2018 Export Control Forum - Information Security Industry Perspective on Current and Future EU Export Controls. David Hughes, Director, Trade Compliance (EMEA). December 13, 2018.

2018 Export Control Forum - Presentation by Symantec · 2019-04-29 · 2018 Export Control Forum-Information Security Industry Perspective on Current and Future EU Export Controls


Page 1

2018 Export Control Forum-Information Security Industry Perspective on Current and Future EU Export Controls

David Hughes

December 13, 2018

Director, Trade Compliance (EMEA)

Page 2

Copyright © 2017 Symantec Corporation SYMANTEC CONFIDENTIAL – INTERNAL USE ONLY

1. Concepts


Diagram: Controlled Dual-Use Items; Cyber-Surveillance; Intrusion Software. Labels on the diagram: “Wassenaar & Old EU Reg.” and “New Commission Proposal”.

Page 3


Definitions

Columns: Wassenaar & Old EU Reg. | Commission Proposal | EP INTA Position

Definitions

• Wassenaar & Old EU Reg.: Intrusion software: specially designed or modified to evade detection or to defeat protection, in order to extract data, modify systems or data, or execute rogue commands.

• Commission Proposal: cyber-surveillance: items specially designed for covert intrusion, in order to monitor, extract, collect and analyse data, and/or incapacitate or damage targeted system (including intrusion software among others).

• EP INTA Position: cyber-surveillance: items specially designed for covert intrusion, in order to monitor, extract, collect and analyse data, and/or incapacitate or damage targeted system without the specific, informed and unambiguous authorisation of the owner of the data or the infrastructure, and which can be used in connection with the violation of human rights, including privacy, free speech, freedom of assembly and association, or other violations of human rights, threats to international security, or the EU’s and MSs’ security.

Exemptions

• Wassenaar & Old EU Reg.: Hypervisors, debuggers, reverse engineering tools, DRM software and asset tracking and recovery software

• Commission Proposal: Products for billing, network performance monitoring, service quality, user satisfaction and telco business operations

• EP INTA Position: Network and ICT security research for the purpose of authorised testing or the protection of information security systems


Page 4


Definitions - continued

Columns: Wassenaar & Old EU Reg. | Commission Proposal | EP INTA Position

Definitions

• Wassenaar & Old EU Reg.: “Intrusion software”: software specially designed or modified to avoid detection by ‘monitoring tools’, or to defeat ‘protective countermeasures’, of a computer or network-capable device, and performing any of the following:
  a. The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or
  b. The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

• Commission Proposal: 21. 'cyber-surveillance technology' shall mean items specially designed to enable the covert intrusion into information and telecommunication systems with a view to monitoring, extracting, collecting and analysing data and/or incapacitating or damaging the targeted system. This includes items related to the following technology and equipment:
  (a) mobile telecommunication interception equipment;
  (b) intrusion software;
  (c) monitoring centers;
  (d) lawful interception systems and data retention systems;
  (e) digital forensics;

• EP INTA Position: cyber-surveillance items including hardware, software and technology, which are specially designed to enable the covert intrusion into information and telecommunication systems and/or the monitoring, exfiltrating, collecting and analysing of data and/or incapacitating or damaging the targeted system without the specific, informed and unambiguous authorisation of the owner of the data or the infrastructure, and which can be used in connection with the violation of human rights, including the right to privacy, the right to free speech and the freedom of assembly and association, or which can be used for the commission of serious violations of human rights law or international humanitarian law, or can pose a threat to international security or the essential security of the Union and its Members.

Exemptions

• Wassenaar & Old EU Reg.: “Intrusion software” does not include any of the following:
  a. Hypervisors, debuggers or Software Reverse Engineering (SRE) tools;
  b. Digital Rights Management (DRM) software; or
  c. “Software” designed to be installed by manufacturers, administrators or users, for the purposes of asset tracking or recovery.

• Commission Proposal: systems, or devices that are specially designed for any of the following purposes:
  a) billing
  b) data collection functions within network elements
  c) quality of service of the network or
  d) User satisfaction
  e) operation at telecommunications companies.

• EP INTA Position: Network and ICT security research for the purpose of authorised testing or the protection of information security systems shall be excluded.


Page 5


Definition of ‘malware’

The EU has already worked on definitions of ‘malware’ and ‘malicious software’:


Page 6


Illegal access, interception, interference

In addition, Directive 2013/40/EU on attacks against information systems defines illegal access, interception and interference.


Page 7


Joint FR/UK/SE EU009 Proposal – UGEA No. EU009

• Proposal for a new UGEA for encryption products

• UGEA expectations: A UGEA will
  1. Be easy to apply for
  2. Be convenient to implement
  3. Apply minimal controls and bureaucracy to a subset of exports

• Issues with this proposal:
  1. Too many exceptions: primarily Information Security Products
  2. Additional technical complexity: Items are defined in Annex 1; the UGEA should be based on Annex 1 control list numbers, not on additional technical parameters. Requires additional administrative work to determine which products qualify.
  3. Restriction – military, paramilitary, police, intelligence or surveillance end-use, or other security end-use by the government. Also: (d) for use in connection with a violation of human rights, democratic principles or freedom of speech as defined by the Charter of Fundamental Rights of the European Union, by using interception technologies and digital data transfer devices for monitoring mobile phones and text messages and targeted surveillance of Internet use (e.g. via Monitoring Centres and Lawful Interception Gateways).
  4. Reporting requirement: Prior to first export – technical data – detailed (manufacturer, name, model, description, tech specs including crypto algorithms, key management details, protocols). Must be kept up to date – new products need to be reported, also changes to existing products.
  5. Annual export report requirement


Page 8


Joint FR/UK/SE EU009 Proposal – UGEA No. EU009 (continued)

• New GEA should at least match current EU National General Export Authorisations:
  • UK: covers majority of Cat 5 part 2 (small carve out for Annex IV prods). Notes: “likewise it is necessary to keep a control on telecommunications items that may constitute part of any interception chain even if they do not integrate some lawful or unlawful interception functionalities”. Excluded country list, similar to EU proposal. Both licences restrict military/WMD end-use. Reporting requirements similar to proposal.

• NL: NL010 authorises export of standard crypto to most countries

• DE: GA16 authorises export of standard crypto to most countries

• Ideally Licensing Authorities would make decision where the best allocation of time and attention can be spent, and concentrate on high-risk export scenarios. This would result in a licence exception like the US ENC licence exception.

• This is what is needed to establish a level playing field between US and EU exporters


Page 9


Catch-All Control For Non-Listed Items


Columns: Commission Proposal | EP INTA Position

Policy Rationale

• Commission Proposal: Risk of terrorism and human rights violations

• EP INTA Position: Direct and indirect impact on human rights

Top-Down Catch-All

• Commission Proposal: Authorisation required if the exporter has been informed by the competent authority that the items in question may be used:
  • for serious violations of human rights in armed conflict or internal repression, as identified by relevant international, EU or national authorities
  • for terrorism.

• EP INTA Position: Authorisation required for cyber-surveillance items, where there is reason to suspect that this or similar items may be used to violate human rights.

Bottom-Up Catch-All (Due Diligence)

• Commission Proposal: If an exporter is aware that items he proposes to export, not listed in Annex I, are intended for the violation of human rights or terrorism, he must notify the competent authority.

• EP INTA Position: If an exporter becomes aware while exercising due diligence that items he proposes to export, not listed in Annex I, are intended for the violation of human rights or terrorism, he must notify the competent authority.

Page 10


Symantec’s approach to “Exercising due diligence” on human rights concerns: “Enabling a Safe and Productive Internet (ESPI)”

At Symantec, we believe everyone has the right to a safe and productive Internet experience. We look upon this as an opportunity to enable a safe and productive Internet (ESPI).

In our global business, we are guided by the following principles:

• We respect internationally recognized rights to privacy and freedom of expression

• We do not condone any government’s use of our products to abuse Internet privacy or freedom of expression

• We do not participate in business activities that are intended to aid repression

Page 11


ESPI Policies and Processes

Our ESPI policies and processes are intended for the best interest of our customer, while adhering to regional legal regulations. These policies and processes pertain to:

• Enhanced Customer Due Diligence

• Public Internet Access Policy

• End User License Agreements: Unique Clauses

Page 12


Enhanced Customer Due Diligence: When do Symantec’s ESPI policies apply?

Symantec’s ESPI policies and processes apply based on specific criteria, as illustrated:

• NETWORK PROTECTION PRODUCTS (aka: BlueCoat)

• CUSTOMER LOCATION: 82 sensitive countries

• CUSTOMER TYPE: Government owned, or Internet Service Provider

• NEW ORDERS

Page 13


ESPI Process

• Account is researched by the ESPI sales support team. GISP or Non-GISP classification and research justification is attached to the account in Salesforce.

• The Symantec Sales rep is required to provide information as to how the products will be used by the End User.

• Additional detailed questionnaire is completed when order amount is > $250K US and end user is located in an ESPI sensitive country.

• If products will be used in a Public Network, additional information and approval by an ESPI committee made up of ESPI sales support, Symantec VPs, and Trade Compliance is required before opportunity can proceed.


Page 14


Public Internet Access Policy

• Enhanced Customer Due Diligence

• Public Internet Access Policy

• End User License Agreements: Unique Clauses

https://www.symantec.com/content/dam/symantec/docs/other-resources/public-internet-access-policy-en.pdf

Page 15


Section 9B - Compliance

Symantec’s Channel Partner Agreement contract language

• Product Misuse and Protection of Human Rights. As a member of Symantec’s Secure One partner program, You shall read and abide by the principles set forth in the Public Internet Access Policy (the “PIAP”) posted on Symantec.com. As stated in the PIAP, Symantec products empower our customers to safely and securely utilize the Internet, but certain products have the potential for misuse, such as improper monitoring or surveillance of public Internet users, or blocking of websites or applications. Our mutual aim is to ensure that our products are used in a manner consistent with internationally recognized human rights. You will promptly notify Symantec of any potential or actual misuse of Symantec products that comes to Your attention and fully cooperate in any subsequent review or investigation of such incidents.


Page 16

Thank You!