting software with these characteristics to export controls. Whether the recent Wassenaar amendments draw the line well remains up for debate.

The Wassenaar Arrangement has 41 participating states including the U.S. It creates uniform “control lists” of dual-use technologies, facilitates information sharing on dual-use transfers, and serves as a consultation mechanism for members on national export policies and denials of export license applications.

The recent changes include adding two new classes of export-regulated software to the dual use provision regulations:

Intrusion software:

“Software” specially designed or modified to avoid detection by ‘monitoring tools’, or to defeat ‘protective countermeasures’, of a computer or network capable device, and performing any of the following:

a. The extraction of data or information, from a computer or network capable device, or the modification of system or user data; or

b. The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

and

IP network surveillance systems

5. A. 1. j. IP network communications surveillance systems or equipment, and specially designed components therefore, having all of the following:

1. Performing all of the following on a carrier class IP network (e.g., national grade IP backbone):

a. Analysis at the application layer (e.g., Layer 7 of Open Systems Interconnection (OSI) model (ISO/IEC 7498-1));

b. Extraction of selected metadata and application content (e.g., voice, video, messages, attachments); and

c. Indexing of extracted data; and

2. Being specially designed to carry out all of the following:

a. Execution of searches on the basis of ‘hard selectors’; and

b. Mapping of the relational network of an individual or of a group of people.

The Wassenaar Arrangement focuses primarily on the transparency and harmonization of national export control regimes but is not a treaty, and therefore is not legally binding. Changes to the Wassenaar Arrangement must be implemented separately by each member state, so the precise impact of the recent additions is not yet clear.  Yet, the changes to the Wassenaar Arrangement propose the first major restrictions on widely used, commercially available software since the introduction of restrictions on encryption products to the Arrangement in 1998.

If implemented in the U.S., the changes to the Arrangement would institute export controls for intrusion software and IP network surveillance systems, requiring certain sellers to obtain licenses from the U.S. Department of Commerce. The U.S. Department of Commerce manages the Export Administration Regulations (“EAR”) that govern exports and transfers of “dual use items” (goods, technology and software) with both civilian and military applications. These EAR regulations currently are not applicable to exploits, intrusion software, or surveillance systems, but will likely change to reflect the new Wassenaar terms.  The 2014 National Defense Authorization Act also has required an interagency group to produce additional policy recommendations to control proliferation of cyber weapons.

The Wassenaar Arrangement changes are already having an impact on companies. VUPEN, a leading zero-day exploit firm and known supplier of exploits to the NSA, announced on its website that, in response to the Wassenaar Arrangement changes, it would restrict exploit sales, supplying only approved government agencies in approved countries.  The firm indicated it considered the newly adopted “intrusion software” restrictions applicable to its products. VUPEN also announced it would automatically exclude countries subject to European Union restrictions and countries subject to embargoes by the U.S. or the United Nations.

The newly introduced definitions of restricted software, particularly of intrusion software, could be interpreted to include an overly wide range of legitimately traded and used network security tools. The new language focuses on whether the targeted items are “designed to avoid security features on a device.” While this limitation may initially seem sensible, common beneficial tools avoid security features in order to, for example, install software without the user’s intercession. Auto-updaters may be one such tool, depending on the details of operation. Some experts have wondered whether anti-virus software would fit the intrusion software definition. Given the ambiguity in the definitions of regulated categories, firms may have to consult attorneys before exporting tools that arguably may be covered.

The new restrictions on software exports also face policy debates similar to previous debates regarding encryption export controls and proposals to regulate the market in computer vulnerabilities more generally. Some may raise objections that these software export controls restrict free speech, as with encryption controls. Exploits can be traded as knowledge (of a vulnerability in a particular software program or system) or as weaponized exploits (code written to exploit said vulnerability). The intrusion software clause intends to apply to weaponized exploits, but will it also restrict the exchange of knowledge of vulnerabilities?

The IP network surveillance system provision raises similar questions. What would this restriction mean for vendors of the “data loss prevention” tools used by many businesses to exercise control over information entering and leaving their networks?

More broadly, the Wassenaar Arrangement has been criticized for its weakness as an international tool. Particularly, its lack of harmonized implementation may allow defectors to access export opportunities adherents have forgone. Additionally, the existence of thriving black markets in vulnerabilities and the easily transmissible nature of such software bring into question the suitability of a traditional export regime for controlling these transient, easily transferrable goods. As countries begin to implement the new Wassenaar restrictions on a national level, the effects of the changes and objections to them should become clearer. We plan to continue to follow this evolution and write about it here.