2017 export control forum - trade - european...
TRANSCRIPT
2017 Export Control Forum
Ilias Chantzos
December 19, 2017
Senior Director Government Affairs EMEA & APJ
Copyright © 2017 Symantec Corporation. SYMANTEC CONFIDENTIAL – INTERNAL USE ONLY
1. Concepts

[Diagram: nested scope of the concepts discussed; labels as recovered from the slide]
• True Dual Use (Civ. + Mil.)
• Cyber At Large
• Cyber-Surveillance
• Intrusion Software: Wassenaar & Old EU Reg.
• New Commission Proposal
• EP INTA Position
Definitions (Wassenaar & Old EU Reg. / Commission Proposal / EP INTA Position)

Definitions
  Wassenaar & Old EU Reg.: Intrusion software: specially designed or modified to evade detection or to defeat protection, in order to extract data, modify systems or data, or execute rogue commands.
  Commission Proposal: Cyber-surveillance: items specially designed for covert intrusion, in order to monitor, extract, collect and analyse data, and/or incapacitate or damage the targeted system (including intrusion software among others).
  EP INTA Position: Cyber-surveillance: items specially designed for covert intrusion, in order to monitor, extract, collect and analyse data, and/or incapacitate or damage the targeted system without the specific, informed and unambiguous authorisation of the owner of the data or the infrastructure, and which can be used in connection with the violation of human rights, including privacy, free speech, freedom of assembly and association, or other violations of human rights, threats to international security, or the EU's and MSs' security.

Exemptions
  Wassenaar & Old EU Reg.: Hypervisors, debuggers, reverse engineering tools, DRM software and asset tracking and recovery software.
  Commission Proposal: Products for billing, network performance monitoring, service quality, user satisfaction and telco business operations.
  EP INTA Position: Network and ICT security research for the purpose of authorised testing or the protection of information security systems.
This is what real intrusion software looks like
Definitions, continued (Wassenaar & Old EU Reg. / Commission Proposal / EP INTA Position)

Definitions
  Wassenaar & Old EU Reg.: "Intrusion software": software specially designed or modified to avoid detection by 'monitoring tools', or to defeat 'protective countermeasures', of a computer or network-capable device, and performing any of the following: a. The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or b. The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.
  Commission Proposal: 21. 'cyber-surveillance technology' shall mean items specially designed to enable the covert intrusion into information and telecommunication systems with a view to monitoring, extracting, collecting and analysing data and/or incapacitating or damaging the targeted system. This includes items related to the following technology and equipment: (a) mobile telecommunication interception equipment; (b) intrusion software; (c) monitoring centers; (d) lawful interception systems and data retention systems; (e) digital forensics;
  EP INTA Position: cyber-surveillance items including hardware, software and technology, which are specially designed to enable the covert intrusion into information and telecommunication systems and/or the monitoring, exfiltrating, collecting and analysing of data and/or incapacitating or damaging the targeted system without the specific, informed and unambiguous authorisation of the owner of the data or the infrastructure, and which can be used in connection with the violation of human rights, including the right to privacy, the right to free speech and the freedom of assembly and association, or which can be used for the commission of serious violations of human rights law or international humanitarian law, or can pose a threat to international security or the essential security of the Union and its Members.

Exemptions
  Wassenaar & Old EU Reg.: "Intrusion software" does not include any of the following: a. Hypervisors, debuggers or Software Reverse Engineering (SRE) tools; b. Digital Rights Management (DRM) software; or c. "Software" designed to be installed by manufacturers, administrators or users, for the purposes of asset tracking or recovery.
  Commission Proposal: systems, or devices that are specially designed for any of the following purposes: a) billing; b) data collection functions within network elements; c) quality of service of the network; or d) user satisfaction; e) operation at telecommunications companies.
  EP INTA Position: Network and ICT security research for the purpose of authorised testing or the protection of information security systems shall be excluded.
Catch-All Control For Non-Listed Items

Policy Rationale
  Commission Proposal: Risk of terrorism and human rights violations.
  EP INTA Position: Direct and indirect impact on human rights.

Top-Down Catch-All
  Commission Proposal: Authorisation required if the exporter has been informed by the competent authority that the items in question may be used:
    • for serious violations of human rights in armed conflict or internal repression, as identified by relevant international, EU or national authorities;
    • for terrorism.
  EP INTA Position: Authorisation required for cyber-surveillance items, where there is reason to suspect that this or similar items may be used to violate human rights.

Bottom-Up Catch-All (Due Diligence)
  Commission Proposal: If an exporter is aware that items he proposes to export, not listed in Annex I, are intended for the violation of human rights or terrorism, he must notify the competent authority.
  EP INTA Position: If an exporter becomes aware, while exercising due diligence, that items he proposes to export, not listed in Annex I, are intended for the violation of human rights or terrorism, he must notify the competent authority.
Control Criteria (Commission Proposal, with the EP INTA Position noted in brackets)
• International obligations (e.g. non-proliferation) [EP INTA Position: practically unchanged]
• OSCE and UN sanctions/embargos [EP INTA Position addition]
• Respect for human rights at the destination [EP INTA Position: practically unchanged]
• Human rights violations officially recognised by UN, CoE or EU [EP INTA Position addition]
• Internal political situation at the destination [EP INTA Position: practically unchanged]
• Preservation of peace, security and stability [EP INTA Position: practically unchanged]
• The behaviour of the destination country vis-à-vis the international community, international law and terrorist groups [EP INTA Position addition]
• Proportionality of the export to the destination country's economic situation [EP INTA Position addition]
• Foreign and security policy considerations
• Risk of diversion or re-export [EP INTA Position: risk of diversion or re-export, especially in the case of cyber for military and terrorist use]
• For brokering services or technical assistance for cyber-surveillance items: privacy, data protection, freedom of speech, freedom of assembly and association, rule of law and potential security risks for the EU and MS [EP INTA Position addition]
Transparency Obligations

End-Use Statement
  Commission Proposal: Required if appropriate.
  EP INTA Position: Always required for cyber-surveillance items.

Publicity
  Commission Proposal: Annual Commission Report on implementation.
  EP INTA Position: Quarterly publication by Member States of meaningful information on each license (type of license, value, volume, nature of equipment, product description, end user, end use, country of destination, and license approval or denial decision) – Business confidentiality?
What is Enable Safe and Productive Internet (ESPI)?

At Symantec, we believe everyone has the right to a safe and productive Internet experience. We look upon this as an opportunity to enable a safe and productive Internet (ESPI).

In our global business, we are guided by the following principles:
• We respect internationally recognized rights to privacy and freedom of expression.
• We do not condone any government's use of our products to abuse Internet privacy or freedom of expression.
• We do not participate in business activities that are intended to aid repression.
ESPI Policies and Processes

Our ESPI policies and processes are intended for the best interest of our customer, while adhering to regional legal regulations. These policies and processes pertain to:
• Enhanced Customer Due Diligence
• Public Internet Access Policy
• End User License Agreements
• Unique Clauses
When do ESPI Policies apply?

Our ESPI policies and processes apply based on specific criteria that match the following categories, as illustrated:
• QUALIFYING PRODUCTS*
• CUSTOMER LOCATION: 38 sensitive countries
• CUSTOMER TYPE: Government or ISP (GISP)
• NEW ORDERS

* all products excluding those that do not raise product misuse concerns (e.g., CAS, MAA, Director, DLP, etc…)
Our recommendations

Our experience
• Our products are not intrusion software under Wassenaar.
• The EC and EP definitions can improve but would not capture them in principle (except crypto).

The implementation of controls by Symantec and by the relevant competent authority(-ies)
• SYMC exports from IE, but ships certain appliances from a NL warehouse.
• Therefore the IE authority will consult the NL authority.
• In a few cases the NL authority objected to licenses on grounds that the product (designed for private networks), if misused and misconfigured, could enable monitoring over public networks.
• IE and SYMC shared with NL evidence of the SYMC due diligence to prevent misuse and diversion.
• Eventually all licenses were granted.
• Since then, we have submitted more applications for exports to challenging end-users in challenging countries.
• All were approved within 10 working days.

What should be the focus of the controls?
• Technology: Focus on 'specially designed' (e.g. FinFisher, HackingTeam, Regin, Bundestrojaner…)
• End-users: Not our place to say, but from our cyber experience, state sponsoring is difficult to attribute with certainty, and terrorism is close to impossible to predict. Business can't be made the judges of that.
• Destinations: What regimes are 'repressive' is a political judgement call, not a business decision.

Thank You!