Intrusion Software Tools and Export Control

Introduction

The purpose of this Note is to explain the controls on the export of intrusion software tools that were agreed by the Wassenaar Arrangement in December 2013 and implemented across the EU in December 2014. It does this by first describing in general terms the purpose and operation of export controls, and how they are agreed and implemented. It then describes the different types of export licence and how to apply. The note then looks in detail at the specific control text and gives some practical examples of what might or might not be controlled. Where relevant there are links to sources of more detailed information.

Controls on intrusion software tools were introduced because of real concerns about the use of such tools to breach human rights and the risks that they pose to national security. They do not seek to prevent exports of software or hardware for commercial applications or for legitimate law enforcement purposes, or to inhibit or restrict research into, or the sharing of information about, software vulnerabilities, bugs or malware. The application of these controls means that a licence is required to export such tools from the EU; it is not an outright prohibition on export. The controls also do not restrict the placing of information in the public domain or the subsequent transfer of information already in the public domain.

Export Control in Context

There are several reasons why governments aim to control the export of goods, software and technology, depending on the nature and destination of the proposed export. The control of strategic exports is the specific remit of the Export Control Organisation (ECO) within the Department for Business, Innovation and Skills.
Exports are controlled for various reasons, including:

- Concerns about internal repression or other human rights violations
- Concerns about the development of weapons of mass destruction
- Foreign policy and international treaty commitments, including as a result of the imposition of EU or United Nations trade sanctions or arms embargoes
- National and collective security of the UK and its allies
- Regional security and conflict

Export controls are not unique to the UK. Most countries have some form of export control policy, legislation and enforcement mechanisms. The UK has a well-developed and coherent export control system which is largely based on international agreements and implemented through EU and national legislation. The controls apply primarily to items specified in control lists, notably the UK Military List and the EU Dual-Use List [1]. In turn these lists are based on agreements reached in the four international export control regimes [2]. The controls on the items that are the subject of this note derive from the Wassenaar Arrangement. An introductory guide to export controls can be found here: https://www.gov.uk/beginners-guide-to-export-controls

[1] Dual-use items are goods, software, technology, documents and diagrams which can be used for both civil and military applications. They can range from raw materials to components and complete systems, such as aluminium alloys, bearings, or lasers. They could also be items used in the production or development of military goods, such as machine tools, chemical manufacturing equipment and computers.
[2] The regimes are: the Nuclear Suppliers Group (NSG); Missile Technology Control Regime (MTCR); Australia Group (AG); and Wassenaar Arrangement (WA).

Wassenaar Arrangement Overview

The Wassenaar Arrangement (WA) was formed in 1996 (www.wassenaar.org). It aims to contribute to peace and security by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilising accumulations and preventing the acquisition of such items by terrorists. It is not directed against any state or group of states, nor does it seek to interfere with the rights of states to acquire legitimate means to defend themselves, as recognised in Article 51 of the Charter of the United Nations, nor to impede bona fide civil transactions. The WA's 41 Participating States [3] convene to agree lists of items that should be subject to export control and to exchange information and share best practice in implementing controls on those items. The WA itself is not legally binding and it is for each Participating State to decide whether and under what conditions it authorises its own transfers of such items, in accordance with its national policies and with its own judgement as to the potential contribution to military capabilities and the impact on security and stability.

[3] Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Croatia, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Mexico, the Netherlands, New Zealand, Norway, Poland, Portugal, the Republic of Korea, Romania, the Russian Federation, Slovenia, Slovakia, South Africa, Spain, Sweden, Switzerland, Turkey, Ukraine, the United Kingdom, and the United States.

UK Implementation of Wassenaar Arrangement Dual-Use Export Controls

The UK implements the military goods controls agreed under the WA through the Export Control Order 2008. The dual-use controls are implemented through European Union legislation and can be found within Council Regulation (EC) 428/2009. The Regulation applies directly in each Member State of the EU. Annex I of the Regulation contains the EU Dual-Use List, i.e. the list of dual-use items subject to control, which combines the separate lists agreed by each of the four export control regimes. This Annex is regularly updated, although there is usually a delay of around a year before changes to the regime lists are incorporated into the EU list. The most recent update was made on 31 December 2014 [4]; this update introduced the controls related to intrusion software tools that were agreed by the WA in December 2013. The current versions of the UK Military and EU Dual-Use Lists can be found here: https://www.gov.uk/government/publications/uk-strategic-export-control-lists-the-consolidated-list-of-strategic-military-and-dual-use-items-that-require-export-authorisation

[4] The update was made by Commission Delegated Regulation (EU) 1382/2014.

The key features of the export control regime set out in the Regulation are:

- A common list of items subject to control by all EU Member States, but with responsibility for licensing and enforcement remaining with the Member States' national authorities
- No controls on movements between EU Member States of the vast majority of dual-use items
- A simplified procedure through EU General Export Authorisations (EUGEA) for exports from the EU to Australia, Canada, Japan, New Zealand, Norway, Switzerland and the USA

Detailed information about the EU Regulation and the Dual-Use List is available here: https://www.gov.uk/controls-on-dual-use-goods

The ECO is the licensing authority within the UK. All licences are assessed against the Consolidated EU and National Export Licensing Criteria located here: https://www.gov.uk/assessment-of-export-licence-applications-criteria-and-policy. A licence would not be granted if to do so would be inconsistent with any of the Criteria. In making licensing decisions the ECO receives expert advice from the Foreign and Commonwealth Office, the Ministry of Defence and, for applications involving information security, CESG (part of GCHQ). Her Majesty's Revenue and Customs (HMRC), working with the Border Force, are responsible for enforcing the controls. Unlicensed export of controlled items may be a criminal offence with significant financial penalties and even prison for the most serious offences.

Licence applications are submitted online through the SPIRE export licensing system (https://www.spire.bis.gov.uk). There are three types of export licence:

- Standard Individual Export Licence (SIEL). This authorises the export of a specified quantity of specified items to a single named recipient. The licence allows multiple shipments up to the specified quantity and is usually valid for 2 years.
- Open Individual Export Licence (OIEL). This authorises the export of an unlimited quantity of specified items to recipients in multiple named destinations. It is usually valid for 5 years. An OIEL is generally granted to exporters who can provide a suitable business justification (such as a long-term supply contract) and who have a demonstrated track record of compliance with export controls.
- Open General Export Licences (OGELs), including the EU General Export Authorisation (EUGEA) referred to above. These are pre-published licences which allow the export of specified items to specified destinations, subject to the terms and conditions stated within the licence. They are available for use by any exporter who registers to do so on SPIRE and can comply with their conditions of use.
Detailed guidance on the different types of licence, how to apply, and what supporting documentation is required, is available here: https://www.gov.uk/government/collections/export-licensing-guidance--2

The ECO has a target to process at least 70% of all SIEL applications within 20 working days, and to process 99% within 60 working days. In 2014 the ECO granted 13,341 SIELs for exports valued at around £12 billion, and refused 226 applications. The destinations with the highest number of refusals were Russia, Pakistan, China and Iran.

Exceptions

Before looking at the specific control text relating to intrusion software tools it is important to be aware of and understand some exemptions that apply in general, in order to understand the true impact of the controls. Where items meet these exemptions there is no need to consider the control text. These exemptions are contained in the General Software Note (GSN) and the General Technology Note (GTN).

Throughout the control text, some items appear in double quotes. These terms have a defined meaning throughout the control text. A few terms in single quotes have a local definition in the current context. Other terms should be read according to their English dictionary definition.

For a discussion of the General Technology Note in the context of the control entries for "intrusion software" tools, see later in this guidance. Here we look at the General Software Note (GSN); the full text is quoted below:

Categories 0 to 9 [5] of this list do not control "software" which is any of the following:
a. Generally available to the public by being:
   1. Sold from stock at retail selling points, without restriction, by means of:
      a. Over-the-counter transactions;
      b. Mail order transactions;
      c. Electronic transactions; or
      d. Telephone call transactions; and
   2. Designed for installation by the user without further substantial support by the supplier;
   N.B. Entry a. of the General Software Note does not release "software" specified in Category 5 - Part 2 ("Information Security").
b. "In the public domain"; or
c. The minimum necessary "object code" for the installation, operation, maintenance (checking) or repair of those items whose export has been authorised.
   N.B. Entry c. of the General Software Note does not release "software" specified in Category 5 - Part 2 ("Information Security").

[5] Annex I to the EU Dual-Use Regulation is divided into ten separate Categories, 0 to 9. The intrusion software controls are located in Category 4, Computers. The other category of interest is Category 5 Part 2, Information Security. Each Category is subdivided into 5 sub-categories, A to E; sub-category A contains entries for Systems, Equipment & Components, D covers Software and E covers Technology.
Entries a. and b. are the most relevant here. Entry a. says that software which is generally available to the public, according to the listed criteria, can only be controlled by Category 5 Part 2, which deals with "Information Security", including cryptography. Entry b. of the General Software Note further exempts anything that is "in the public domain" from all controls, where that term is defined as follows:

"In the public domain" (GTN NTN GSN), as it applies herein, means "technology" or "software" which has been made available without restrictions upon its further dissemination (copyright restrictions do not remove "technology" or "software" from being "in the public domain").

Hence for large classes of open source and commercial off-the-shelf software there is no additional licensing requirement added by the controls related to "intrusion software" tools in Category 4. It is also important to recognise here that export controls do not put any restrictions on the placing of information into the public domain. Of course other restrictions may exist, for example confidentiality clauses in contracts or non-disclosure agreements, but these are not export control-related.

The Control Entries for "Intrusion Software" Tools

The controls themselves are several short paragraphs, using a common definition:

4A005. Systems, equipment, and components therefor, specially designed or modified for the generation, operation or delivery of, or communication with, "intrusion software".

4D004. "Software" specially designed or modified for the generation, operation or delivery of, or communication with, "intrusion software".

4E001.a. "Technology" according to the General Technology Note, for the "development", "production" or "use" of equipment or "software" specified in 4A or 4D.

4E001.c. "Technology" for the "development" of "intrusion software".

The first important point to note is that "intrusion software" itself is not controlled. Rather, related items specially designed to interact with intrusion software in the ways specified are controlled; and "technology" for the "development" / "production" / "use" of those items, or for the "development" of intrusion software itself, is controlled. In practical terms the above means the equipment and software control entries 4A005 and 4D004 apply to items such as malware command and control servers, malware build tools, and software to use or serve exploits, rather than the actual malware binaries or exploits. As we will see, the technology portions of the controls are narrowed by the General Technology Note and only apply to "technology" that is peculiarly responsible for meeting the control characteristics.
The definition of "intrusion software" is as follows:

"Intrusion software" (4) means "software" specially designed or modified to avoid detection by 'monitoring tools', or to defeat 'protective countermeasures', of a computer or network-capable device, and performing any of the following:
a. The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or
b. The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

Notes:
1. "Intrusion software" does not include any of the following:
   a. Hypervisors, debuggers or Software Reverse Engineering (SRE) tools;
   b. Digital Rights Management (DRM) "software"; or
   c. "Software" designed to be installed by manufacturers, administrators or users, for the purposes of asset tracking or recovery.
2. Network-capable devices include mobile devices and smart meters.

Technical Notes:
1. 'Monitoring tools': "software" or hardware devices that monitor system behaviours or processes running on a device. This includes antivirus (AV) products, end point security products, Personal Security Products (PSP), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) or firewalls.
2. 'Protective countermeasures': techniques designed to ensure the safe execution of code, such as Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) or sandboxing.

When reading the definition, first look at the initial paragraph:

"Software" specially designed or modified to avoid detection by 'monitoring tools', or to defeat 'protective countermeasures', of a computer or network-capable device, and performing any of the following:

Here it is clear that "intrusion software" must be specially designed / modified either to avoid detection by 'monitoring tools' or to defeat 'protective countermeasures'. So if software is neither trying to avoid 'monitoring tools' nor to defeat 'protective countermeasures' then it cannot be "intrusion software". Merely avoiding detection is not the same as being specially designed to avoid detection. It is quite possible for a software program to be unnoticed or unnoticeable by a given monitoring tool without that having been a design criterion. Factors such as claiming to avoid monitoring tools in marketing material, or being updated in the light of monitoring tool improvements, would of course point to specific design. If software meets the conditions in either part of the initial paragraph that is not enough for it to be classed as "intrusion software": it further has to be able to steal / modify data, or to modify the standard execution path to run externally provided instructions.

Many tools are able to extract data, but in order for such a tool to be "intrusion software" it further has to be designed to avoid 'monitoring tools' or to defeat techniques designed to ensure the safe execution of code. Even modifying the standard execution path of a program is not enough on its own to meet the definition of "intrusion software": not only does the modification have to allow externally provided instructions, but it also has to be designed to avoid 'monitoring tools' or defeat 'protective countermeasures'. Thus, for example, an exploit for a program that runs without 'protective countermeasures' will not be intrusion software by virtue of defeating 'protective countermeasures', so as long as such an exploit is not specially designed / modified to avoid 'monitoring tools' it will not meet the initial paragraph and hence cannot be "intrusion software".

"Technology" for the "development" of "intrusion software" is also controlled. The definitions are:

"Technology" (GTN NTN All) means specific information necessary for the "development", "production" or "use" of goods. This information takes the form of 'technical data' or 'technical assistance'.
N.B. 1: 'Technical assistance' may take forms such as instruction, skills, training, working knowledge, consulting services and may involve transfer of 'technical data'.
N.B. 2: 'Technical data' may take forms such as blueprints, plans, diagrams, models, formulae, tables, engineering designs and specifications, manuals and instructions written or recorded on other media or devices such as disk, tape, read-only memories.

"Development" (GTN NTN All) is related to all phases prior to serial production, such as: design, design research, design analyses, design concepts, assembly and testing of prototypes, pilot production schemes, design data, process of transforming design data into a product, configuration design, integration design, layouts.
It is important to be aware of the General Technology Note as it narrows the scope of many of the "technology" controls.

GENERAL TECHNOLOGY NOTE (GTN)
(To be read in conjunction with section E of Categories 1 to 9.)

The export of "technology" which is "required" for the "development", "production" or "use" of goods controlled in Categories 1 to 9, is controlled according to the provisions of Categories 1 to 9.

"Technology" "required" for the "development", "production" or "use" of goods under control remains under control even when applicable to non-controlled goods.

Controls do not apply to that "technology" which is the minimum necessary for the installation, operation, maintenance (checking) or repair of those goods which are not controlled or whose export has been authorised.
N.B.: This does not release such "technology" specified in 1E002.e., 1E002.f., 8E002.a. and 8E002.b.

Controls on "technology" transfer do not apply to information "in the public domain", to "basic scientific research" or to the minimum necessary information for patent applications.
Hence the "technology" controls related to "intrusion software" apply only to "technology" peculiarly necessary to meet the controlled performance levels, that is, the appropriate combination of avoidance of 'monitoring tools', defeating of 'protective countermeasures', extraction/modification of data, and the modification of the execution path to accept external instructions.

"Intrusion Software" Related Controls: Examples

The following examples of classes of products are written for guidance only, as it is not possible to consider the specifics of individual cases. Exporters having doubts about the licensability of their goods, software or technology are encouraged to submit licence applications, or to contact the ECO via eco.ist.help@bis.gsi.gov.uk. You are also recommended to seek your own legal advice where necessary. These examples only consider "intrusion software" related controls. Exporters should be aware that other controls, including Category 5 Part 2 controls on cryptography, may apply to instances of the types of products considered here, and certain exemptions, for example the General Software Note, apply differently to Category 5 Part 2.

Commercial Malware Toolkit for Law Enforcement

Consider a piece of custom malware designed to assist investigations by extracting data from a suspect's computer, undetected by any anti-virus. The toolkit for such malware would likely meet the control text of being specially designed for the generation of "intrusion software" and be controlled. Associated manuals and any training course materials would also be potentially subject to a technology control.

Open Source Penetration Testing Software

This would be "in the public domain" and hence would not be controlled as an "intrusion software" tool due to the General Software Note Entry 2.

Commercial Off-The-Shelf Penetration Testing Software

If covered by Entry 1 of the General Software Note, as would be expected for commercial off-the-shelf software, then it would not be controlled as an "intrusion software" tool. If sales restrictions or support requirements mean Entry 1 does not apply, and if, as is likely, it interacts with "intrusion software", then it would likely attract control. There are many requirements for enterprise-class penetration testing software within the information assurance industry where the sales and support do not meet Entry 1 of the General Software Note, and we would therefore encourage prospective exporters to submit licence requests.

Bug Reports to Vendors

A bug report written in terms of what a bug is, rather than how to write an exploit for it, should not meet the "technology" control, as describing a bug should not require explicitly describing how to provide external instructions, how to defeat 'protective countermeasures' or how to avoid detection by 'monitoring tools'.

A minimal proof of concept (PoC), regardless of capabilities, will not be controlled as "software" even if it meets the definition of "intrusion software", as "intrusion software" itself is not controlled. A bug report that describes a defeat for 'protective countermeasures' and a modification to the standard execution path of a program would be controlled as "technology" if it allowed the execution of external instructions. If instead the only outcome described was to launch a calculator process then this is unlikely to be controlled.

Bug Bounties

Bug bounties are paid by software vendors or third parties for the private reporting of verified software bugs. The conditions for payment vary between bug bounty programmes. Reporting a bug by describing just the bug is unlikely to be controlled, nor would providing a proof of concept be controlled. If the terms of payment require a description of how such a proof of concept works then that description could well meet the technology control if the proof of concept met the definition of "intrusion software".

Malware Samples

Samples of end malware will not be controlled, as "intrusion software" is not itself controlled. Analysis of malware samples should not in general be controlled, but if, for example, the analysis describes how to reimplement the aspects of the malware that meet the "intrusion software" definition then the analysis may be controlled as "technology". The exchange of samples of malware command and control components, or of exploit kits, could attract control as the components / kits are likely to meet the control text. Export of any malware sample that is not "in the public domain" and that incorporates cryptography meeting the control definitions in Category 5 Part 2 would likely already require a licence, so little additional licensing burden is anticipated on malware researchers through the "intrusion software" tools controls.
Transfers within Companies

In common with other Categories of controls, multinational companies whose day-to-day business requires collaboration by transferring items that meet control entries relating to "intrusion software" tools will require a licence.

Public Domain Infosec Journals / Magazines

Public domain infosec journals, even those that contain descriptions of proofs of concept for "intrusion software", are not controlled by virtue of being "in the public domain".
Conclusion

The controls on intrusion software tools were introduced to address very real risks. The controls do not apply to intrusion software itself; instead they have been deliberately designed to apply to the tools for interacting with intrusion software and to related technology. There are exemptions for software that is generally available for retail purchase and for software and technology that is in the public domain. Where an item is controlled, a licence will only be required for export outside the EU, and a special licence applies for exports to Australia, Canada, Japan, New Zealand, Norway, Switzerland and the USA.

If you are uncertain whether a licence is required for a particular transfer you may seek advice from the ECO via eco.ist.help@bis.gsi.gov.uk; alternatively you may submit a licence application via SPIRE and you will be advised if a licence is not required. The ECO can also give advice on the most appropriate type of licence for you to use.

The ECO would welcome comments on the impact of these controls, especially in relation to security research. If there is evidence that the controls are placing an unnecessary burden on any particular sector or legitimate activity we will consider whether any additional measures, such as special licensing arrangements, are appropriate. In addition, the ECO would be interested in receiving feedback on the clarity and usefulness of this note.