Cyber Update | February 2016
Proposed Regulations on Cyber Exports
The Defense Export Controls Agency (“DECA”) in the Israeli Ministry of Defense published proposed regulations on January 7, 2016, concerning the control of cyber exports. The proposed regulations are substantially more restrictive than the Wassenaar Arrangement. Comments on the proposed regulations may be submitted through March 3, 2016. The text box contains a free translation of the draft regulations, with highlighting of the language DECA proposes to add, which goes beyond the Wassenaar Arrangement.
The Wassenaar Arrangement is an international export control regime. Member countries agree to coordinate their export restrictions on conventional arms and dual-use goods and technologies. In 2013, the Wassenaar Arrangement was amended to include controls over certain (a) software and/or systems, equipment and components, specially designed or modified for the generation, operation or delivery of or communication with Intrusion Software; and (b) technology to develop Intrusion Software. Israel is not a member of the Wassenaar Arrangement but generally follows it, and automatically incorporated the 2013 Intrusion Software updates to the Arrangement by updating the Israeli Import-Export Order (Regulation of the Export of Dual-Use Goods and Services) (the “Wassenaar Order”) in January 2014. Under the Israeli Wassenaar Order, all controlled dual-use technologies require an export license, either from the Ministry of the Economy for civilian use exports, or from the Ministry of Defense for defense use exports.
The draft regulations include several major, far-reaching changes.
- DECA is proposing to control Intrusion Software and systems that include Intrusion Software. DECA is proposing to control the Intrusion Software products, and not just the means for creating or delivering the Intrusion Software products. This means that Intrusion Software and Intrusion Software Systems will be controlled, unless they fall into the exemptions for not being considered Intrusion Software.
- The draft regulation also proposes to regulate software, systems, equipment and components specially designed or modified to simulate use, operation or communication with Intrusion Software against another. In essence, all penetration testing systems, equipment and components will be controlled. However, the proposed regulation carves out an exception for penetration testing services.
- The draft regulation proposes to also control software, systems, equipment and components specially designed or modified to protect strategic security systems or to protect warfare equipment against Intrusion Software. The modification can be done by the end user, in which case, the product would be subject to control. The concept of strategic security systems is not well defined. For example, would a civilian nuclear energy plant be considered a strategic security system, simply because it is part of the critical infrastructure?
- Additionally, under the draft, software, systems, equipment and components specially designed or modified to protect or monitor communication lines on a national level would also be controlled. Again, if the product can be modified by the end user in such a way that it would allow protection or monitoring of communication lines on a national level, then it will be subject to control. Thus, an exporter must examine whether the particular item was specifically designed to protect or monitor communication lines on a national level or could be modified to do so.
- The draft regulation also attempts to control systems, equipment and components to perform Digital Forensics or to simulate Digital Forensics which meet the criteria in the proposed regulation. Any export sales of such Digital Forensics software will be subject to control. Some of these products are currently sold in large quantities to multiple purchasers. Obtaining a license for each sale will be burdensome. Some Israeli users of Digital Forensics software will need to obtain export licenses for their overseas activity; for example, when an Israeli accounting firm performs an international audit and needs to export its systems, equipment and components to perform Digital Forensics, it will need to obtain an export license from the Ministry of Economy for this purpose. Some cybersecurity products that are ‘off-grid’ integrate a Digital Forensics type element to capture and download the Static Data of intrusion attempts and other information, which may cause the entire product to become subject to control based on the proposed regulations.
- Perhaps one of the most problematic elements of the proposed regulation is the proposal to control Vulnerabilities, unless they fall within a narrow set of exceptions. The exceptions are when the Vulnerability is delivered exclusively to the proprietary owner of the code that is at risk, or the Vulnerability is available in the public domain (on a list that DECA acknowledges), or the Vulnerability is intended for use in defense products only manufactured by the company holding that Vulnerability. In addition, the proposal would control systems or software specially designed or modified to automatically detect Vulnerabilities in order to use them in Intrusion Software against another. In other words, software that automatically detects Vulnerabilities would not be controlled. However, if it automatically detects Vulnerabilities in order to be used in Intrusion Software against another, then it would be controlled. DECA believes that only a small percentage of the industry will be subject to control as a result of these proposals on Vulnerabilities.
There is great concern among investors and both large and small companies in the field that these far-reaching proposals will have a chilling effect on the cyber industry in Israel. Some international companies considering investing in the cyber industry have already indicated that they will wait and see how these regulations pan out. It is unfortunate that DECA has made these proposals just after IVC Research announced that in 2015, 20% of the capital invested in Israeli hi-tech was in the cyber field. The Israeli government has been promoting the State as a cyber capital, and these regulations may end up making Israel a cyber desert.
Israel is not a cyber-oasis. Rather it is part of the international technology community and must be part of the international technology regulation. This is one of the reasons why Israel follows the Wassenaar Arrangement. Less than six months ago, the Bureau of Industry and Security in the U.S. Department of Commerce withdrew export control proposals on Intrusion Software that also would have been more expansive than the Wassenaar Arrangement. This came after more than 250 companies submitted comments on those proposals. Currently, BIS is looking at proposals to make the controls less strict than Wassenaar.
Israel should seriously consider whether it wants to be the “lone wolf” – the only country with extreme cyber export regulation that will have a chilling effect on its cyber industry, especially when it is so dependent upon international investment and cooperation. If the U.S. is considering less stringent regulation, it would be prudent to discuss with the U.S. regulators and counterparts the proposals they are considering, and coordinate the Israeli proposals so they will work together to the advantage of the international cyber business community.
GKH clients concerned they may be affected by the proposed regulations, or interested in submitting comments to DECA, are invited to contact the GKH Cyber Desk for more information: firstname.lastname@example.org