Homeland security experts warn of the next wide scale military offensive beginning with a decisive zero-day cyber-attack. Last December, representatives from over 40 developed nations heeded these warnings through an amendment to the “Wassenaar Arrangement” – a multilateral export control regime through which adherent states commit to regulating trade of a variety conventional arms and “dual-use” goods and technologies. Through the December amendment, the Wassenaar “control list” now includes reference to “Intrusion Software” and certain forms of “IP network surveillance” systems. While the amendment was ostensibly aimed at curtailing the proliferation of “active” or “offensive” cyber technologies – the kinds used to initiate attacks and exploitations or to actively mine and analyze protected data – the language is worded broadly and may have inadvertently captured innocuous commercial activity of civilian IT companies.
Grace Period (outside of Israel)
To the grace of exporters from official Wassenaar countries (such as the U.S. and most of Europe), amendments to the Wassenaar list apply only after formal domestic implementation takes place. As a result, states are waiting to issue formal guidance before constraining their local exporters with onerous export control licensing. However, the same is not true for the State of Israel, which, ironically, is not a formal member of the Wassenaar arrangement.
Regulations in Israel
In Israel, changes to the Wassenaar control list are automatically and almost instantly incorporated into domestic law. Consequently, exporters in Israel’s cyber industry and even those in the broader IT sector are expected (unrealistically, in our opinion) to be fully cognizant of the recent regulatory developments and, if necessary, obtain requisite export licensing from the Israeli Ministry of Defense (MOD) or the Israeli Ministry of the Economy (MOE). To the dismay of Israel’s robust cyber industry (estimated to have exported upwards of 3 billion USD in 2013), no guidance from local regulatory authorities has been issued. Instead, ambiguities abound – both regarding the language of the Wassenaar amendment and the MOD/MOE licensing processes. And yet, despite the lack of regularly guidance, the law nevertheless prescribes harsh criminal and administrative penalties against both companies and individuals for export control compliance failures (including prison, heavy fines and/or denial of export privileges).
In conclusion, the Israeli cyber and IT communities are waiting in tension to receive some direction from local export control authorities. However, recent HFN conversations with senior export control regulators at the MOD, MOE and the National Cyber Bureau indicate that despite the amendment having taken effect over half a year ago, it may yet take some time before such guidance is issued. Moreover, it is entirely unclear if such guidance will alleviate the growing fears of an overly broad cyber/IT export control system in Israel.
As a result, until this zero-day export-control vulnerability is addressed, cyber and IT firms operating throughout Israel must conduct informed “product classifications” and arm themselves with the legal and regulatory tools to avoid being the subject of enforcement actions for inadvertent compliance failures.