For Intel Firms, Changes to Cold War Arms Treaty Could Make Hacking Phones Much Harder

The field is now subject to the Wassenaar Arrangement, which regulates technology that can be used for both civilian and security-related purposes

Yossi Melman
Send in e-mailSend in e-mail
NSO Group's stand at the annual European Police Congress in Berlin.
A man reads at Israel's NSO Group's stand at the annual European Police Congress in Berlin, Feb. 4, 2020. NSO is known for its Pegasus spyware, enabling the remote surveillance of smartphones.Credit: Hannibal Hanschke/Reuters
Yossi Melman

A regulatory change two months ago on the international level is expected to create difficulties in the Israeli cybertechnology sector. The change involves an amendment to the Wassenaar Arrangement, a voluntary international agreement regulating conventional weapons and so-called dual use technology, which can be put to both civilian and military use.

The change tightens oversight of “intrusion software” designed to break into smartphones and decipher encryption on digital devices. Companies specializing in forensic cybertechnology will be affected most. That’s the field dealing with the development of software that helps law enforcement agencies collect evidence and reconstruct cellphone data in criminal investigations.

The Wassenaar Arrangement, which was created in 1966 and is named after a Dutch town, governs nine dual-use technologies and 22 categories of weaponry. The pact has its origins in the Cold War and was initially aimed at preventing the transfer of information from NATO countries to the members of the Warsaw Pact, the Communist bloc led by the Soviet Union.

There are other voluntary arrangements to control and oversee the spread of weapons. One of them is the Missile Technology Control Regime, which Iran and North Korea refuse to adhere to. Today the Wassenaar Arrangement has 42 signatories including the United States, Canada, Britain, Germany and France. The members also include Australia, Russia, South Korea, Argentina, Mexico and Turkey.

A Turkish veto

China and Israel are the two most prominent countries that are not parties to the agreement. Israel is not a party due to opposition from . The addition of new member states requires the unanimous consent of the existing members and Turkey has refused to consent. In 2006, Israel announced that it would comply with the decisions of the Wassenaar Arrangement, although in practice, Israel selectively revises its list of dual-use technologies when its suits the country.

It’s important to note that the international arrangement deals only with the import and export of dual-use technology. Military technologies are not covered by it.

NSO founders Omri Lavie (left) and Shalev Hulio (right).
NSO founders Omri Lavie (left) and Shalev Hulio (right).

But how is it possible to make the distinction between military and dual-use technologies, and in the world of cybertechnology no less? When it comes to forensic cybertechnology, the Wassenaar Arrangement now regulates the field, which up to now had been wide open. It has been decided that anyone wishing to buy or sell intrusion software will need a license.

That is expected to make it more difficult for law enforcement (because the need for a license could delay time-sensitive investigations). But it will also make life harder for the tech firms in the field (because the licensing requirement will make it more difficult for them to do business).

Exploiting weaknesses

Intrusive systems in the forensic cybertechnology world exploit operating systems’ weaknesses to install malware and Trojan horses. One of the most prominent companies in the field is the which developed a software tool a decade ago called Pegasus that makes use of weaknesses in the design of smartphones to extract data by circumventing the phones’ security systems.

The use of such data is a double-edged sword. It can assist in the global war against terrorists and other criminals, but if it is sold to dubious regimes, these governments can use it against political rivals or to abuse human rights.

Security camera footage shows Tashfeen Malik and husband Syed Farook, who carried out San Bernardino massacre in California in December 2015.
Security camera footage shows Tashfeen Malik and husband Syed Farook, who carried out San Bernardino massacre in California in December 2015.Credit: AP

The problematic aspect of breaking into cellphones and the relationship between law enforcement agencies and the private sector dominated the headlines in December 2015 in the wake of the mass shooting at the Inland Regional Center in San Bernardino, California, where two terrorists, a man and a woman, stormed a local health office and killed 14 people. The assailants, who were of Pakistani background, fled the scene but were eventually killed in a police chase.

The FBI found the iPhone 5s of one of the terrorists, but the phone’s manufacturer, Apple, refused to permit FBI agents to recover the data on it, claiming that it would violate Apple’s privacy policy. A court ordered that the FBI be allowed to access the data, but the FBI and even America’s powerful National Security Agency failed to unlock the device.

It was initially reported that help was enlisted from Cellebrite, an Israeli cybersecurity firm that specializes in cellphone data extraction and analysis. Later, however, the Washington Post reported that the FBI had hired and

Government bureaucracy

In Israel, there is a complex bureaucracy when it comes to the import and export of dual-use technology. On paper, the Defense Ministry oversees the technology meant for security-related use and the Economy and Industry Ministry supervises technology for civilian use.

But since in the cybertechnology world distinguishing the two is a complex matter, the two ministries have engaged in turf battles that on occasion have affected companies in the field as well. A third government entity, the Israel National Cyber Directorate, has stepped in to try to resolve the matter.

Comments