Written in late 2014 to clear up some notable confusion on the reach of the Wassenaar Arrangement.
I have a Patreon, here, where you can subscribe to support my security and systems-focused writing. You sign up for a fixed amount per essay (with an optional monthly cap), and you'll be notified every time I publish something new. At higher support levels, you'll get early access, a chance to get in-depth answers to your questions, and even for more general consulting time.
© 2021 Eleanor Saitta.
There is a significant degree of confusion as to what has actually been added to the list of controlled dual-use goods and technologies in the Wassenaar Arrangement (WA). The WA is a 41-country agreement that signatory nations agree to enact in national law; it does not have legal force directly. Recently, a set of items was added to the list that attempt to control both large-scale surveillance systems and malware. The full text of the most recent version of the control list can be found here.
The controlled items intended to stop malware are as follows:
4. A. 5. on pp73:
Systems, equipment, and components therefor, specially designed or modified for the generation, operation or delivery of, or communication with, “intrusion software”.
4. D. 4. on pp74:
“Software” specially designed or modified for the generation, operation or delivery of, or communication with, “intrusion software”.
4. E. 1. c. on pp74:
“Technology” for the “development” of “intrusion software”.
In order to understand what this means, we need to expand a bunch of definitions. The following are the definitions of terms used here (a very, very long list). None of them, especially “Intrusion Software” are directly controlled items.
Is related to all stages prior to serial production, such as: design, design research, design analysis, design concepts, assembly and testing of prototypes, pilot production schemes, design data, process of transforming design data into a product, configuration design, integration design, layouts.
Means all production stages, such as: product engineering, manufacture, integration, assembly (mounting), inspection, testing, quality assurance.
Operation, installation (including on-site installation), maintenance (checking), repair, overhaul and refurbishing.
- “Intrusion software”
“Software” specially designed or modified to avoid detection by ‘monitoring tools’, or to defeat ‘protective countermeasures’, of a computer or network capable device, and performing any of the following:
- The extraction of data or information, from a computer or network capable device, or the modification of system or user data; or
- The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.
- ”Intrusion software“ does not include any of the following:
- Hypervisors, debuggers or Software Reverse Engineering (SRE) tools;
- Digital Rights Management (DRM) “software” or
- “Software” designed to be installed by manufacturers, administrators or users, for the purposes of asset tracking or recovery.
- Network-capable devices include mobile devices and smart meters.
- ‘Monitoring tools’: “software” or hardware devices, that monitor system behaviours or processes running on a device. This includes antivirus (AV) products, end point security products, Personal Security Products (PSP), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) or firewalls.
- ‘Protective countermeasures’: techniques designed to ensure the safe execution of code, such as Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) or sandboxing.
Specific information necessary for the “development”, “production” or “use” of a product. The information takes the form of technical data or technical assistance. Controlled “technology” for the Dual-Use List is defined in the General Technology Note and in the Dual-Use List. Controlled “technology” for the Munitions List is specified in ML22.Technical Notes
- ‘Technical data’ may take forms such as blueprints, plans, diagrams, models, formulae, tables, engineering designs and specifications, manuals and instructions written or recorded on other media or devices such as disk, tape, read-only memories.
- ‘Technical assistance’ may take forms such as instruction, skills, training, working knowledge, consulting services. ‘Technical assistance’ may involve transfer of ‘technical data’.
A collection of one or more “programmes” or “microprogrammes” fixed in any tangible medium of expression.
A sequence of instructions to carry out a process in, or convertible into, a form executable by an electronic
A sequence of elementary instructions maintained in a special storage, the execution of which is initiated by the introduction of its reference instruction register.
- “Source code”
A convenient expression of one or more processes which may be turned by a programming system into equipment executable form (“object code” (or object language)).
- “Object code”
An equipment executable form of a convenient expression of one or more processes (“source code” (or source language)) which has been compiled by a programming system.
- “Information security”
All the means and functions ensuring the accessibility, confidentiality or integrity of information or communications, excluding the means and functions intended to safeguard against malfunctions. This includes “cryptography”, “cryptographic activation”, cryptanalysis, protection against compromising emanations and computer security.
‘Cryptanalysis”: the analysis of a cryptographic system or its inputs and outputs to derive confidential variables or sensitive data, including clear text. (ISO 7498-2-1988 (E), paragraph 3.3.18).
- “In the public domain”
This means “technology” or “software” which has been made available without restrictions upon its further dissemination. Note: Copyright restrictions do not remove “technology” or “software” from being “in the public domain”.
It's specifically noted in a statement of understanding that electronic transfers are a covered export, and that unless explicitly excepted, if either “technology” or “software” would be controlled, “source code” is also controlled unless explicitly decontrolled. The “General Software Note” on pp3, however, does carve out some important exclusions to the controlled items list:
The Lists do not control “software” which is any of the following:
Generally available to the public by being:
- Sold from stock at retail selling points without restriction, by means of:
- Over-the-counter transactions;
- Mail order transactions;
- Electronic transactions; or
- Telephone call transactions; and
- Designed for installation by the user without further substantial support by the supplier;
“In the public domain”; or
The minimum necessary “object code” for the installation, operation, maintenance (checking) or repair of those items whose export has been authorised.
Note: Entry 1 of the General Software Note does not release “software” controlled by Category 5 - Part 2 (“Information Security”).
Note Entry 3 of the General Software Note does not release “software” controlled by Category 5 - Part 2 (”Information Security“).
That's the end of our definitions. If you caught that bit about “Information Security”, that's the section primarily on cryptographic software. There's some potentially worrying stuff in there too, but we mostly settled that set of issues in the 90's, and while the WA list isn't great there, the national laws that implemented it are mostly reasonable. Now we have to fight this again, to make sure that the laws implementing things this time around are reasonable. Because the focus during the last round was cryptography, not more general purpose computer security, those last few words in the definition of information security simply got ignored — it's not clear we'll be so lucky this time.
This has given us the technical definition, but let's look at something specific that might be problematic here, namely a fuzzer. A fuzzer, for those of you not familiar with them, is a standard piece of testing software that simply generates massive amounts of random input for a program, in the attempt to find strings that will cause the system to crash. In the process of its normal operation, a fuzzer will generate things that meet the definition of “Intrusion Software”, namely “software specially designed to defeat protective countermeasures of a computer or network capable device and performing the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions”. That's what fuzzers do.
The string generated by the fuzzer isn't a “hypervisor, debugger, or Software Reverse Engineering (SRE) tool, Digital Rights Management (DRM) software, or Software designed to be installed by manufacturers, administrators or users, for the purposes of asset tracking or recovery” — it's a potential exploit, the thing we're trying to find with the fuzzer so we can fix bugs or exploit them in the wild — there's no difference between attack and defense at this level.
Now, the fuzzer itself most definitely is “Software specially designed or modified for the generation, operation or delivery of, or communication with, intrusion software”, so it's a controlled item under 4. D. 4.. If it's not generally available to the public, designed for installation by the user without further substantial support by the supplier, or in the public domain (“been made available without restrictions upon its further dissemination”), then it is specifically a controlled item under the WA, for which, once the agreement is enacted, export regulations will apply.
This is just one example, but it indicates the potentially problematic nature of what's been passed here so far. It's not as bad as it looks at first glance, but if not implemented nationally with extreme care, it may become quite bad, and it represents a worrying trend.
In addition to the intrusion software category, the WA also added a set of controls on surveillance systems, of which the following are the relevant controlled items (excerpted):
5. A. 1. j./ on pp81:
IP network communications surveillance systems or equipment, and specially designed components therefor, having all of the following:
Performing all of the following on a carrier class IP network (e.g., national grade IP backbone):
- Analysis at the application layer (e.g., Layer 7 of Open Systems Interconnection (OSI) model (ISO/IEC 7498-1));
- Extraction of selected metadata and application content (e.g., voice, video, messages, attachments); and
- Indexing of extracted data; and
Being specially designed to carry out all of the following:
- Execution of searches on the basis of 'hard selectors'; and
- Mapping of the relational network of an individual or of a group of people.
Note 5.A.1.j. does not apply to systems or equipment, specially designed for any of the following:
- Marketing purpose;
- Network Quality of Service (QoS);or
- Quality of Experience (QoE).
5. D. 1. on pp 82:
“Software” as follows:
- “Software” specially designed or modified for the “development”, “production” or “use” of equipment, functions or features, specified by 5.A.1.;
- “Software” specially designed or modified to support “technology” specified by 5.E.1.;
- Specific “software” specially designed or modified to provide characteristics, functions or features of equipment, specified by 5.A.1. or 5.B.1.;
5. E. 1. on pp 82:
“Technology” as follows:
- “Technology” according to the General Technology Note for the “development”, “production” or “use” (excluding operation) of equipment, functions or features specified by 5.A.1. or “software” specified by 5.D.1.a.;
In the same way that we found problematic examples for intrusion software, problematic examples for surveillance systems will almost certainly come to hand.