Publications

Cyber Update | February 2016

February 2016

Cyber Update

February 2016

Proposed Regulations on Cyber Exports

The Defense Export Controls Agency (“DECA“) in the Israeli Ministry of Defense published proposed regulations on January 7, 2016, concerning the control of cyber exports substantially more restrictive than the Wassenaar Arrangement. Comments on the proposed regulations may be submitted through March 3, 2016. In the text box appears a free translation of the draft regulations with highlighting of the language proposed to be added by DECA; a proposal that goes beyond the Wassenaar Arrangement.

The Wassenaar Arrangement is an international export control regime. Member countries agree to coordinate their export restrictions on conventional arms and dual-use goods and technologies. In 2013, the Wassenaar Arrangement was amended to include controls over certain (a) software and/or systems equipment and components, specially designed or modified for the generation, operation or delivery of or communication with Intrusion Software; and (b) technology to develop Intrusion Software. Israel is not a member of the Wassenaar Arrangement but generally follows the Wassenaar Arrangement, and automatically incorporated the Intrusion Software updates to the Arrangement from 2013 by updating the Israeli Import-Export Order (Regulation of the Export of Dual-Use Goods and Services) (the “Wassenaar Order“) in January 2014. Under the Israeli Wassenaar Order, all controlled dual-use technologies require an export license, either from the Ministry of the Economy for civilian use exports, or from the Ministry of Defense for defense use exports.

The draft regulations include several major, far sweeping changes.

  • DECA is proposing to control Intrusion Software and systems that include Intrusion Software. DECA is proposing to control the Intrusion Software products, and not just the means for creating or delivering the Intrusion Software products. This means that Intrusion Software and Intrusion Software Systems will be controlled, unless they fall into the exemptions for not being considered Intrusion Software.
  • The draft regulation also proposes to regulate software, systems, equipment and components specially designed or modified to simulate use, operation or communication with Intrusion Software against another. In essence, all penetration testing systems, equipment and components will be controlled. However, the proposed regulation carves out an exception for penetration testing services.
  • The draft regulation proposes to also control software, systems, equipment and components specially designed or modified to protect strategic security systems or to protect warfare equipment against Intrusion Software. The modification can be done by the end user, in which case, the product would be subject to control. The concept of strategic security systems is not well defined. For example, would a civilian nuclear energy plant be considered a strategic security system, simply because it is part of the critical infrastructure?
  • Additionally, under the draft, software, systems, equipment and components specially designed or modified to protect or monitor communication lines on a national level, would also be controlled. Again, if the modification to the product can be capable of being done by the end user, in such a way that it would allow protection or monitoring of communication lines on a national level, then it will be subject to control. Thus, an exporter must examine whether the particular item was specifically designed to protect or monitor communication lines on a national level or could be modified to do so.
  •  The draft regulation attempts to also control systems, equipment and components to perform Digital Forensics or to simulate Digital Forensics which meet the criteria in the proposed regulation. Any export sales of such Digital Forensics software will be subject to control. Some of these products are currently sold in large quantities to multiple purchasers. The ability to obtain licenses per sale will be burdensome. Some Israeli users of Digital Forensic software will need to obtain export licenses for their overseas activity; for example, when an Israeli accounting firm will perform an international audit and will need to export its systems, equipment and components to perform Digital Forensics, it will need to obtain an export license from the Ministry of Economy for this purpose. Some cybersecurity products that are ‘off-grid’ integrate a Digital Forensic type element to capture and download the Static Data of intrusion attempts and other information, which may cause the entire product to become subject to control based on the proposed regulations.
  • Perhaps one of the most problematic elements of the proposed regulation, is the proposal to control Vulnerabilities, unless they fall within a narrow set of exceptions. The exceptions are when the Vulnerability is delivered exclusively to the proprietary owner of the code that is at risk, or the Vulnerability is available in the public domain (on a list that DECA acknowledges), or the Vulnerability is intended for use in defense products only manufactured by the company holding that Vulnerability. In addition, the proposal would control systems or software specially designed or modified to automatically detect Vulnerabilities in order to use them in Intrusion Software against another. In other words, software that automatically detects Vulnerabilities would not be controlled. However, if it automatically detects Vulnerabilities in order to be used in Intrusion Software against another, then it would be controlled. DECA believes that only a small percentage of the industry will be subject to control as a result of these proposals on Vulnerabilities.

There is great concern among investors and both large and small companies in the field that these far sweeping proposals will have a chilling effect on the cyber industry in Israel. Some international companies considering investing in the cyber industry have already indicated that they will wait and see what will pan out with these regulations. It is unfortunate that DECA has made these proposals just after IVC Research announced that in 2015 20% of the capital invested in Israeli hi-tech was in the cyber field. The Israeli government has been promoting the State as a cyber capitol, and these regulations may end up making Israel a cyber desert.

Israel is not a cyber-oasis. Rather it is part of the international technology community and must be part of the international technology regulation. This is one of the reasons why Israel follows the Wassenaar Arrangement. Less than six months ago, the Bureau of Industry and Security in the U.S. Department of Commerce withdrew export control proposals on Intrusion Software that also would have been more expansive than the Wassenaar Arrangement. This came after more than 250 companies submitted comments on those proposals. Currently, BIS is looking at proposals to make the controls less strict than Wassenaar.

Israel should seriously consider whether it wants to be the “lone wolf” – the only country with extreme cyber export regulation that will have a chilling effect on its cyber industry, especially when it is so dependent upon international investment and cooperation. If the U.S. is considering less stringent regulation, it would be prudent to discuss with the U.S. regulators and counterparts the proposals they are considering, and coordinate the Israeli proposals so they will work together to the advantage of the international cyber business community.

GKH clients concerned they may be affected by the proposed regulations, or interested in submitting comments to DECA, are invited to contact the GKH Cyber Desk for more information: heather@gkh-law.com

 

PROPOSED DRAFT FOR CHARACTERIZING CONTROLLED PRODUCTS AND KNOWLEDGE IN THE CYBER FIELD

The blue bold text indicates additions to the Wassenaar Arrangement Dual-Use list

Definitions:

“Intrusion Software”

Software specially designed or modified to avoid detection by ‘monitoring tools’, or to defeat ‘protective countermeasures’ of a computer or network capable device, and performing any of the following:

a. The extraction of data or information, from a computer or network capable device, or the modification of data of a system or user; or

b. The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions; or

c. disruption of functional abilities of the system or causing physical damage to the system.

 

“Intrusion Software” does not include any of the following:

a. Hypervisors, debuggers or Software Reverse Engineering (SRE) tools;

b. Digital Rights Management (DRM) software; or

c. Software designed to be installed by manufacturers, administrators or users, for the purposes of asset tracking or recovery.

 

“Network-Capable Devices” include mobile devices and smart meters.

“Monitoring Tools” – software or hardware devices, that monitor system behaviors or processes running on a device. This includes antivirus (AV) products, end point security products, Personal Security Products (PSP), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) or firewalls.

“Protective Countermeasures”– techniques designed to ensure the safe execution of code, such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) or sandboxing” (mechanism for downloading software safely).”

“Vulnerability”- imperfection in a code or a protocol, which can be exploited in order to harm a system or software.

“Digital Forensics”- obtaining, analyzing or restoring data through a physical interface to computing equipment or storage such as computers, cellphone devices, hard discs, satellite navigation devices, USB components, smart cards and SIM cards.

“Static Data”- data that is maintained in a hard disc or in different storage equipment that does not require an electrical power source in order to maintain the data.

“Volatile Data”- data that is maintained in equipment that requires electrical power in order to maintain the data.

 

 Additions to the controls list:

Systems, Equipment and Components:

1. Intrusion Software and systems including Intrusion Software.

2. Systems, equipment, and components therefor, specially designed or modified for the generation, operation or delivery (pasting) of, or communication with, Intrusion Software including systems, equipment and components specially designed or modified to simulate use, operation or communication with Intrusion Software against another, and not including providing services intended to check systems’ immunity against attack (PT).

3. Systems, equipment and components specially designed or modified to protect strategic security systems or to protect warfare equipment against Intrusion Software. 

4. Systems, equipment, and components specially designed or modified to protect or monitor communication lines on a national level.

5. Systems, equipment, and components to perform Digital Forensics or to simulate Digital Forensics that was:

a. Specially designed to perform or use techniques to prevent the possibility of changing data, in order to copy the data in its entirety; or

b. Specially designed to perform data analysis in order to:

            i.    Restore Static Data created by the system or user;

           ii.    Detection or analysis of Volatile Data created by the system or user.

 

Software:

6. Software specially designed or modified for the generation, operation or delivery (pasting) of, or communication with, Intrusion Software, including software specially designed or modified to simulate use, operation or communication with Intrusion Software against another, and not including providing services intended to check systems’ immunity against attack (PT).

7. Software specially designed or modified to protect strategic security systems or to protect warfare equipment against Intrusion Software.

8. Software specially designed or modified to protect or monitor communication lines on a national level.

 

Technology and Knowledge:

9. Technology and knowledge for the development of Intrusion Software.

10. Vulnerability, not including the following:

a. Vulnerabilities delivered exclusively to whoever developed the code or protocol, or someone on their behalf;

b. Vulnerabilities made available in the public domain.

c. Vulnerabilities intended to use in defense products only, manufactured in the Company holding the Vulnerability or the Company. In this section “Company” includes a company that is a subsidiary or has a subsidiary as defined in the Israeli Securities Law, 5728-1968.

11. System or software specially designed or modified to automatically detect Vulnerabilities, in order to use them in Intrusion Software against another.