2018 Export Control Forum-Information Security Industry Perspective on Current and Future EU Export Controls
David Hughes
December 13, 2018
Director, Trade Compliance (EMEA)
Copyright © 2017 Symantec Corporation SYMANTEC CONFIDENTIAL – INTERNAL USE ONLY
1. Concepts
Controlled Dual-Use Items
Cyber-Surveillance
Intrusion Software
[Diagram: the three concepts above, shown against the scope of the “Wassenaar & Old EU Reg.” and the “New Commission Proposal”]
Definitions
(Comparison of the Wassenaar & Old EU Reg., the Commission Proposal and the EP INTA Position)

Definitions
• Wassenaar & Old EU Reg.: Intrusion software: specially designed or modified to evade detection or to defeat protection, in order to extract data, modify systems or data, or execute rogue commands.
• Commission Proposal: cyber-surveillance: items specially designed for covert intrusion, in order to monitor, extract, collect and analyse data, and/or incapacitate or damage a targeted system (including intrusion software, among others).
• EP INTA Position: cyber-surveillance: items specially designed for covert intrusion, in order to monitor, extract, collect and analyse data, and/or incapacitate or damage a targeted system without the specific, informed and unambiguous authorisation of the owner of the data or the infrastructure, and which can be used in connection with the violation of human rights, including privacy, free speech, freedom of assembly and association, or other violations of human rights, threats to international security, or the EU’s and MSs’ security.

Exemptions
• Wassenaar & Old EU Reg.: Hypervisors, debuggers, reverse engineering tools, DRM software and asset tracking and recovery software.
• Commission Proposal: Products for billing, network performance monitoring, service quality, user satisfaction and telco business operations.
• EP INTA Position: Network and ICT security research for the purpose of authorised testing or the protection of information security systems.
Definitions - continued
(Comparison of the Wassenaar & Old EU Reg., the Commission Proposal and the EP INTA Position)

Definitions
• Wassenaar & Old EU Reg.: “Intrusion software”: software specially designed or modified to avoid detection by ‘monitoring tools’, or to defeat ‘protective countermeasures’, of a computer or network-capable device, and performing any of the following:
  a. The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or
  b. The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.
• Commission Proposal: 21. ‘cyber-surveillance technology’ shall mean items specially designed to enable the covert intrusion into information and telecommunication systems with a view to monitoring, extracting, collecting and analysing data and/or incapacitating or damaging the targeted system. This includes items related to the following technology and equipment: (a) mobile telecommunication interception equipment; (b) intrusion software; (c) monitoring centers; (d) lawful interception systems and data retention systems; (e) digital forensics.
• EP INTA Position: cyber-surveillance items including hardware, software and technology, which are specially designed to enable the covert intrusion into information and telecommunication systems and/or the monitoring, exfiltrating, collecting and analysing of data and/or incapacitating or damaging the targeted system without the specific, informed and unambiguous authorisation of the owner of the data or the infrastructure, and which can be used in connection with the violation of human rights, including the right to privacy, the right to free speech and the freedom of assembly and association, or which can be used for the commission of serious violations of human rights law or international humanitarian law, or can pose a threat to international security or the essential security of the Union and its Members.

Exemptions
• Wassenaar & Old EU Reg.: “Intrusion software” does not include any of the following:
  a. Hypervisors, debuggers or Software Reverse Engineering (SRE) tools;
  b. Digital Rights Management (DRM) software; or
  c. “Software” designed to be installed by manufacturers, administrators or users, for the purposes of asset tracking or recovery.
• Commission Proposal: systems, or devices that are specially designed for any of the following purposes:
  a) billing
  b) data collection functions within network elements
  c) quality of service of the network, or
  d) user satisfaction
  e) operation at telecommunications companies.
• EP INTA Position: Network and ICT security research for the purpose of authorised testing or the protection of information security systems shall be excluded.
Definition of ‘malware’
The EU has already worked on definitions of ‘malware’ and ‘malicious software’:
Illegal access, interception, interference
In addition, Directive 2013/40/EU on attacks against information systems defines illegal access, illegal interception and illegal interference.
Joint FR/UK/SE EU009 Proposal – UGEA No. EU009
• Proposal for a new UGEA for encryption products
• UGEA expectations: A UGEA will
  1. Be easy to apply for
  2. Be convenient to implement
  3. Apply minimal controls and bureaucracy to a subset of exports
• Issues with this proposal:
  1. Too many exceptions: primarily Information Security Products
  2. Additional technical complexity: Items are defined in Annex 1, so a UGEA should be based on Annex 1 control list numbers, not on additional technical parameters. Requires additional administrative work to determine which products qualify.
  3. Restriction – military, paramilitary, police, intelligence or surveillance end-use, or other security end-use by the government. Also: (d) for use in connection with a violation of human rights, democratic principles or freedom of speech as defined by the Charter of Fundamental Rights of the European Union, by using interception technologies and digital data transfer devices for monitoring mobile phones and text messages and targeted surveillance of Internet use (e.g. via Monitoring Centres and Lawful Interception Gateways).
  4. Reporting requirement: Prior to first export – detailed technical data (manufacturer, name, model, description, tech specs including crypto algorithms, key management details, protocols). Must be kept up to date – new products need to be reported, as do changes to existing products.
  5. Annual export report requirement
Joint FR/UK/SE EU009 Proposal – UGEA No. EU009
• A new GEA should at least match the current EU National General Export Authorisations:
  • UK: covers the majority of Cat 5 Part 2 (small carve-out for Annex IV products). Notes: “likewise it is necessary to keep a control on telecommunications items that may constitute part of any interception chain even if they do not integrate some lawful or unlawful interception functionalities”. Excluded country list, similar to the EU proposal. Both licences restrict military/WMD end-use. Reporting requirements similar to the proposal.
  • NL: NL010 authorises export of standard crypto to most countries
  • DE: GA16 authorises export of standard crypto to most countries
• Ideally, Licensing Authorities would decide where their time and attention are best spent, and concentrate on high-risk export scenarios. This would result in a licence exception like the US ENC licence exception.
• This is what is needed to establish a level playing field between US and EU exporters.
Catch-All Control For Non-Listed Items
(Comparison of the Commission Proposal and the EP INTA Position)

Policy Rationale
• Commission Proposal: Risk of terrorism and human rights violations
• EP INTA Position: Direct and indirect impact on human rights

Top-Down Catch-All
• Commission Proposal: Authorisation required if the exporter has been informed by the competent authority that the items in question may be used:
  • for serious violations of human rights in armed conflict or internal repression, as identified by relevant international, EU or national authorities
  • for terrorism.
• EP INTA Position: Authorisation required for cyber-surveillance items, where there is reason to suspect that this or similar items may be used to violate human rights.

Bottom-Up Catch-All (Due Diligence)
• Commission Proposal: If an exporter is aware that items he proposes to export, not listed in Annex I, are intended for the violation of human rights or terrorism, he must notify the competent authority.
• EP INTA Position: If an exporter becomes aware, while exercising due diligence, that items he proposes to export, not listed in Annex I, are intended for the violation of human rights or terrorism, he must notify the competent authority.
Symantec’s approach to “Exercising due diligence” on human rights concerns: “Enabling a Safe and Productive Internet (ESPI)”

At Symantec, we believe everyone has the right to a safe and productive Internet experience. We look upon this as an opportunity to enable a safe and productive Internet (ESPI).
In our global business, we are guided by the following principles:
• We respect internationally recognized rights to privacy and freedom of expression
• We do not condone any government’s use of our products to abuse Internet privacy or freedom of expression
• We do not participate in business activities that are intended to aid repression
ESPI Policies and Processes

Our ESPI policies and processes are intended for the best interest of our customer, while adhering to regional legal regulations. These policies and processes pertain to:
• Enhanced Customer Due Diligence
• Public Internet Access Policy
• End User License Agreements – Unique Clauses
Enhanced Customer Due Diligence: When do Symantec’s ESPI policies apply?

Symantec’s ESPI policies and processes apply based on specific criteria, as illustrated:
• Network protection products (aka BlueCoat)
• Customer location: 82 sensitive countries
• Customer type: government owned, or Internet Service Provider
• New orders
ESPI Process
• The account is researched by the ESPI sales support team. The GISP or Non-GISP classification and the research justification are attached to the account in Salesforce.
• The Symantec Sales rep is required to provide information as to how the products will be used by the End User.
• An additional detailed questionnaire is completed when the order amount is > $250K US and the end user is located in an ESPI sensitive country.
• If the products will be used in a Public Network, additional information and approval by an ESPI committee (made up of ESPI sales support, Symantec VPs, and Trade Compliance) is required before the opportunity can proceed.
Public Internet Access Policy
https://www.symantec.com/content/dam/symantec/docs/other-resources/public-internet-access-policy-en.pdf
Section 9B - Compliance
Symantec’s Channel Partner Agreement contract language
• Product Misuse and Protection of Human Rights. As a member of Symantec’s Secure One partner program, You shall read and abide by the principles set forth in the Public Internet Access Policy (the “PIAP”) posted on Symantec.com. As stated in the PIAP, Symantec products empower our customers to safely and securely utilize the Internet, but certain products have the potential for misuse, such as improper monitoring or surveillance of public Internet users, or blocking of websites or applications. Our mutual aim is to ensure that our products are used in a manner consistent with internationally recognized human rights. You will promptly notify Symantec of any potential or actual misuse of Symantec products that comes to Your attention and fully cooperate in any subsequent review or investigation of such incidents.
Thank You!