Skip to main content

International Cybersecurity Norms and Information Age Export Controls

November 23, 2016


Dan Arnaudo

Russian backed cyberattacks on the Democratic National Committee, hacking Hillary Clinton’s campaign, on critical infrastructure and even on the roots of the Internet itself have captured the headlines in the past year. These kinds of attacks are only likely to grow in the coming years as we become increasingly interconnected through traditional computers, mobiles, and the growing “Internet of Things”.

What is worse, we now have governments and corporations that use and profit from these same information technologies on exponential scales. Malicious malware, viruses, and trojans in the hands of rogue hackers, dictatorial regimes, and other adversaries become tools of intelligence services and law enforcement in the hands of governments and multinationals. How do we as citizens confront these challenges, and push our elected representatives and our governments to address them?

In a new article I presented at the 2nd Seminar on the Governance of Networks and the Brazilian Internet Bill of Rights, I explore how this dual use concept works in terms of the export of cyber weapons internationally. I examine the policies of China, the EU, and the US in terms of the major exporters of such information and communication technology (ICT), the international treaties that have been created to control them, and the major cases of violations in the past decade.

The EU and the US are both parties to the Wassenaar Arrangement and the Budapest Convention on Cybercrime, the two major export control regimes for ICT. China is not a member of either, while countries like Russia and South Africa have acceded to Wassenaar, the Council of Europe (which includes countries outside of the EU such as Turkey) penned the Budapest Convention, they invite others to join, as well.

Wassenaar contains a list of dual use technologies that can have both civilian and military applications, and in section 5, it specifies both software and hardware to encrypt information or test information security, amongst other uses. The Budapest Convention focuses on prohibiting the sale and export of technologies that can be used to commit crimes, specifically against the confidentiality, integrity, or availability of other computers and networks.

There is no way to prevent the export or misuse of these kinds of technologies in all cases. Authoritarian regimes will always use them to track, surveil, and censor opposition, individuals will find and use them for there own ends, and companies will make and profit from their use. Through these agreements and other legal safeguards on government intrusion, citizens, policymakers and government officials in democratic states can demand accountability in both the public and private sector.

The US Congress has rightly demanded that the government restrict the export of surveillance hardware to dictatorial, murderous regimes such as Syria. When an investigation revealed that servers configured by a company called Blue Coat for such purposes were diverted from Iraq to Syria, the government had the means under the terms of the agreement to sanction the company and ensure that measures were put in place to verify end users and prevent such exports in future. The Wassenaar Arrangement provided a means for the government to hold the company accountable.


Buy two bugs get one free! Hacking Team customer revenue by country in 2015, from the leaked files.

In terms of software, the exposure of the Italian company Hacking Team’s internal emails and files shows a network of clients ranging from intelligence services and law enforcement, from Sudan to Brazil, including dictatorships and democracies. Again, the European Union cited Wassenaar in blocking the company from making new deals outside of the trading block while it reviewed the its activities.

The fall of Moammar Gadhafi’s regime in Libya helps to illustrate just how deeply certain European technology firms are entwined with authoritarian regimes, and also how companies follow EU policy in practice. In 2009, a French corporation called Amesys provided Gadhafi with a complete Internet filtering system. Its EAGLE system could examine traffic flowing through the central Libyan Internet Exchange in Tripoli, not only to block and identify sites that users want to access, but could also open emails and other forms of electronic correspondence. As Amesys company documents found in Gadhafi’s Internet surveillance office describe:

“Whereas many Internet interception systems carry out basic filtering on IP address and extract only those communications from the global flow (Lawful Interception), EAGLE Interception system analyses and stores all the communications from the monitored link (Massive interception).”


The Amesys EAGLE System, via Wikileaks.

China’s ZTE and a South African firm called VASTech also each contributed pieces to Libya’s surveillance infrastructure, while Narus, a subsidiary of Boeing, participated in the bidding process. VASTech noted that it was in compliance with EU and US regulations and would never export technology to states under UN sanctions, but this case illustrates both the centrality of these technologies in authoritarian command and control structures and the range of international companies that can provide them.

The section of the Wassenaar Arrangement on Information Security has been updated in 2013, a rewrite that has drawn protests from security researchers who argue that they need access to tools such as penetration testers for legitimate purposes, including securing systems against attacks. Clearly there needs to be a balance so that organizations and individuals in democratic states can collaborate with each other across borders to ensure privacy and guard against surveillance by any party. The flags raised by these opponents are legitimate and the wording of such agreements needs to be carefully examined and exceptions granted for legitimate security users.

Above all, these international agreements provide the mechanisms for citizens of democratic states, in collaboration with their representatives in legislatures and the bureaucracy, to ensure their privacy, hold their governments and others accountable and cooperate across borders to ensure compliance and pressure authoritarian regimes. These technologies are only growing more powerful, and we need every tool, legal and technical, to challenge the ability of others to use them to destroy our privacy, a cornerstone of democracy in the process.

This post originally appeared on Dan Arnaudo’s website.

This publication was made possible in part by a grant from Carnegie Corporation of New York. The statements made and views expressed are solely the responsibility of the author.