International export control law
Definition
International export control law has three main pillars: binding international arms treaties, UN Security Council resolutions, and non-binding multilateral export control regimes. Among these, only the Wassenaar Arrangement (WA) deals with cyber tools.
The WA is a non-binding export control regime with 42 participating States as of 2022, many of which have a significant cyber technology sector. Moreover, some non-participating States align their export control legislation and policies – partially or wholly – with the WA.
The WA’s primary goal is “to contribute to regional and international security and stability, by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilising accumulations.” To this end, the participating States should apply export controls to every item on the WA’s Dual-Use or Munitions List. Both lists have been amended to include specific cyber tools and related items to prevent destabilizing accumulations of these items, thereby contributing to security and stability in cyber space.
The Munitions List designates “‘Software’ specially designed or modified for the conduct of military offensive cyber operations” as a controlled item. Furthermore, the list covers the technology related to such software.
The Dual-Use List deals with cyber intrusion tools. However, the WA does not place intrusion tools themselves on the Dual-Use List but only items related to intrusion tools. Whereas an “intrusion tool” means the actual “intruding” software that is installed on the target device, related items are “systems, equipment, and components” or “‘software’ specially designed or modified for the generation, command and control, or delivery of ‘intrusion software’”.
Moreover, States agreed to follow certain best practices to control the transfer of said cyber items irrespective of their means of transfer, thus including intangible transfers such as those via e-mail or the cloud.
Consequently, participating States should require a prior export licence for each export of a cyber tool or related items covered by the WA. In the licensing process, the export control agency should examine whether the transfer of such cyber items would contribute to destabilizing accumulations. There is no clear definition within the WA and no consensus among the participating States on what constitutes “destabilizing accumulations”. Nevertheless, the regime includes best practices setting out relevant elements States should consider in their assessment, at least with respect to weapons. Human rights concerns are included among the elements to consider. However, the final licensing decision always remains within the sole discretion of each participating State.
Appendixes
Notes and references
- For example, the Treaty on the Non-Proliferation of Nuclear Weapons (adopted 1 July 1968, entered into force 5 March 1970) 729 UNTS 161 (NPT); Convention on the Prohibition of the Development, Production and Stockpiling of Bacteriological (Biological) and Toxin Weapons and on their Destruction (adopted 10 April 1972, entered into force 26 March 1975) 1015 UNTS 163 (CBTW); Convention on the Prohibition of the Development, Production, Stockpiling and Use of Chemical Weapons and on their Destruction (adopted 13 January 1993, entered into force 29 April 1997) 1974 UNTS 45 (CWC); Arms Trade Treaty (adopted 2 April 2013, entered into force 24 December 2014) 3031 UNTS 269 (ATT); Convention on Prohibitions or Restrictions on the Use of Certain Conventional Weapons which may be Deemed to be Excessively Injurious or to have Indiscriminate Effects (adopted 10 October 1980, entered into force 2 December 1983) 1342 UNTS 137 (CCW).
- Especially United Nations Security Council (UNSC), ‘Resolution 1540’ (28 April 2004) UN Doc S/Res/1540.
- These are Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, India, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Mexico, Netherlands, New Zealand, Norway, Poland, Portugal, Republic of Korea, Romania, Russian Federation, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Türkiye, Ukraine, United Kingdom and United States, see The Wassenaar Arrangement, ‘About us’ (23.12.2021).
- For example, Israel, Taiwan, and the United Arab Emirates.
- ‘Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies’ Guidelines & Procedures, including the Initial Elements (12 July 1996) WA-DOC (19) PUB 007 para I.1.
- Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies: List of Dual-Use Goods and Technologies (reflects the agreements recorded in Appendix 5 to the Initial Elements, dated 19 December 1995, and all subsequent amendments, including those approved by the Plenary in December 2021) WA-LIST (20) 1 (WA Dual-Use List) and Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies: Munitions List (reflects the agreements recorded in Appendix 5 to the Initial Elements, dated 19 December 1995, and all subsequent amendments, including those approved by the Plenary in December 2021) WA-LIST (20) 1 (WA Munitions List). The Dual-Use List deals with items that can have both a military and civilian application, and the Munitions List deals with purely military items.
- Whether those cyber tools qualify as weapons under IHL is controversial; see Legal review of cyber weapons, means and methods of warfare.
- WA Munitions List ML21.b.5.; does not apply to “vulnerability disclosure” or to “cyber incident response”, limited to non-military defensive cybersecurity readiness or response, see WA Munitions List note 2 to ML21.b.5.; see also the general software note to the WA Munitions List.
- This “includes ‘software’ designed to destroy, damage, degrade or disrupt systems, equipment or ‘software’, specified by the Munitions List, cyber reconnaissance and cyber command and control ‘software’, therefore.” See WA Munitions List note 1 to ML21.b.5.
- Which includes the technology required for developing, producing, operating, installing, maintaining (checking) and repairing military offensive cyber tools, see WA Munitions List ML22.a. The WA defines technology as “specific information necessary for the ‘development’, ‘production’ or ‘use’ of a product. The information takes the form of ‘technical data’ or ‘technical assistance’”, see Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies: Definitions of Terms (reflects the agreements recorded in Appendix 5 to the Initial Elements, dated 19 December 1995, and all subsequent amendments, including those approved by the Plenary in December 2021) WA-LIST (20) 1 (WA Definitions), 234. “‘Technical data’ may take forms such as blueprints, plans, diagrams, models, formulae, tables, engineering designs and specifications, manuals and instructions written or recorded on other media or devices such as disk, tape, read-only memories”, see WA Definitions 234. “‘Technical assistance’ may take forms such as instruction, skills, training, working knowledge, consulting services. ‘Technical assistance’ may involve transfer of ‘technical data’”, see WA Definitions 234.
- The WA defines intrusion software as “‘[s]oftware’ specially designed or modified to avoid detection by ‘monitoring tools’, or to defeat ‘protective countermeasures’, of a computer or network-capable device” and to perform either “extraction of data” or “modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions”, see WA Definitions 224.
- WA Dual-Use List cat 4.A.5. and cat. 4.D.4. Moreover, the list names technology for the “development”, “production” or “use” of intrusion tools, see WA Dual-Use List cat 4.E.1.a. See also the general technology note to the WA Dual-Use List and above n 36. Does not apply to “vulnerability disclosure” or “cyber incident response”, see WA Dual-Use List note 1 to cat 4.E.1.a.
- ‘Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies’ Compendium of Best Practice Documents (December 2019) WA-DOC (19) PUB 005.
- Wassenaar Arrangement, ‘Elements for Objective Analysis and Advice Concerning Potentially Destabilising Accumulations of Conventional Weapons’ Explanatory Note (As adopted in 1998 and amended by the Plenary in 2004 and 2011).
- See ibid 1.e, 3.a; Wassenaar Arrangement, ‘Best Practice Guidelines for Exports of Small Arms and Light Weapons (SALW)’ (2002) (Agreed at the 2002 Plenary and amended at the 2007 and 2019 Plenary) 1–2; moreover, items related to intrusion tools were added by the participating States due to the human rights concerns associated with such tools, E Korzak, ‘Export Controls: The Wassenaar experience and its lessons for international regulation of cyber tools’ in E Tikk and M Kerttunen (eds), Routledge Handbook of International Cybersecurity (Routledge 2020) 305; but see also UN Human Rights Council, ‘Surveillance and human rights’ Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression (28 May 2019) UN Doc A/HRC/41/35 para. 34-38, 66(f) recommending that participating States “should develop a framework by which the licensing of any technology would be conditional upon a national human rights review and companies’ compliance with the Guiding Principles on Business and Human Rights.”
- ‘Wassenaar Arrangement’ 5.