Cybersecurity and Export Controls
By Gozde Berkil
The Center for International Law and Governance at the Fletcher School of Law and Diplomacy hosted a conference on cybersecurity and the law on September 14 and 15. Following is a review of one of the panels held during the conference.
The draft paper for this session can be viewed here.
At the “Protecting Civilian Institutions and Infrastructure from Cyber Operations: Designing International Law and Organizations” conference held by the Center for International Law and Governance (CILG), the second panel was on the draft paper by Professor Joel Trachtman and Professor Herb Lin, suggesting certain standards for the transfer of cyber tools targeting civilian institutions and infrastructure. The authors flesh out the existing circumstances and norms and describe the failures of these norms using a twofold analysis, technical and legal. In this blog post, I will focus on legal analysis of the norms.
The attempts to control or at least monitor the transfer of cyber tools face several challenges. Primarily, tracing software transfer is not as easy as a good because of its intangible nature. Additionally, software can be transferred for free, thus can easily change hands several times. Considering these factors, Professor Lin contends “it is tough to have territorial control over cyber tools’, but not impossible”.[i] Another problem is the dual use of cyber tools, both in defensive and offensive acts. In other words, a specific cyber tool can be used to target civilian institutions for an offensive purpose; and it can be used to take defensive measures against a cyber operation targeting civilian institutions. Basically, along with the reality of effortless and costless transfer of malicious software, non-categorized export control does not solve the existing problems and due to the dual use of the technology, it may obstruct the access of good people to the same cyber tools for defensive purposes.
In order to overcome this ambiguity, the authors distinguish intrusion software and intrusion-related software,[ii] which the Wassenar Arrangement on Export Controls for Conventional Arms and Dual Use Goods and Technologies[iii] defines as controlled software. Eventually, the authors narrow the scope of the export control to intrusion-related software, which is defined as “software specially designed or modified for the generation, command and control or delivery of intrusion software” in the List of Dual Use Good and Technologies of Wassenar Arrangement.
On the other hand, the authors do not find the Wassenar solution powerful and sophisticated enough.[iv] As the Wassenar Arrangement is not a treaty, giving each state the discretion to comply with the rules without a monitoring body for enforcement, the regulations in Wassenar remain a “recommendation” rather that a binding rule. When we look at state-level regulations adopted as a result of the recommendations in Wassenar, some states like Germany even impose more stringent regulations,[v] while others have concerns about implementing Wassenar controls on intrusion software. For instance, Sweden indicated concerns about making the EU a less competitive place for developing software due to a rigid export control regime.[vi] Similarly, the United States suspended implementation due to concerns about software development and defender access.[vii] In 2015, the United States had accordingly proposed to provide exclusions for exports to US companies or more trusted countries, like the Five Eyes alliance of Australia, Canada, New Zealand, the United Kingdom and the United States.[viii] The lack of a legally binding regime for export controls caused different interpretations of the control and different levels of enforcement.
A possible solution for the transfer of malicious software suggested by the authors of the paper is to strengthen public-private partnership on an export control platform.[ix] Through industry standards such as “not help(ing) governments launch cyber attacks against innocent citizens”[x], private sector’s support might serve the purpose of controlling the transfer of cyber tools to “bad guys”. This approach, unfortunately, does not minimize the risk from a realistic perspective for two reasons. First, it does not address the secondary danger, notably, the transfer from the client in good faith to a third party in bad faith in some way. Second, it is not realistic to expect the profit-oriented private actors to consistently comply with some industry standards that will reduce their sales volume. Therefore, this source is not fully reliable in terms of its contribution to the solution.
Correspondingly, the suggested “verified end-users” system was inspired by the existing license exceptions regime under the US export controls. Essentially, it conditions a due diligence investigation of these transferees by the country of export regime, such as an agreement not to share the software with third parties in violation of the export regime, in the beginning. Second, the transferees must agree to be monitored and audited to be ensured that they act in compliance with the regime. Third, the important government should agree to respect and not to intervene with anything other that the first two conditions.[xi]
As a result, the idea behind the proposed regime is to have support through public-private partnership and to favor the identity-based control rather than a territory-based one, although the ambiguity of making a distinction between national and foreign in terms of an export control of software still exists. A very crucial point regarding the export control regime relying on verified end users is to assure that the concerns of application would be eliminated before implementation. Professor Jonathan Zittrain points out the question, “what if it works”, requires an accurate answer before implementing such regime, because of the risk of creating a too powerful restricting tool which shouldn’t be restricted.[xii] Obviously, the practical questions for the theory requires more debate.
For now, private and international actors as well as states seem to agree on the necessity of a legal regime that regulates the transfer of cyber tools, although they are not willing to abandon certain interests by complying with restrictive regulations. Surely, the international arena will see further debates as long as the technological developments create more complicated cyber tools maintaining its momentum.
__________________________
[i] Lin, Herb and Joel P. Trachtman. Export Control. (Panel at Protecting Civilian Institutions and Infrastructure from Cyber Operations: Designing International Law and Organizations Conference, Center for International Law and Governance, Medford, September 14, 2018).
[ii] Lin, Herb and Joel P. Trachtman. Using International Export Controls to Bolster Cyber Defenses. (Paper presented at Protecting Civilian Institutions and Infrastructure from Cyber Operations: Designing International Law and Organizations Conference, Medford, September 14-15, 2018), 2. Accessed September 16, 2018. https://sites.tufts.edu/cilg/files/2018/09/exportcontrolsdraftsm.pdf
[iii] Wassenar Arrangement on Export Controls for Conventional Arms and Dual Use Goods and Technologies. The Hague: December 1995.
[iv] Lin, Herb and Joel P. Trachtman. Using International Export Controls to Bolster Cyber Defenses. (Paper presented at Protecting Civilian Institutions and Infrastructure from Cyber Operations: Designing International Law and Organizations Conference, Medford, September 14-15, 2018), 8-9. Accessed September 16, 2018. https://sites.tufts.edu/cilg/files/2018/09/exportcontrolsdraftsm.pdf
[v] Lin, Herb and Joel P. Trachtman. Export Control. (Panel at Protecting Civilian Institutions and Infrastructure from Cyber Operations: Designing International Law and Organizations Conference, Center for International Law and Governance, Medford, September 14, 2018).
[vi] Ibid.
[vii] Ibid.
[viii] Lin, Herb and Joel P. Trachtman. Using International Export Controls to Bolster Cyber Defenses. (Paper presented at Protecting Civilian Institutions and Infrastructure from Cyber Operations: Designing International Law and Organizations Conference, Medford, September 14-15, 2018), 11. Accessed September 16, 2018. https://sites.tufts.edu/cilg/files/2018/09/exportcontrolsdraftsm.pdf
[ix] Ibid., 7.
[x] Lin, Herb and Joel P. Trachtman. Export Control. (Panel at Protecting Civilian Institutions and Infrastructure from Cyber Operations: Designing International Law and Organizations Conference, Center for International Law and Governance, Medford, September 14, 2018).
[xi] Lin, Herb and Joel P. Trachtman. Using International Export Controls to Bolster Cyber Defenses. (Paper presented at Protecting Civilian Institutions and Infrastructure from Cyber Operations: Designing International Law and Organizations Conference, Medford, September 14-15, 2018), 13. Accessed September 16, 2018. https://sites.tufts.edu/cilg/files/2018/09/exportcontrolsdraftsm.pdf
[xii] Lin, Herb and Joel P. Trachtman. Export Control. (Panel at Protecting Civilian Institutions and Infrastructure from Cyber Operations: Designing International Law and Organizations Conference, Center for International Law and Governance, Medford, September 14, 2018).