For centuries, export control regulations have accompanied the development of new weapon technologies. The revelations of the \u2018Pegasus Project\u2019 have put the question of whether and how to regulate the export of the new technology \u2018cyberweapons\u2019 in the limelight: Is the current international export control law up to the challenge of sufficiently regulating the proliferation of \u2018cyberweapons\u2019 or does it need an update? To answer this question, the blog post will, first, turn to the definition and relevance of \u2018cyberweapons\u2019. Secondly, international export control law is introduced as a possible measure to mitigate the risks posed by \u2018cyberweapons\u2019 against the backdrop of regulating the use of \u2018cyberweapons\u2019 or establishing a moratorium on its trade. Third, the blog post will assess the export of \u2018cyberweapons\u2019 in general and the export of Pegasus in particular within the current international export control framework. The current framework seems to touch upon partial aspects of the trade with \u2018cyberweapons\u2019. However, it stands to fear that it is not up to the task of sufficiently curtailing the proliferation of \u2018cyberweapons\u2019 and the associated risks, as it especially leaves the underlying problem of the trade with zero-day vulnerabilities untouched.<\/p>\n
The \u2018Pegasus Project\u2019<\/strong><\/p>\n The \u2018Pegasus Project<\/a>\u2018 is an investigative research project into the dealings of the Israeli company NSO Group Technologies (NSO). NSO is a technology firm that sells a smartphone surveillance tool called \u2018Pegasus\u2019 to States. The States can then silently \u2013 thus without user interaction of the target like \u2018clicking\u2019 on a link (so-called zero-touch) \u2013 install \u2018Pegasus\u2019 on smartphones, taking advantage of unknown software vulnerabilities (so-called zero-day vulnerabilities). The combination of zero-day and zero-touch can be referenced as zero-day zero-touch vulnerabilities, which are particularly rare and valuable. After successful intrusion, the intruder can access the smartphone\u2019s data, communications, and turn on the microphone, the camera, and GPS tracking. The project revealed<\/a> that many States used the tool not only to legitimately fight crime and terrorism but also to spy on human rights attorneys, journalists, activists, opposition politicians, dissidents, and other State\u2019s officials. While such use<\/em> by the recipient state raises inter alia <\/em>the issue of the legality of international espionage, the following sections will address whether the transfer<\/em> of \u2018Pegasus\u2019 has violated international export control law.<\/p>\n Defining \u2018Cyberweapons\u2019<\/strong><\/p>\n Amid the revelations, \u2018Pegasus\u2019 has often been referred to as a \u2018cyberweapon\u2019 (see, i.e., here<\/a>, here<\/a> and here<\/a>). However, it is unclear what the term \u2018cyberweapon\u2019 precisely conveys. So far, a clear-cut (legal) definition has not emerged. Instead, \u2018cyberweapons\u2019 are primarily described<\/a> in varying functional or technical terms. One point of divergence is the distinction between offensive <\/em>and defensive<\/em> cyber tools and whether they both fall within the category of \u2018cyberweapons\u2019. Moreover, it is unsettled whether surveillance tools like \u2018Pegasus\u2019 should be classified as \u2018cyberweapons\u2019. However, for this blog post, a precise delimitation is unwarranted as this classification does not affect the assessment of surveillance tools under international export control law.<\/p>\n The interconnected world is undoubtedly vulnerable to attacks by \u2018cyberweapons\u2019. They pose significant risks to critical infrastructure, the functioning of the State, international peace and security, and \u2014 like \u2018Pegasus\u2019 \u2014 to individuals\u2019 human rights. Despite these risks, the trade of \u2018cyberweapons\u2019 flourishes due to high demand by States and other actors. The copying and electronic transfer of \u2018cyberweapons\u2019 further accelerate their proliferation compared to traditional arms. One way to cope with these risks is to regulate the use<\/em> of \u2018cyberweapons\u2019 and promote responsible state behavior in cyberspace.<\/p>\n Regulating the Use of \u2018Cyberweapons\u2019?<\/strong><\/p>\n In the last years, several state and non-state initiatives have started addressing the problem in different fora and with different focuses. These include the \u2018UN Open-Ended Working Group on Developments in the Field of ICTs in the Context of International Security<\/a>\u2018 (OEWG), the \u2018UN Group of Governmental Experts on Advancing Responsible State Behavior in Cyberspace in the Context of International Security<\/a>\u2018 (GGE), the \u2018Programme of Action for Advancing Responsible State Behaviour in Cyberspace<\/a>\u2018, the Tallinn Manual Processes (with 3.0. just being initiated<\/a>) and state practice (i.e. Germany<\/a>).<\/p>\n State practice, thereby, concentrates mostly on applying current international law to cyberspace, including issues surrounding \u2018cyberattacks\u2019. Germany, for example, is of the position<\/a> that cyber operations by a state may infringe upon another state\u2019s rights and may likewise be responded to by cyber means, i.e., to counter an armed (cyber-)attack. Moreover, Germany puts forward<\/a> that cyber operations need to and are able to follow IHL when employed. Similarly, the Tallinn Manual focuses on applying the international law of war to cyberspace, including the application to cyberattacks perpetrated with \u2018cyberweapons\u2019. In contrast, the GGE and the OEWG not only deal with the application of international law to cyberspace but also established detailed, non-binding norms to advance \u2018Responsible State Behaviour in Cyberspace in the Context of International Security<\/a>\u2019. History, however, has shown that mere regulation on the use of certain technologies and weapons does not suffice to prevent actors from \u2018irresponsibly\u2019 utilizing the technology to the detriment of international peace and security. Therefore, these actors need to be barred from acquiring \u2018cyberweapons\u2019 in the first place.<\/p>\n An International Moratorium on the Trade with \u2018Cyberweapons\u2019?<\/strong><\/p>\n Prominently, Edward Snowden called<\/a> for an international export ban on \u2018cyberweapons\u2019 amid the \u2018Pegasus\u2019 revelations (see similarly here<\/a>, here<\/a>, here<\/a>, here<\/a> and here<\/a>). Such a ban seems like an apparent solution to the proliferation risks associated with \u2018cyberweapons\u2019. However, such a \u2018cyberweapons\u2019 moratorium is unlikely to emerge in the near-term future for several reasons.<\/p>\n Recent examples show that an international treaty on the issue would most probably require years of lengthy negotiations. For example, the discussions<\/a> on the regulation on lethal autonomous weapon systems (LAWS) within the United Nations Convention of Certain Conventional Weapons framework have been going on for several years, without significant progress. States\u2019 positions regarding this matter range<\/a> \u2014 comparable to the discussion about \u2018cyberweapons\u2019 \u2014 from an outright ban of LAWS to \u2018merely\u2019 regulating<\/a> the trade of LAWS or its components and to not regulating LAWS at all. Moreover, attempts to negotiate a \u2018Cybersecurity\u2019-Treaty, which would also take on the trade with \u2018cyberweapons\u2019, has so far fallen on deaf ears within the international community.<\/p>\n Nevertheless, the GGE and OEWG took a small step towards a proliferation halt. Their final reports both called for the prevention of \u2018the proliferation of malicious [information and communications technology] tools and techniques and the use of harmful hidden functions\u2019 (see here<\/a> and here<\/a>). The GGE thereby restated its principle 13 i), which it had established in its 2015 report, and which has been reiterated by the UN General Assembly (UNGA) on several occasions. These non-binding norms may have an impact towards the creation of formal international law in the future, if they are referenced and reiterated by States and international organs like the UNGA. The Tallinn Manual, for instance, may not be explicitly endorsed by States but is still used as a reference, as exemplified by Germany\u2019s report on the application of international law in cyberspace<\/a>. Despite this, the calls by the OEWG and GGE are merely non-binding recommendations that have not manifested to international law or developed into a comprehensive framework for cyber non-proliferation efforts. For the moment, principle 13 i) reflects the international communities\u2019 general understanding that \u2018cyberweapons\u2019 may pose risks to international security and stresses the preference of States for non-binding instruments in this area. This way, they retain enough leeway to foster their strategic goals by exporting \u2018cyberweapons\u2019. The export of \u2018Pegasus\u2019, for instance, was part of Israeli foreign policy, especially in the warming relations to its Arabic neighbors (see here<\/a>). For the same strategic reasons, unilateral declarations by States to impose a moratorium on \u2018cyberweapons\u2019 exports within their jurisdiction are highly unlikely.<\/p>\n While \u2018new\u2019 international law is not on the horizon, the question arises: What does existing international export control law have to say about \u2018cyberweapons\u2019?<\/p>\n Existing International Export Control Law and \u2018Cyberweapons\u2019<\/strong><\/p>\n There are two main pillars in international export control law: binding international arms treaties (i.e., NPT<\/a>, BTWC<\/a>, CWC<\/a>, ATT<\/a>, CCW<\/a>) and non-binding multilateral export control regimes (i.e., NSG<\/a>, Australia Group<\/a>, MTCR<\/a> and the Wassenaar Arrangement<\/a>). These frameworks cover a wide range of weapons, namely nuclear, biological, chemical, and conventional weapons, as well as dual-use items. However, among them, only the Wassenaar Arrangement deals \u2014 at least partially \u2014 with \u2018cyberweapons\u2019, although without expressly mentioning the term.<\/p>\n The Wassenaar Arrangement is a voluntary export control regime established in 1996, with currently 42 participating States. Its primary purpose is \u2018to contribute to regional and international security and stability, by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilising accumulations.\u2019 To this end, the participating States should apply export controls to all items either on the Dual-Use List<\/a> or the Munitions List<\/a>, meaning they have to license the export of listed items.<\/p>\n In the case of the Wassenaar Agreement\u2019s applicability, States agreed to follow multiple best practices<\/a>, such as to control the transfer of \u2018software\u2019 irrespective of its means of transfer, thus, including intangible transfers. Moreover, according to the Arrangement, States should report on their export decisions of listed items. If one State denies the export of a listed item, another participating State can still approve the export. The exporting State should then merely notify all other States of the approval. The final export decision always remains the sole responsibility of each participating State.<\/p>\n The Case of \u2018Pegasus\u2019<\/strong><\/p>\n In the case of \u2018Pegasus\u2019, Israel claims<\/a> to have acted \u2018in accordance with its defense export control law, complying with international export control regimes\u2019. The claim is intriguing as Israel is not a participating State of the Wassenaar Arrangement. However, Israel has committed<\/a> to following the Arrangement unilaterally. The commitment indicates the authority and impact of the non-binding Wassenaar Arrangement, but only if Israel indeed acts<\/em> within the Arrangement\u2019s constraints. Otherwise, Israel\u2019s commitment would not be more than mere lip service. Therefore, the question remains whether Israel acted within the bounds of the Wassenaar Arrangement concerning the export of \u2018Pegasus\u2019.<\/p>\n The Wassenaar Agreement\u2019s Munitions List names \u2018\u201dSoftware\u201d specially designed or modified for the conduct of military offensive cyber operations\u2019 as a controlled item (Item 21.b.5. Munitions List). This \u2018includes \u201csoftware\u201d designed to destroy, damage, degrade or disrupt systems, equipment or \u201csoftware\u201d, specified by the Munitions List, cyber reconnaissance and cyber command and control \u201csoftware\u201d, therefor\u2019. Thus, the Wassenaar Arrangement applies to \u2018cyberweapons\u2019, used in a purely<\/em> military manner. However, \u2018Pegasus\u2019 and the like are not designed to \u2018destroy, damage, degrade or disrupt\u2019 military systems. Instead, they intrude and manipulate civilian cell phones.<\/p>\n But software often has both, military and<\/em> civilian use. Generally, the Dual-Use List covers such dual-use items, including dual-use software. However, it does not<\/em> directly cover any dual-use items that can be classified as \u2018cyberweapons\u2019. Instead, the Dual-Use List only names items related<\/em> to intrusion software: Specifically, \u2018systems, equipment, and components\u2019 (Cat. 4.A.5 Dual-Use List) or \u2018software\u2019 (Cat. 4.D.4 Dual-Use List) \u2018specially designed or modified for the generation, command and control, or delivery of \u201cintrusion software\u201d\u2019. The Wassenaar Arrangement defines intrusion software \u2014 and, therefore, arguably a type of \u2018cyberweapon\u2019 \u2014 in its definitions section<\/a>. According to the definition, intrusion software is \u2018\u201c[s]oftware\u201d specially designed or modified to avoid detection by \u201cmonitoring tools\u201d, or to defeat \u201cprotective countermeasures\u201d, of a computer or network-capable device\u2019 and to perform either \u2018extraction of data\u2019 or \u2018modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.\u2019 Thus, the Arrangement does not place intrusion software itself<\/em> on the Dual-Use List but only related items.<\/p>\n The Arrangement, therefore, applies only to \u2018Pegasus\u2019-related exports. As intrusion software, \u2018Pegasus\u2019 itself is not among the listed items. But supplying the necessary IT infrastructure to employ and control \u2018Pegasus\u2019, retrieve data, and provide technical assistance (Cat. 4.E.1.c Dual-Use List) to other States, which NSO certainly did, requires prior licensing. Indeed, the Israeli government approved<\/a> each export of \u2018Pegasus\u2019-related technology. Crucially, however, the underlying decision of whether a specific export of \u2018Pegasus\u2019 is compatible with the goals and aims of the Arrangement and, therefore, eligible for a license remains within the sole discretion of Israel. Something the Israeli government apparently answered in the affirmative. Thus, Israel acted within the bounds of the Wassenaar Arrangement, thereby confirming its authority. However, this conclusion lays bare the lack of a mutual understanding within the Arrangement which circumstances necessitate the denial of an export license.<\/p>\n The Way Forward<\/strong><\/p>\n In line with the aforementioned, the Wassenaar Arrangement applies to offensive military \u2018cyberweapons\u2019 and items related to intrusion software like \u2018Pegasus\u2019. It, therefore, draws a baseline in the non\u2011proliferation efforts against \u2018cyberweapons\u2019. However, it does not offer an entirely comprehensive export control regime for \u2018cyberweapons\u2019: Its limited membership and the categories of \u2018cyberweapons\u2019 on the Dual-Use List would have to be broadened to close existing gaps. Moreover, although the Arrangement\u2019s non-binding character does not necessarily render it ineffective, a strengthened compliance mechanism would boost its effectiveness. Finally, participating States should try to find common ground on the circumstances under which an export license should be denied.<\/p>\n In addition to international export control law,<\/em> other areas of international law, as well as supranational and national law, might offer an extra layer of protection against the irresponsible proliferation of \u2018cyberweapons\u2019. This includes above all positive and due diligence obligations derived from international human rights, as well as the recently recast EU Dual-Use Regulation<\/a>, which expressly addresses \u2018cyber-surveillance items\u2019 and transforms the non-binding Wassenaar Arrangement\u2019s lists into binding European law. Moreover, the efforts to regulate the proliferation of \u2018cyberweapons\u2019 should not preclude the ongoing efforts to promote responsible state behavior in cyberspace and regulate the use<\/em> of \u2018cyberweapons\u2019.<\/p>\n