A regulatory change two months ago on the international level is expected to create difficulties in the Israeli cybertechnology sector. The change involves an amendment to the Wassenaar Arrangement, a voluntary international agreement regulating conventional weapons and so-called dual use technology, which can be put to both civilian and military use.
The change tightens oversight of “intrusion software” designed to break into smartphones and decipher encryption on digital devices. Companies specializing in forensic cybertechnology will be affected most. That’s the field dealing with the development of software that helps law enforcement agencies collect evidence and reconstruct cellphone data in criminal investigations.
The Wassenaar Arrangement, which was created in 1966 and is named after a Dutch town, governs nine dual-use technologies and 22 categories of weaponry. The pact has its origins in the Cold War and was initially aimed at preventing the transfer of information from NATO countries to the members of the Warsaw Pact, the Communist bloc led by the Soviet Union.
There are other voluntary arrangements to control and oversee the spread of weapons. One of them is the Missile Technology Control Regime, which Iran and North Korea refuse to adhere to. Today the Wassenaar Arrangement has 42 signatories including the United States, Canada, Britain, Germany and France. The members also include Australia, Russia, South Korea, Argentina, Mexico and Turkey.
A Turkish veto
China and Israel are the two most prominent countries that are not parties to the agreement. Israel is not a party due to opposition from Turkey. The addition of new member states requires the unanimous consent of the existing members and Turkey has refused to consent. In 2006, Israel announced that it would comply with the decisions of the Wassenaar Arrangement, although in practice, Israel selectively revises its list of dual-use technologies when it suits the country.
It’s important to note that the international arrangement deals only with the import and export of dual-use technology. Military technologies are not covered by it.
But how is it possible to make the distinction between military and dual-use technologies, and in the world of cybertechnology no less? When it comes to forensic cybertechnology, the Wassenaar Arrangement now regulates the field, which up to now had been wide open. It has been decided that anyone wishing to buy or sell intrusion software will need a license.
That is expected to make it more difficult for law enforcement (because the need for a license could delay time-sensitive investigations). But it will also make life harder for the tech firms in the field (because the licensing requirement will make it more difficult for them to do business).
Intrusive systems in the forensic cybertechnology world exploit operating systems’ weaknesses to install malware and Trojan horses. One of the most prominent companies in the field is the controversial Israeli firm the NSO Group, which developed a software tool a decade ago called Pegasus that makes use of weaknesses in the design of smartphones to extract data by circumventing the phones’ security systems.
The use of such data is a double-edged sword. It can assist in the global war against terrorists and other criminals, but if it is sold to dubious regimes, these governments can use it against political rivals or to abuse human rights.
The problematic aspect of breaking into cellphones and the relationship between law enforcement agencies and the private sector dominated the headlines in December 2015 in the wake of the mass shooting at the Inland Regional Center in San Bernardino, California, where two terrorists, a man and a woman, stormed a local health office and killed 14 people. The assailants, who were of Pakistani background, fled the scene but were eventually killed in a police chase.
It was initially reported that help was enlisted from Cellebrite, an Israeli cybersecurity firm that specializes in cellphone data extraction and analysis. Later, however, the Washington Post reported that the FBI had hired and paid private hackers who were successful in their mission.
In Israel, there is a complex bureaucracy when it comes to the import and export of dual-use technology. On paper, the Defense Ministry oversees the technology meant for security-related use and the Economy and Industry Ministry supervises technology for civilian use.
But since in the cybertechnology world distinguishing the two is a complex matter, the two ministries have engaged in turf battles that on occasion have affected companies in the field as well. A third government entity, the Israel National Cyber Directorate, has stepped in to try to resolve the matter.