In the past couple of weeks, the US Bureau of Industry and Security (BIS), part of the US Chamber of Commerce, announced the potential implementation of the 2013 changes to the Wassenaar Arrangement (WA), which is a multinational arrangement intended to control the export of certain “dual-use” technologies. The proposed changes place additional controls on the export of “systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software.” Many in the security community have been extraordinarily vocal in opposition to this announcement, especially with regard to the newly proposed definition of "Intrusion Software" in the WA. This debate is important and should contribute to the open comment period requested by the BIS, which ends July 20. While the WA appears to be a legitimate attempt to control the export of subversive software, the vague wording has raised alarms within the security community.
For decades the security community has developed and studied exploit and intrusion techniques to understand and improve defenses. Like many research endeavors, it has involved the development, sharing, and analysis of information across national boundaries through articles, conferences, and academic publications. This research has successfully produced countermeasures like DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization), which mitigate numerous exploits seen in the wild. These kinds of countermeasures resulted directly from exploitation research and are protected by the new WA definition. While a robust debate on the WA’s implications is useful for the security community, what seems to be lacking is a strategic-level discussion on whether these kinds of arrangements even have the potential to achieve the desired effect. The debate over the definition and wording of key terms is indicative of the larger hurdles these kinds of multinational arrangements encounter. This is especially problematic when building upon legacy agreements. By most measures, the WA simply renamed the COCOM (Coordinating Committee for Multilateral Export Controls) export control regime and is a Cold War relic designed to limit the export of weapons and dual-use technologies to the Soviet bloc. The Cold War ended a quarter of a century ago, and yet agreements like the WA are still built on that same mentality and framework. Below are four key areas that impact the ability of the WA (and similar agreements) to achieve the desired effect of “international stability” and should be considered when seeking to limit the diffusion of strategically important and potentially destructive materials.
1. Members only: There are only 41 signatories to the WA (see the map below*). While to some that may seem extensive, it reflects less than a quarter of the states in the international community. In layman’s terms, three-quarters of the countries will be playing by a completely different set of rules and regulations, putting those who implement it at a competitive disadvantage – economically and in national security. Moreover, it means that three-quarters of the countries can export these potentially dual-use technologies – including countries like China, Iran, and North Korea – rendering it unlikely to achieve the desired effect. To be clear, this concern is not just about US adversaries, but also about allies that could gain a competitive advantage. Israel, not a signatory of the WA, has a thriving cyber security industry and may increasingly attract more investment (and innovation!) in light of implementation of the WA.
2. Credible commitments: International cooperation depends heavily on credible commitments and the ability of states to implement the policies embedded in the treaty domestically. As membership rises, so too does diversity in domestic political institutions and foreign policy objectives. It would be startling (to say the least) if Western European countries and Russia pursued implementations that produced uniform adherence to the WA. Even within Western Europe, elections may usher in a new way of approaching digital security. Recent UK elections with a Tory majority may alter legislation pertaining to surveillance issues, and may run counter to the WA.
3. Ambiguity of language: The most unifying theme of the security community’s opposition to the WA is the vague and open-ended definition of intrusion software. By some estimates, anti-virus software and Chrome auto-updates may fit within the definition. The government will likely receive many comments on the definition over the 60-day response period. It is strongly in the best interest of all parties involved that greater specificity be included. Otherwise, there will continue to be headlines vilifying the government for classifying everything digital as a weapon of war, which clearly is not the case. As we grapple with securing systems globally and ensuring our defenses can prevent advanced threats, one might imagine a future where loose policy definitions move software and techniques underground or off-shore for fear of prosecution. This could be counterproductive to understanding and securing the new and changing connected world.
4. Rudderless ship: The most successful international agreements have relied heavily on global leadership, either directly by a hegemonic state or indirectly through leadership within a specific international governmental organization (IGO). This leadership is essential to ensure compliance and norm diffusion of the regulations inherent within a treaty or agreement. The WA lacks any form of IGO support and certainly lacks any hegemonic or bipolar leadership. Even if this leadership did exist, the cyber domain simply lends itself to obfuscation and manipulation of the data and techniques, rendering external monitoring difficult. Moreover, China and Russia continue to push forth norms completely orthogonal to those of the WA, including cyber sovereignty. Without global acceptance and agreement on these foundational concepts, the WA has little chance of adherence even if there is domestic support for the verbiage (which clearly is not currently the case).
In short, the hurdles the WA will encounter when trying to achieve its objectives are those of a typical two-level game that hinders international cooperation. States must balance international polarity and norms on the one hand, with domestic constituents, institutions and domestic norms on the other. Without the proper conditions at both the domestic and international level, agreements have little chance of actually achieving the objective. If the goal is truly focusing on international stability, human rights, and privacy, the WA may not be the optimal means of achieving these goals. As organizations, researchers, and activists continue to contribute to the critical debate about the value and feasibility of the WA, the policy and security communities should take advantage of the open comment period to remember that the complexity and dynamism of the current digital landscape require novel thinking beyond obsolete Cold War approaches.
*Wassenaar Arrangement Participants (source: https://www.armscontrol.org/factsheets/wassenaar)