Export controls place cybersecurity on par with military weaponry

U.S. comes to agreement with other Western governments to place controls on surveillance, hacking software, cryptography

Internet cyber security

The U.S. and other Western governments have agreed to place export controls on sophisticated surveillance and hacking software and cryptography, placing the cybersecurity technologies on par with military weaponry.

[3 reasons why America's security model is broken]

The alliance of 41 countries, including the U.S., the U.K., Russia, Japan, France and Germany, met in Vienna this week to hammer out an export agreement that would restrict sales outside the alliance, The Financial Times reported.

In the U.S., the upshot of the agreement is that companies that want to ship covered technologies overseas will have to obtain a license. The full impact of the agreement won't be known until there's a determination of the software and hardware covered.

The export control alliance, which started during the Cold War, is known as the Wassenaar Arrangement. While many Western governments are represented, the two missing countries, China and Israel, make the effectiveness of the latest pact questionable, Stewart Baker, former general counsel of the U.S. National Security Agency, said.

"Wassenaar doesn't include China or Israel, both major producers of surveillance and hacking tools," Baker said in his blog.

"So the new control regime could turn out to be an exercise in moral preening, as Europe and the United States sacrifice technology sales to China and Israel for the sake of political correctness."

The U.S. and Europe have complained for some time about China-based cyberespionage campaigns aimed at stealing intellectual property and sensitive documents from major corporations, government agencies and think tanks. The Chinese government denies being behind the attacks.

The latest talks were unusual in that the European Union was as "enthusiastic" about controls as the U.S., Baker said. "Usually, Europeans have let the U.S. take the lead, and the economic hit, when it comes to controlling exports."

The purpose of the Wassenaar Arrangement is to prevent arms races in which countries stockpile and develop increasingly lethal weaponry. Compliance with the alliance's agreements is voluntary.

Cybersecurity technology is considered on par with military weapons because it can be used to attack computer systems of national importance, such as those found in government, financial institutions and critical infrastructure.

Categories of technology covered under the agreement include "surveillance and law enforcement/intelligence gathering tools and Internet protocol network surveillance systems or equipment, which, under certain conditions may be detrimental to international and regional security and stabiliy," according to an alliance statement.

[If confirmed, DHS nominee to continue wiht cybersecurity initiatives]

Cryptography is one technology covered under the pact. Aaron Titus, chief privacy officer and general counsel at data security vendor Identity Finder, said new restrictions on strong encryption would slow the spread to rogue states, such as Syria and Iran.

However, he cautioned that strict export controls could also have "the perverse effect of lowering encryption standards for everyone."

"For example, until just a few years ago, GSM mobile phones implemented an encryption standard so weak it was little better than plain text according to most cryptologists," Titus said.

"The handset industry adopted this insecure standard so they could export phones globally without running afoul of encryption export controls."

Another technology likely to be covered under the pact is deep packet inspection, which is a type of filtering software that examines the data part of a packet traveling across a network. DPI technology typically checks for data movement that violates corporate policies, as well as spam and malware.

The capture and analysis of network traffic has been in the spotlight since revelations of massive collections of Internet activity by the NSA. The spying, which came to light through the release of documents from ex-NSA contractor Edward Snowden, has sparked severe criticism of the NSA by U.S. privacy advocates and foreign governments.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.