International Issues

The Spying Game: Cybersecurity and Export Compliance

The story of whistle-blower Edward Snowden ignited global discourse about internet surveillance systems, spyware, and their implications on the way we work and live.

Recently, the impact of some of these issues on the export compliance world was addressed at the Wassenaar Agreement’s annual plenary meeting in Austria. The group of 41 nations including the United States, Russia, France and Japan agreed on new export controls on cybersecurity technologies, including cryptography, and surveillance tools that could – in the wrong hands – threaten international security.

Existing controls under the Wassenaar Agreement are concerned with conventional arms and dual-use goods and technology.  Most exporters are already diligent in their efforts to prevent selling such items to sanctioned and denied parties and others who would do us harm. But what are cybersecurity technologies and what sort of risks do they present?

Examples of surveillance, law enforcement and intelligence gathering tools include malware and rootkits (software designed to hide certain processes or programs from detection, enabling privileged access to a computer). Governments and other parties can use these tools with malicious intent to avoid security features on electronic devices, extract data from these devices, and ultimately take control of them.  The Financial Times recently asserted that technologies permitting users to screen data for hidden viruses, malware or surveillance cameras can also be used by enemies to “foil cyber-attacks or gain an intimate understanding of Western screening systems and their fallibilities.”

The actual hardware and software that will be impacted by the Wassenaar crackdown has yet to be fully determined, but the implications for export compliance are becoming evident. In the United States, companies wishing to ship surveillance technologies overseas will have to obtain an export license.  To proponents of the new controls, this is a step in the right direction. But some are questioning the big-picture efficacy of the changes. Will focusing our attention on internet spying make a significant dent in terrorism prevention? Some analysts aren’t so sure. One privacy officer noted that new restrictions on strong encryption would “slow the spread to rogue states, such as Syria and Iran”, but speculated that such strict export controls could also have “the perverse effect of lowering encryption standards for everyone.”

Critics have also pointed out that the surveillance tools in question are not even the most threatening in the terrorist arsenal – the internet is more often used as a means of recruitment by terrorists rather than cyber spying. The “old-fashioned” means of acquiring information – moles and anonymous tips – remains more effective for terrorists than decrypting emails ever was.   And skeptics in the U.S. government have been vocal about their misgivings. Some officials are doubtful that “cyber” arms can be as effectively controlled as physical weaponry can.  As one Homeland Security official explained in response to the Wassenaar restrictions, “In cyberspace weapons are bits and bytes and produced as intellectual property.” He added, “While the objective is certainly noble, I suspect the effort will be relatively unsuccessful.”

The quandary of terrorism prevention has always been a great one, but in a world where technology moves at lightning speed, it is even more difficult to find answers to questions of security and risk. Perhaps the Wassenaar restrictions will make it harder for our enemies to play the spying game, but it will take a whole lot more to get them to take their toys and go home.