The Wassenaar Arrangement (or the Wassenaar Arrangement on Global Export for Conventional Arms and Dual-Use Goods and Technologies) is an international export control arrangement. It was established in 1996 to increase transparency and responsibility in the trade of conventional arms and “dual-use technologies” (conventional items that could be potentially weaponized). Currently 41 nations are members of Wassenaar. While most of these are NATO or former COMECON (Warsaw Pact) members, the list also includes countries like Mexico, Japan, South Korea, South Africa and Argentina.
It’s called an arrangement, rather than an agreement, because the scheme is legally voluntary for member countries—Wassenaar has no official legal standing in any of the participant countries. It is also up to each country to independently develop an export control process and make decisions on whether to allow the sale of a particular product to a foreign jurisdiction. For example, in Canada, companies that wish to export controlled items to jurisdictions other than the U.S. need to apply for a permit through Global Affairs Canada. The current controversy over General Dynamics Land Systems Canada’s $15 billion sale of armoured vehicles to Saudi Arabia, and the requirement for Minister Dion to approve this deal, is an example of the Wassenaar export control process in action.
Why does Wassenaar matter to ICT firms?
Wassenaar’s list of controlled items is reviewed on an annual basis, and in 2013 it was updated to include a new control for “intrusion software.” The intention was to prevent rogue countries from buying technology they could use to oppress or spy on their citizens.
While motivated by noble intentions, the negotiators probably didn’t realize that including the overly broad category of “intrusion software” would also disrupt a wide range of essential defensive cyber security activity. For instance, it would require companies to obtain an export permit every time a piece of “intrusion software” is shared across borders, a process which in Canada can take between 10 and 40 days. This would make it near impossible for cyber security professionals in different countries to collaborate in real time to defend against emerging threats, risking everyone’s cyber security. It would make it harder for Red Teams to conduct network penetration testing across borders, even if they work for the same company. Additionally, it does not prevent rogue countries from purchasing technologies from non-Wassenaar countries (e.g. China) or on the dark web.
What’s the current status of Wassenaar and what’s ITAC doing about it?
Canada updated its control lists, adding “intrusion software” to its controlled items list in December 2014. The United States Department of Commerce proposed similar rules in May 2015; however, in the face of significant opposition from the technology industry, the DoC has paused its current approach. In January 2016, congressional hearings were held on this issue. Representatives from Symantec, Microsoft, VMware and the Information Technology Industry Council provided excellent testimony on the potentially catastrophic implications of implementing these export controls. At the March meeting of ITAC’s Cyber Security Forum, Cristin Flynn Goodwin, Assistant General Counsel for Microsoft, provided an update on the current situation with Wassenaar in the U.S., noting that the issue was raised during keynote addresses at the influential RSA Conference, and it has led to schools reevaluating “capture the flag” competitions.
Meanwhile in Canada, ITAC has been working closely with Global Affairs Canada on this issue. In February 2016, ITAC sent a letter to Minister Chrystia Freeland recommending Canada push to have controls on “intrusion software” removed during the 2016 Wassenaar negotiations. To date Global Affairs Canada has been receptive to ITAC’s request; however, the outcomes of negotiations will not be known until September 2016. Until then, ITAC will continue to work closely with Global Affairs Canada and our members to monitor negotiations and ensure an enlightened controls process emerges that can protect human rights while recognizing the realities of the cyber security industry.
If you have any questions on this issue or would like to get involved, please contact David Messer, Sr. Director Policy, ITAC at firstname.lastname@example.org