
A new white paper from the Center for Long-Term Cybersecurity explores the use of international export controls to limit the dissemination of commercial spyware technologies. The paper, “Managing Commercial Spyware Through Export Controls: Lessons Learned from the Wassenaar Experience,” was authored by Elaine Korzak, Research Scholar with the Berkeley Risk and Security Lab (BRSL) and a Research Affiliate with CLTC.
Korzak’s paper focuses on the Wassenaar Arrangement, a multilateral coordination mechanism originally established in 1995 to control the export of conventional weapons and dual-use items. The Arrangement, which has dozens of participating nation-states as members, was first applied to limit select spyware tools in 2013, following the Arab Spring, when select spyware (including NSO Group’s Pegasus) was discovered to have been used for widespread surveillance, in violation of human rights.
In the ensuing years, “many activists, journalists, lawyers, and politicians worldwide” have been “targeted and compromised by commercial spyware technologies,” Korzak writes.
But efforts to control the distribution of such technologies through the Wassenaar Arrangement have been fraught with challenges. “These changes, which represented the first international effort to directly regulate commercial spyware technologies, proved highly controversial, particularly in the United States,” Korzak explains. “An impasse in international regulation efforts followed for several years.”
The use of Wassenaar to contain spyware was seen as problematic in the United States in part because of the potential impacts on cybersecurity. “Criticism of the proposed rule was mainly based on its perceived detrimental effect on cybersecurity business and research,” Korzak writes. “While controls on items related to intrusion software were aimed at tools used in connection with human rights violations, many argued that they could unintentionally undermine everyday activities involved in the defense of networks and devices, such as penetration testing or vulnerability disclosure.”
Korzak’s analysis, which focuses on the European Union and United States, identifies key lessons that the Wassenaar experience illuminated about the regulation of commercial spyware through multilateral export controls.

First, export control decisions have been compounded by “the need to balance new and additional equities,” Korzak writes. “In addition to economic interests and national security concerns, states need to engage with human rights as well as cybersecurity considerations in the context of export controls. This multitude of considerations requires individual states to wrestle with their own prioritization among these equities in order to effectively engage in and shape export controls, as well as other international regulation efforts.”
Second, the Wassenaar export controls were “contentious,” which “had a lasting effect on the Wassenaar Arrangement and its members, led to questions about the utility of export controls, and impeded international progress on the issue.” Rather than focusing on a single regulatory mechanism, Korzak argues, “stakeholders should pursue a web of national and international measures to address commercial spyware. This, in turn, requires systematic mapping and examination of potential measures.”
Finally, Korzak notes that there are “inherent limitations to Wassenaar controls, and to export controls more generally, that need to be identified and acknowledged. Given that the Wassenaar controls target only a very small subset of commercial spyware technologies, the effectiveness of export controls is naturally limited. The Wassenaar experience provides an opportunity to assess and improve the efficacy of controls, but to conduct such assessments, data regarding export applications, approvals, and denials needs to be systematically gathered, collated, and analyzed.”
Korzak explains that, following the Wassenaar Arrangement, there have been more recent efforts to limit spyware, such as the Pall Mall Process, a sign of “renewed interest and growing political momentum among states to tackle the question of commercial spyware and its international regulation.”
Korzak’s paper offers a thorough analysis that can be used by future policymakers looking to manage the distribution of spyware technologies. “A look at past efforts, their effectiveness, and their challenges is a crucial step for effectively driving new international regulatory efforts forward,” Korzak writes. “The lessons identified in this paper provide valuable insights for stakeholders seeking to improve upon existing export controls, as well as to explore other mechanisms and measures to address the proliferation and misuse of commercial spyware technologies.”