Prime Minister Withdraws Proposed Cyber Export Regulations

Just in time for Passover – the Israeli Cyber Industry has been released from the pending threat of burdensome and expansive regulation on cyber export.

On April 19, 2016, the Prime Minister’s Office announced that it is withdrawing the proposed regulations expanding the control of cyber exports. The controls on intrusion software will remain consistent with the 2013 Wassenaar Arrangement updates.

Back in early January this year, the Defense Export Controls Agency (“DECA“) in the Israeli Ministry of Defense (“MOD“) together with the National Cyber Bureau in the Prime Minister’s Office (“PMO“) published proposed broad sweeping regulations concerning the control of cyber exports, substantially more comprehensive than the Wassenaar Arrangement. This proposal brought a flurry of public comment in February and March, and garnered the personal attention of the Prime Minister, Benjamin Netanyahu. An inter-ministerial committee was constituted by the Prime Minister with instructions “to formulate a policy and implementation framework that support the continued prosperity of the cyber industry in Israel, by removing obstacles and providing maximum certainty to companies, entrepreneurs and investors.”

After members of the inter-ministerial team participated in a range of relevant forums as a trust-building step, with the goal of fully presenting the issue and hearing feedback, they proposed their recommendations to the PMO, which were adopted. In a joint press release by the PMO, MOD, Ministry of Economy and Industry and Ministry of Foreign Affairs dated April 17, 2016, it was decided to limit the control over cyber export to the language in the Wassenaar Arrangement, and not to expand on it.

The Wassenaar Arrangement is an international export control regime to which over 40 countries are party. Member countries agree to coordinate their export restrictions on conventional arms and dual-use goods and technologies. In 2013, the Wassenaar Arrangement was amended to include controls over certain (a) software, and (b) systems equipment and components therefor; all as specially designed or modified for the generation, operation or delivery of or communication with Intrusion Software. In addition, technology for the development of Intrusion Software is controlled.

“Intrusion Software” is defined as, “Software specially designed or modified to avoid detection by ‘monitoring tools’, or to defeat ‘protective countermeasures’ of a computer or network capable device, and performing any of the following: (a) The extraction of data or information, from a computer or network capable device, or the modification of data of a system or user; or (b) The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions. “Intrusion Software” does not include any of the following: (a) Hypervisors, debuggers or Software Reverse Engineering (SRE) tools; (b) Digital Rights Management (DRM) software; or (c) Software designed to be installed by manufacturers, administrators or users, for the purposes of asset tracking or recovery.”

Israel is not a member of the Wassenaar Arrangement but follows the Wassenaar Arrangement, and automatically, in January 2014, adopted these amendments on the control of Intrusion Software by updating the Israeli Import-Export Order (Regulation of the Export of Dual-Use Goods and Services) (the “Wassenaar Order“). Under the Israeli Wassenaar Order, all controlled dual-use technologies require an export license, either from the Ministry of the Economy, in the case of exports for civilian use, or from the Ministry of Defense, in the case of exports for defense use.

The joint press release also stated that “[i]n order to maximize certainty and minimize the regulatory burden, definitions will be published that clarify the areas bound by export controls. In addition, a thorough examination for the provision of exemptions and reliefs on licensing requirements will be conducted, according to country and to type of product, technology and services. This will be done in conjunction with continuous monitoring of developments in the Wassenaar Arrangement and in the policies of other countries on cyber export controls, while paying attention to national security, diplomatic and economic interests and assets.” The ministries responsible for implementation have not yet provided any clarification on this.

The press release states that DECA will control exports under the Wassenaar Order to be used by security forces or for them, in accordance with details to be published and subject to the definition determined by law. DECA has confirmed that no details have been published to date. Control of all other controlled cyber exports will be done by the Ministry of Economy and Industry (“MOE“) through a joint mechanism with National Cyber Bureau. According to MOE, no changes in the controls over cyber have been implemented at MOE, and the process remains the same as it has been.

We will continue to update as more information becomes available. We wish all our clients and friends a happy Passover and festival of freedom.

GKH’s Cyber Team is available to assist clients with any matters and concerns.
For further information regarding this update, please contact Adv. Heather A. Stone, Partner, Head of Cyber Desk, at heather@gkh-law.com or 03-6074520.

This alert is prepared as an informational service to clients and colleagues of Gross, Kleinhendler, Hodak, Halevy, Greenberg & Co. (GKH) and the information presented is not intended to provide legal opinions or advice. Readers should seek professional legal advice regarding the matters about which they are particularly concerned.