Defence mulls surveillance malware export restrictions

Australia's Department of Defence will consult with the technology industry on plans to add security exploits and some hacking tools to controlled export lists.

The consultation follows amendments to the Wassenaar Arrangement (WA), which covers so-called dual-use goods that may be used by both military and civilians and should be restricted from being shipped to embargoed states as a result.

Amendments restricting the proliferation of malware used by governments and law enforcement for spying were introduced in March by the United Kingdom and subsequently approved at a WA meeting in Vienna last month.

It placed on WA export control lists software "specially designed or modified to avoid detection" or to "defeat protective countermeasures" of computers or network devices which could exfiltrate or modify data or alter a "standard execution path" to enable remote execution. (pdf)

London also saw its proposal to restrict mobile jamming and interception technology adopted by WA export control lists.

Forty one nations participate and vote on annual changes to the WA but are not bound to instate the changes nor incorporate the corresponding reforms into national laws.

Australia implements changes to the WA control lists via the Defence and Strategic Good List under the Customs (Prohibited Exports) Regulations Act 1958 each year.

Defence told SC Magazine it will work with the Strengthened Export Controls Steering Group and consult with "relevant stakeholders" in deciding whether the WA changes will be implemented.

"...Changes would will be implemented on the basis of national discretion and in accordance with national legislation and policies," a Department spokesperson said.

"As part of this process, the Defence Export Control Office aims to identify changes that may affect Australian exporters, and to liaise with relevant stakeholders."

The additions of security technology to the WA dual-use lists leaves open the possibility that penetration testing tools relied on by infosec professionals could be restricted.

But London officials close to the WA changes told Privacy International researcher Edin Omanovic it was the intention of WA participants to focus on tools such as the German made FinFisher spy tool to restrict only platforms marketed and used by law enforcement and governments for lawful interception.

"Discussions between Privacy International and export control officials involved in drafting the new controls suggest that it was never the intention of these new controls to catch legitimate security research tools and that efforts have been made to prevent them from being subject to controls," Omanovic said.

"On the face of it, however, there are still areas to be worried about in the new agreement."

Omanovic was concerned that restrictions on tools used to develop and operate restricted security products could catch out legitimate hardware and software.

By contrast the WA restrictions imposed on the exploit trade may have little effect.

A prominent exploit broker said most intermediaries already avoid selling zero day hacks to hot-button nations such as Iran where the intelligence could be used to suppress civilians.

Security professionals contacted by SC Magazine were unaware of Australian individuals or organisations selling security exploits offshore.

Exploit research firm Vupen recently added a note to its website adding that it complies with the December WA changes and would not sell its zero days to embargoed nations.