2017 export control forum - trade - european...

2017ExportControlForum

IliasChantzos

December19,2017

SeniorDirectorGovernmentAffairsEMEA&APJ

Copyright©2017SymantecCorporaAonSYMANTECCONFIDENTIAL–INTERNALUSEONLY

1.Concepts

2

TrueDualUse(Civ.+Mil.)

CyberAtLarge

Cyber-Surveillance

IntrusionSoTwareWassenaar&OldEUReg.

New

Com

missionProp

osal

EPIN

TAPosiAon


Defini@onsWassenaar&OldEUReg. CommissionProposal EPINTAPosi@on

Defini@ons IntrusionsoTware:speciallydesignedormodifiedtoevadedetecAonortodefeatprotecAon,inordertoextractdata,modifysystemsordata,orexecuteroguecommands

cyber-surveillance:itemsspeciallydesignedforcovertintrusion,inordertomonitor,extract,collectandanalysedata,and/orincapacitateordamagetargetedsystem(includingintrusionsoTwareamongothers).

cyber-surveillance:itemsspeciallydesignedforcovertintrusion,inordertomonitor,extract,collectandanalysedata,and/orincapacitateordamagetargetedsystemwithoutthespecific,informedandunambiguousauthorisa6onoftheownerofthedataortheinfrastructure,andwhichcanbeusedinconnec6onwiththeviola6onofhumanrights,includingprivacy,freespeech,freedomofassemblyandassocia6on,orotherviolaAonsofhumanrights,threatstointernaAonalsecurity,ortheEU’sandMSs’security.

Exemp@ons Hypervisors,debuggers,reverseengineeringtools,DRMsoTwareandassettrackingandrecoverysoTware

Productsforbilling,networkperformancemonitoring,servicequality,usersaAsfacAonandtelcobusinessoperaAons

NetworkandICTsecurityresearchforthepurposeofauthorisedtes6ngortheprotec6onofinforma6onsecuritysystems

3


ThisishowrealintrusionsoNwarelookslike

4


Defini@ons-con@nuedWassenaar&OldEUReg. CommissionProposal EPINTAPosi@on

Defini@ons “IntrusionsoTware”:soTwarespeciallydesignedormodifiedtoavoiddetecAonby‘monitoringtools’,ortodefeat‘protecAvecountermeasures’,ofacomputerornetwork-capabledevice,andperforminganyofthefollowing:a.  TheextracAonofdataorinformaAon,

fromacomputerornetwork-capabledevice,orthemodificaAonofsystemoruserdata;or

b.  ThemodificaAonofthestandardexecuAonpathofaprogramorprocessinordertoallowtheexecuAonofexternallyprovidedinstrucAons.

21.'cyber-surveillancetechnology'shallmeanitemsspeciallydesignedtoenablethecovertintrusionintoinformaAonandtelecommunicaAonsystemswithaviewtomonitoring,extracAng,collecAngandanalysingdataand/orincapacitaAngordamagingthetargetedsystem.Thisincludesitemsrelatedtothefollowingtechnologyandequipment:(a)mobiletelecommunicaAonintercepAonequipment;(b)intrusionsoTware;(c)monitoringcenters;(d)lawfulintercepAonsystemsanddataretenAonsystems;(e)digitalforensics;

cyber-surveillanceitemsincludinghardware,so?wareandtechnology,whicharespeciallydesignedtoenablethecovertintrusionintoinforma6onandtelecommunica6onsystemsand/orthemonitoring,exfiltra6ng,collec6ngandanalysingofdataand/orincapacita6ngordamagingthetargetedsystemwithoutthespecific,informedandunambiguousauthorisa6onoftheownerofthedataortheinfrastructure,andwhichcanbeusedinconnec6onwiththeviola6onofhumanrights,includingtherighttoprivacy,therighttofreespeechandthefreedomofassemblyandassocia6on,orwhichcanbeusedforthecommissionofseriousviolaAonsofhumanrightslaworinternaAonalhumanitarianlaw,orcanposeathreattointernaAonalsecurityortheessenAalsecurityoftheUnionanditsMembers.

Exemp@ons “IntrusionsoTware”doesnotincludeanyofthefollowing:a.Hypervisors,debuggersorSoTwareReverseEngineering(SRE)tools;b.DigitalRightsManagement(DRM)soTware;orc.“SoTware”designedtobeinstalledbymanufacturers,administratorsorusers,forthepurposesofassettrackingorrecovery.

systems,ordevicesthatarespeciallydesignedforanyofthefollowingpurposes:a)billingb)datacollecAonfuncAonswithinnetworkelementsc)qualityofserviceofthenetworkord)UsersaAsfacAone)operaAonattelecommunicaAonscompanies.

NetworkandICTsecurityresearchforthepurposeofauthorisedtes6ngortheprotec6onofinforma6onsecuritysystemsshallbeexcluded.

5


Catch-AllControlForNon-ListedItems

6

CommissionProposal EPINTAPosi@onPolitcyRa@onale

RiskofterrorismandhumanrightsviolaAons Directandindirectimpactonhumanrights

Top-DownCatch-All

AuthorisaAonrequirediftheexporterhasbeeninformedbythecompetentauthoritythattheitemsinquesAonmaybeused:•  forseriousviolaAonsofhumanrightsinarmedconflictorinternalrepression,asidenAfiedbyrelevantinternaAonal,EUornaAonalauthoriAes•  forterrorism.

AuthorisaAonrequiredforcyber-surveillanceitems,wherethereisreasontosuspectthatthisorsimilaritemsmaybeusedtoviolatehumanrights.

BoWom-UpCatch-All(DueDiligence)

Ifanexporterisawarethatitemsheproposestoexport,notlistedinAnnexIareintendedfortheviolaAonofhumanrightsorterrorism,hemustnoAfythecompetentauthority.

Ifanexporter,becomesawarewhileexercisingduediligencethatitemsheproposestoexport,notlistedinAnnexIareintendedfortheviolaAonofhumanrightsorterrorism,hemustnoAfythecompetentauthority.


ControlCriteriaCommissionProposal EPINTAPosi@onInternaAonalobligaAons(e.g.non-proliferaAon) [pracAcallyunchanged]

OSCEandUNsanc6ons/embargos

respectforhumanrightsatthedesAnaAon [pracAcallyunchanged]

Humanrightsviola6onsofficiallyrecognisedbyUN,CoEorEU

InternalpoliAcalsituaAonatthedesAnaAon [pracAcallyunchanged]

preservaAonofpeace,securityandstability [pracAcallyunchanged]

thebehaviourofthedes6na6oncountryvis-à-vistheinterna6onalcommunity,interna6onallawandterroristgroups

propor6onalityoftheexporttothedes6na6oncountry’seconomicsitua6on

ForeignandsecuritypolicyconsideraAons

Riskofdiversionorre-export Riskofdiversionorre-export,especiallyinthecaseofcyberformilitaryandterroristuse

Forbrokeringservicesortechnicalassistanceforcyber-surveillanceitems:privacy,dataprotec6on,freedomofspeech,freedomofassemblyandassocia6on,ruleoflawandpoten6alsecurityrisksfortheEUandMS. 7


TransparencyObliga@onsCommissionProposal EPINTAPosi@on

End-UseStatement

Requiredifappropriate Alwaysrequiredforcyber-surveillanceitems

Publicity AnnualCommissionReportonimplementaAon

Quarterlypublica6onbyMemberStatesofmeaningfulinforma6ononeachlicense(typeoflicense,value,volume,natureofequipment,productdescrip6on,enduser,enduse,countryofdes6na6on,andlicenseapprovalordenialdecision)– Businessconfiden6ality?

8


WerespectinternaAonally

recognizedrightstoprivacyandfreedomof

expression

Wedonotcondoneanygovernment’suseofour

productstoabuseInternetprivacyor

freedomofexpression

WedonotparAcipateinbusinessacAviAesthat

areintendedtoaidrepression

WhatisEnableSafeandProduc@veInternet(ESPI)?

9

AtSymantec,webelieveeveryonehastherighttoasafeandproducAveInternetexperience.WelookuponthisasanopportunitytoenableasafeandproducAveInternet(ESPI).

Inourglobalbusiness,weareguidedbythefollowingprinciples:


ESPIPoliciesandProcesses

EnhancedCustomerDue

Diligence

PublicInternetAccessPolicy

EndUserLicenseAgreements

UniqueClauses

10

OurESPIpoliciesandprocessesareintendedforthebestinterestofourcustomer,whileadheringtoregionallegalregulaAons.Thesepoliciesandprocessespertainto:


WhendoESPIPoliciesapply?

QUALIFYINGPRODUCTS*

CUSTOMERLOCATION38sensiAvecountries

CUSTOMERTYPE

GovernmentorISP(GISP)

NEWORDERS

*allproductsexcludingthosethatdonotraiseproductmisuseconcerns(e.g.,CAS,MAA,Director,DLP,etc…) 11

OurESPIpoliciesandprocessesapplybasedonspecificcriteriathatmatchthefollowingcategories,asillustrated:


Ourrecommenda@onsOurexperience•  OurproductsarenotintrusionsoTwareunderWassenaar.

•  TheECandEPdefiniAonscanimprovebutwouldnotcapturetheminprinciple(exceptcrypto)Theimplementa@onofcontrolsbySymantecandbytherelevantcompetentauthority(-ies)

•  SYMCexportsfromIE,butshipscertainappliancesfromaNLwarehouse.

•  ThereforetheIEauthoritywillconsulttheNLauthority.•  InfewcasestheNLauthorityobjectedtolicensesongroundsthattheproduct(designedforprivatenetworks)ifmisusedandmisconfiguredcouldenablemonitoringoverpublicnetworks.

•  IEandSYMCsharedwithNLevidenceoftheSYMCduediligencetopreventmisuseanddiversion.

•  Eventuallyalllicensesweregranted.•  Sincethen,wehavesubmipedmoreapplicaAonsforexportstochallengingend-usersinchallengingcountries.

•  Allwereapprovedwithin10workingdays.Whatshouldbethefocusofthecontrols?

•  Technology:Focuson‘speciallydesigned’(e.g.FinFisher,HackingTeam,Regin,Bundestrojaner…)

•  End-users:Notourplacetosay,butfromourcyberexperience,state-sponsoringisdifficulttoapributewithcertainty,andterrorismisclosetoimpossibletopredict.Businesscan’tbemadethejudgesofthat.

•  Des@na@ons:Whatregimesare‘repressive’isapoliAcaljudgementcall,notabusinessdecision.12

ThankYou!

2017 export control forum - trade - european...

Documents