A consortium of western governments is looking to tighten the control of sensitive cyber security technology, so that exports are handled just like weapon sales.
Citing sources familiar with the matter, The Financial Times reports that several international governments are working together to update the terms of The Wassenaar Agreement, which was first introduced in 1996 by 41 countries (including the US, Russia, Japan, France, Germany and the UK) to limit the export of electronics security technologies.
The revised agreement, drawn up in Vienna last week (week starting December 2), is expected to further limit security technologies much in the same way as weapon sales and could classify software and hardware products that are used for hacking, network surveillance and intelligence. This would most likely mean greater export controls on such products, which is likely to have a deep impact on vendors.
Diplomats are said to be particularly concerned about “deep package inspection” technologies which allow users to screen data for hidden viruses, malware or surveillance programmes. They believe that this could well fall into enemy hands, allowing them to foil cyber attacks and potentially gain an understanding of western security screening systems.
The UK government is leading this rush to clamp down on cyber security technology exports and “cyber proliferation” – an area of increasing concern for most western governments. This is perhaps not surprising considering the UK Trade and Investment government office recently estimated that the cyber security market is valued at £123 billion and growing at 10 percent year-on-year.
A spokesman for the UK's Department for Business, which deals with the country's export license regime, called the move a necessity.
“The government agrees that further regulation is necessary. These products have legitimate uses in defending networks and tracking and disrupting criminals but we recognise that they may also be used to conduct espionage.
“Given the international nature of this problem we believe that an internationally agreed solution will be the most effective response. That is why the UK is leading international efforts to agree export controls on specific technologies of concern. We expect to be able to announce real progress in this area in early December.”
A number of industry observers have applauded the move, although 2-Sec CEO Tim Holman, who is also the President of the UK's Information Systems Security Association (ISSA), said that it could stifle software innovation.
“There have long been export controls in place for cryptographic solutions, and this new directive could add niche providers of security solutions to the list, especially IDS, IPS and other analysis/detection tools,” said Holman, when speaking to SCMagazineUK.com. “That is ultimately what our adversaries seek to avoid.”
“Innovation of course will be stifled by any regulatory restrictions and put the technology into the hands of governments and larger organisations under strict license,” he added.
“Overall I kind of think [that] this is a necessary step – there are extremely powerful tools out there that can take down websites at a click of a mouse, so why shouldn't they be licensed and sold in a controlled manner?”
Meanwhile, Peter Armstrong, the director of cyber security at Thales UK, welcomed the UK government's move and said that it represented another “great step” to educating governments and businesses on the threat of cyber proliferation.
“It's encouraging to see the UK government leading the push to clamp down on cyber proliferation,” Armstrong told SCMagazineUK.com.
“It's crucial in this day and age to remember that it is no longer just physical threats to infrastructure that pose the biggest concern. The danger of cyber threats should not be downplayed as they are not confined to geographical borders and do have the ability to deliver physical damage to infrastructure. Modern nations are entangled in multiple networks, networks that need rigorous defences in place.”
Armstrong added: “This latest move is a great step towards educating government and businesses alike that cyber security is a national security issue, not just an IT issue confined to the public domain.
“Much like the control and regulation of arms, the UK government needs to ensure that the cyber defence supply chain is trusted and adequately protected. It is important too that guidance is clear and readily available to all parts of the cyber supply industry, large and small, in order to ensure consistent behaviour.”