Updating the Wassenaar debate once again: Surveillance, intrusion software, and ambiguity

Pages 169-186 | Published online: 14 May 2019
 

ABSTRACT

This paper analyzes a recent debate on regulating cyber weapons through multilateral export controls. The background is the amendment of the international Wassenaar Arrangement to cover offensive cyber security technologies known as intrusion software. Implicitly, such software is related to previously unregulated software vulnerabilities and exploits, which makes the ongoing debate particularly relevant. By placing the debate into a historical context, the paper reveals interesting historical parallels, elaborates the political background, and underlines many ambiguity problems related to rigorous definitions for cyber weapons. Many difficult problems that remain for framing offensive security tools with multilateral export controls are also pointed out.

Notes

1. For the purposes of this paper, the concept of cyber weapons is deliberately left undefined (for a theoretical discussion about the concept see Bellovin, Landau, & Lin, Citation2017; Eilstrup-Sangiovanni, Citation2018).

2. This kind of voluntarism has also remained Wassenaar’s central problem (Gärtner, Citation2010). In the contemporary global world, an export to the Middle East might be denied to a supplier in the US, although a transfer might still be possible via a subsidiary in another country, to paraphrase Beck’s (Citation2000) example. Exporters’ failures to comply are relatively common (Burke, Citation2012). Inadequate comprehensiveness and lack of diligence have also frequently opened loopholes through which shadow exports remain possible despite the controls in place (Waltz, Citation2007). The ICT sector is supposedly particularly problematic in this regard.

3. This threefold terminological setup is not comprehensive, but it still allows framing the scope of the paper as well as the current debate. Importantly, the restriction to these three concepts deliberately bypasses arguably more fundamental concepts related to threats, risks, and likelihoods. Nor is any attempt made to place the case at hand into analytical cages such as the confidentiality, integrity, and availability (CIA) triad.

4. Here, offensive security is used to analytically distinguish practices and technologies that are distinct from those used in the more traditional defensive security segment, including conventional anti-virus software companies (Ruohonen et al., Citation2016b). This definition is deliberately restricted to the industry (for a more encompassing discussion see Eilstrup-Sangiovanni, Citation2018; Slayton, Citation2016). Analogously to the duality between vulnerabilities and exploits (often, demonstrating the existence of the former mandates the engineering of the latter), the (defensive) technologies within the sector often utilize offensive techniques for defensive purposes. So-called penetration testing (Knowles et al., Citation2016) is the prime example in this regard. Furthermore, it can be noted that the term zero-day vulnerability refers to a vulnerability that has been discovered, whether by a benign actor or a criminal, but not made known (that is, disclosed) to the affected vendor, its users, and the public; the vendor has thus had zero days to prepare a fix.

5. Moreover, the current composition makes it possible to question whether terms such as Western or transatlantic are misleading for characterizing the case. While keeping this terminology remark in mind, in this paper, when used, these terms refer to the long historical genesis rather than to the geographic composition.

6. By and large, this dividing line can be argued to apply also to Europe, within which public outcries for tighter controls have often met the commercial rationale of creating a level playing field for the European defense and security industries (Bauer & Bromley, Citation2016; Hansen, Citation2016). In terms of the 2010s debate, however, the voice of the industry is largely a global one rather than one carrying a particular geographic tone.

7. This kind of large institutional variety is not limited to bureaucratic administrative institutions (that is, the policy complexity extends to parliamentary institutions). Nor is it specific to the United States. In general, poor coordination between institutions may also contribute to problems in rigorous enforcement, alongside other inefficiencies in export controls (Seyoum, Citation2017; Yuan, Citation2002).

8. A number of historical examples could be used to illustrate this rationale. To give a relatively recent example, it was present in 2008 when President Bush announced a reform of dual-use export control policies (Bartlett et al., Citation2008). To give another, more distant example: in the long historical picture, the rationale was visible already in the US reluctance to engage in the early multilateral efforts, as exemplified by the late 1935 ratification of the (1925) Geneva Arms Traffic Convention (Erickson, Citation2015). To some extent, both examples could be used as evidence for framing even the whole history of modern export controls against the dual rationale.

9. Although some scholars have interpreted the EU response as having resulted from opaque US policies for cryptography (Winkel, Citation2003), it is worthwhile to emphasize the NGO side, including the role of academia. Indeed, perhaps the most famous legal case during the crypto wars was initiated by computer scientist Daniel J. Bernstein, who challenged the export controls on cryptographic source code; the case can be interpreted as having signaled the fundamental turn of the tide (Kennedy, Citation2000; McGlone & Burton, Citation2000; Thomsen & Paytas, Citation2001). Analogously, the emergence of the open source phenomenon accelerated the relaxation (Diffie & Landau, Citation2007). Although the paper is framed against multilateral controls (policies), which are imposed by states against other states, it should thus be emphasized that export control politics cannot be understood from a state-centric viewpoint alone.

10. A simple example would be a structured query language (SQL) injection: what separates commands that are externally injected into execution from commands that are externally inserted into execution by design? At the level of the SQL text that the database finally parses, nothing does; the difference lies only in whether the program intended to treat the external input as data or as instructions.
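The following added example (not from the paper) makes the ambiguity in note 10 concrete. It assumes a constructed three-row table and a hypothetical attacker string; the three lookup functions and the sample data are this editor's illustration, not the authors' code. The same externally supplied string is harmless when bound as a parameter, widens the query when spliced into the SQL text, and produces exactly the same widened query when handed to a function that executes external SQL on purpose (as any database shell does). The bytes the database executes are identical in the last two cases; only the program's intended execution path separates a vulnerability from a feature.

```python
"""Added example: externally supplied input as data versus as instructions.

The table and the attacker string are constructed for this illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_param(conn: sqlite3.Connection, name: str) -> list[str]:
    """Parameterized query: the external value is bound as data.

    Whatever the string contains, the database compares it to the column;
    it is never parsed as part of the command.
    """
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def lookup_concat(conn: sqlite3.Connection, name: str) -> list[str]:
    """Vulnerable query: the external value is spliced into the SQL text.

    Anything the string contains is parsed as part of the command, so a
    quote plus an OR clause is 'externally injected' into execution.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def execute_supplied(conn: sqlite3.Connection, sql: str) -> list[str]:
    """Intentional execution of external SQL, as a database shell would do.

    This is the 'externally inserted by design' case: the program's
    execution path is meant to run whatever command it is given.
    """
    return [row[0] for row in conn.execute(sql)]


# Hypothetical attacker-controlled input (constructed for the example).
PAYLOAD = "x' OR '1'='1"


def demo() -> dict[str, list[str]]:
    """Run all three paths on a benign name and on the payload."""
    conn = make_db()
    # The text that the concatenating lookup ends up sending to the database.
    widened = "SELECT name FROM users WHERE name = '" + PAYLOAD + "'"
    return {
        "benign_param": lookup_param(conn, "alice"),
        "benign_concat": lookup_concat(conn, "alice"),
        "payload_param": lookup_param(conn, PAYLOAD),
        "payload_concat": lookup_concat(conn, PAYLOAD),
        "payload_by_design": execute_supplied(conn, widened),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label:18s} -> {names}")
```

The bound parameter returns nothing for the payload because no user is literally named `x' OR '1'='1`; the concatenated query and the deliberately executed query both return every row, and they do so from byte-for-byte identical SQL. Any definition of "intrusion" that looks only at what is executed, rather than at what the program was built to execute, cannot tell the two apart.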

11. This change also allows a small historical parallel to the ATT negotiations, during which the US also eventually reversed its position (see Bromley et al., Citation2012; Erickson, Citation2015). Another reversal occurred in April 2019, when the Trump administration announced a withdrawal from the ATT, which the US had signed (without ratifying) in 2013 during the Obama administration.

12. It can be remarked that the mid-2010s events in the EU largely followed a similar path, although the analogous European lobbying efforts were not as successful as in the United States. In the late-2010s, however, there were also some cracks within the EU. Although the attempts were unsuccessful, some member states (notably, Finland, Sweden, and the United Kingdom) opposed the EU-level enforcement by arguing that regulation should occur primarily through the WA and its national implementations (Moßbrucker, Citation2018).

13. As noted by Eilstrup-Sangiovanni (Citation2018), the speed at which multilateral agreements and conventions are negotiated has been a common issue also in the cyber security domain. The same point extends to the right timing to conduct such negotiations in the face of other events in world politics. In other words, it may be that mid-2010s was not the optimal time to alter the WA.

14. It is not difficult to ask even trickier questions. Recalling the WA's definitions, consider the following imaginary question as an example: is the use of the nmap tool (cf. Lyon, Citation2009) part of monitoring or defeating (or both) countermeasures, such as firewalls, when conducted in, say, virtualized environments for penetration testing of an open source software updating solution deployed for a particular hypervisor running in a cloud?

15. Also Herr and Rosenzweig (Citation2016) raise the same point about PR5. It is worth further remarking that a robust way to improve the terminology would be to attach the concepts to standards, but the problem is that particularly offensive cyber security tools and techniques seldom have clear technical reference points.

Additional information

Notes on contributors

Jukka Ruohonen

Jukka Ruohonen is a researcher.

Kai K. Kimppa

Kai K. Kimppa is a researcher.
