Cybersecurity & Export Controls

Jeremy Otis, General Counsel
C5 Forum on European Export Controls, Brussels, 28 September 2016

Thursday, February 24, 2022 CONFIDENTIAL | ENIRAM SKYLIGHT 1

C5 Cybersecurity and Export Controls 2016 Final


Agenda

• Regulating Cyber tools: “Intrusion Software” & the Wassenaar Arrangement – Can Export Controls Effectively Control the Spread of Cyber Threats?

• Classifying cyber tools as dual-use items: Goals, Threats & Challenges

• View from Finland

• Conclusions

Export Controls & Human Rights

• European Commission (2015): Human rights and security are ”inexorably interlinked”

• International recognition that surveillance software designed and sold by western companies has been responsible for serious abuses by repressive governments
  – Hacking Team (Italy)/Sudan
  – FinFisher (UK)/Egypt

• Export Controls can be a useful tool to protect Human Rights

Can Export Controls Achieve Human Rights Goals?

• Export controls are designed to promote national security, and to a lesser extent global human rights, objectives by restricting the cross-border flow of specified goods with actual or potential military applications.

• Key goals of national export control regimes typically include:
  – Promoting global and regional security by preventing the spread of weapons and related technologies, and
  – implementing key foreign policy and national security objectives as well as international treaty commitments, sanctions and embargoes

• Wassenaar Arrangement (WA): multilaterally agreed (41 signatory nations) control list of dual-use goods with possible military applications that are subject to export licensing
  – Since 2013, additions to the WA dual-use list attempt to promote human rights objectives by limiting the cross-border transfer of surveillance technologies, in particular regulating the sale of technologies with zero-day exploit capabilities to repressive governments.

European Commission Implementation of WA

COMMISSION DELEGATED REGULATION (EU) 2015/2420 of 12 October 2015 amending Council Regulation (EC) No 428/2009 setting up a Community regime for the control of exports, transfer, brokering and transit of dual use items

Cat 4 "Intrusion software" = “Software” specially designed or modified to avoid detection by 'monitoring tools', or to defeat 'protective countermeasures', of a computer or network-capable device, and performing any of the following:

a. the extraction of data or information, from a computer or network-capable device (incl. mobile devices), or the modification of system or user data; or

b. the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

“Intrusion software” does not include any of the following:

a. Hypervisors, debuggers or Software Reverse Engineering (SRE) tools;

b. Digital Rights Management (DRM) "software"; or

c. “Software" designed to be installed by manufacturers, administrators or users, for the purposes of asset tracking or recovery.

**Most common malware R&D tools (remote control software, penetration testing tools, vulnerability reports, proofs-of-concept) potentially all under new WA list definitions and would be subject to national export licensing requirements**

Threats & Challenges: Parity is Elusive

• EU implemented WA intrusion software rules Oct 2015

• US initially backed WA intrusion software controls but later reversed position
  – Proposed Rule, based on WA rules/definitions, submitted for public comment in 2015 and received strong objections from industry and privacy groups
  – EFF: WA intrusion software definition is too broad; US adoption would impact the entire InfoSec industry
  – Most cybersecurity research is performed by commercial entities, so mandatory export licensing of intrusion software will have a chilling effect on legitimate & essential cybersecurity R&D
  – US now seeks to renegotiate WA cyber rules/definitions prior to implementation

• BUT uneven application places European cybersecurity vendors at a competitive disadvantage, which leads to uncertainty, inaction, and/or hesitancy to invest in ”risky” R&D, further chilling security research in Europe


View from Finland

Finland’s cybersecurity cluster (F-Secure, SSH, Nixu) will comply with WA rules, but effective implementation requires at a minimum:

  – clear guidelines & establishment of a Help Desk for inquiries
  – Narrow application by national authorities
  – Express carve-out for day-to-day R&D tools (malware samples/toolkits, penetration testing tools, bug and vulnerability reports) used by cybersecurity vendors

Per the Finnish Export Authorities:

• Since Oct 2015, no licenses have yet been granted for the export of intrusion software, nor has any specific guidance been requested (as of June 2016), and

• Discussion of the intrusion software issue is still continuing

Voices from Finland

Lobbying efforts from Finland’s cybersecurity cluster (F-Secure, SSH, Nixu) include:

• Sept. 2015, Brussels: F-Secure reps attend EP public hearing on WA implementation

• Oct. 2015: F-Secure, SSH & Nixu all individually participated in EC public commentary

• Nov 2015: Finnish cybersecurity companies submit joint position paper to EC with proposals and requesting guidance prior to implementation and enforcement of intrusion software export restrictions

• June 2016, Geneva: Finnish contribution to UNIDIR/CSIS International Security Cyber Issues Workshop session ”Managing the Spread of Cyber Tools that can be Used for Malicious and Unlawful Purposes”


Conclusions

• The EU’s core human rights and national security goals can likely be achieved via mandatory export licensing of intrusion software

• Europe’s cybersecurity vendors are prepared to comply with new rules provided they are given:
  – clear guidance from EU and national authorities (who exercise restraint in restricting the exchange of legitimate research tools), and
  – assurances that competitors in other countries/regions are bound to follow substantially similar rules.

• Harmonization of rules across jurisdictions and clarification of what licenses are required is key


Thank you.

Jeremy Otis
General Counsel
Eniram Ltd.
Itälahdenkatu 22a, FI-00210 Helsinki, Finland
www.eniram.fi
m +358 40 726 6937