Will Israeli cyber companies that deal with intrusion and surveillance software need to readjust their products soon? Opinion
Axiom: the Americans control the computer, internet and cyber realm and know it better than anyone else. They are ahead by several years.
The US administration is the one that defines, in practice, the rules of commerce in this realm, and is the one that sets the boundaries for the entire world. The guidance is divided into two very broad definitions: national security, and anti-terrorism.
It appears, though, that the light this axiom has been shining has dimmed a bit in Israel’s Finance, Foreign and Defense Ministries over the past few years. Facing the success of Israel’s various cyber companies, and the US capital waves that followed suit – those departments pursued an independent policy that became increasingly detached from what was happening around the world.
Now, Israel’s Ministry of Defense is working overtime to translate into Hebrew the new game rules which are being redefined in Washington, DC. First and foremost, Israel is limiting the export to licensed users only, and narrowing the list of countries available for export.
The history of cyber export supervision is relatively short.
In 2013, the Americans added a cybersecurity category to the Wassenaar Arrangement. Basic concepts such as intrusion software and command and control systems were defined, as well as categories of countries under cyber export restrictions.
The US Bureau of Industry and Security (BIS) is in charge of drafting the US export regulations and handling export requests. BIS is caught between two forces.
At one end of the spectrum are government entities that act on behalf of national security and anti-terrorism. These entities include the NSA, CIA, and FBI, and are interested in maintaining the American advantage in the cyber arena and preventing the proliferation of intelligence capabilities.
At the other end is the American cyber industry, which attempts to maintain the largest possible activity area, free from export restrictions. Until recently, the industry managed to put a stop to significant export control changes.
In the past year, things started picking up pace. In October 2021, BIS published a draft of new regulations that tighten supervision on certain cyber items that could be used for malicious activities. The regulations are expected to take effect in early March 2022 (pushed back from the original January 19th).
Major changes include detailed references to systems, equipment, assemblies, software and tech that have been developed or transformed to create or control malicious intrusive software. Over 60 pages attempt to paint a clearer, more updated boundary picture.
The regulations go to great lengths to differentiate between legitimate systems that update their software or track malicious activity, and other systems that insert surveillance and data collection software into the system without the user’s knowledge or consent.
The requirement for companies to make sure that their products are only used by approved customers, according to the listed categories, has also been tightened.
It is interesting to note that the rules do not discuss hackers. This is spelled out in the lengthy Q&A sheet published by BIS.
In practice, the new regulations leave a lot of grey as far as the way products are catalogued, how content is defined, who the legitimate customers are, and especially regarding enforcement. As the spirit of things is “when in doubt – aggravate”, it’s safe to assume that lawyers of relevant companies will not be out of business.
Although the new regulations will only take effect in March, they have already been activated in practice, with the inclusion of several cyber companies in the BIS Entity List in November 2021 – including Israel’s NSO Group and Candiru. The haste with which Israel’s MoD issued its new regulations also speaks to what is already happening in the US.
Cyber companies that deal with offensive capabilities will have to jump through many hoops on their way to obtain an export license – if that’s even waiting for them at the end of a long, tiring process. In Israel, those companies will face an even higher hurdle by local authorities.
Quite a few Israeli companies that are connected to offensive cyber will have to take a long hard look at themselves vis-à-vis the new definitions and the US government’s tenacity in enforcing them. Some will need to redefine their products.
The author is the former head of the IDF Intelligence Corps 8200 unit