Cyber-surveillance tools are a growing challenge for the international community. Their sophistication and potential for misuse pose threats to human rights (as evident in the many allegations of Pegasus spyware being used to target political dissidents, journalists and human rights defenders) and to national security (as seen in concerns about Russia’s potential use of its Snake spyware in attacks on critical infrastructure). On 18–20 March 2024, invited governments will meet for the third Summit for Democracy in Seoul. This presents an opportunity to push forward the work started at last year’s summit to enhance the use of export controls to limit the proliferation of cyber-surveillance tools and prevent their misuse.
The code of conduct
A key achievement of the second Summit for Democracy, held in March 2023, was a code of conduct endorsed by 25 states on the use of export controls to ‘prevent the proliferation of goods, software, and technologies that enable serious human rights abuses’. The code of conduct forms part of the Export Control and Human Rights Initiative launched at the first Summit for Democracy in 2021.
States subscribing to the code of conduct commit to applying export controls ‘to ensure that relevant goods and technologies are used in compliance with international human rights law’. They also commit to developing best practices concerning the application of export controls to cyber-surveillance tools, facilitating the adoption of due-diligence standards by companies, and promoting the wider adoption of the code of conduct.
The unmet potential of export controls
Export controls require companies to obtain government-issued licences before transferring sensitive items identified in a control list. Since 2013, five categories of cyber-surveillance tool have been added to the dual-use control lists of the Wassenaar Arrangement (an export control regime with 43 participating states) and the European Union. Their inclusion enables Wassenaar participants and the EU’s member states to oversee the trade in the listed cyber-surveillance tools and to block exports on national security or human rights grounds.
Export controls have already yielded some notable results in preventing or prosecuting unlicensed transfers of cyber-surveillance tools. However, much could still be done to improve their consistency, coverage and application. The third Summit for Democracy is a chance not just to recruit more subscribers to the code of conduct but also to agree on some key steps to strengthen the use of export controls in this space.
Five ways forward
Promote adoption of a global instrument
Altogether, 49 states are committed to applying export controls on cyber-surveillance tools—by endorsing the code of conduct, participating in the Wassenaar Arrangement or being EU member states. However, this leaves the majority of states worldwide with no controls on exports of cyber-surveillance tools. Producers of cyber-surveillance tools have shown they can shift production from one state to another, underlining the need for a global instrument to prevent so-called jurisdiction shopping. Code of conduct subscribers could agree to use their collective voice to support the adoption of a global instrument committing all states to apply export controls to cyber-surveillance tools, potentially as a component of the planned United Nations Programme of Action to Advance Responsible State Behaviour in the Use of ICTs in the Context of International Security.
Harmonize control lists
While the Wassenaar Arrangement and EU dual-use lists are detailed, they are not the only, or the most comprehensive, lists of controlled cyber-surveillance tools. The lists adopted by the EU in connection with its sanctions on Belarus, Iran, Myanmar, Syria and Venezuela are broader in scope. Spain and Germany have included additional cyber-surveillance tools in their national export control lists. Switzerland recently proposed the inclusion of controls on another cyber-surveillance tool in the Wassenaar list but, given the divisions within the group, it is not certain that it will be adopted. Code of conduct subscribers could agree to publish a single list that consolidates these different controls. This consolidated list could also be put forward as the basis of a global instrument committing states to regulate the trade in cyber-surveillance tools.
Further boost transparency
Export controls have contributed to public transparency in the trade in cyber-surveillance tools. This is because some states that implement such controls publish information on licence approvals and denials in their national reports on arms exports. However, the level of transparency varies significantly between states. The EU has committed to releasing details of all member states’ exports of cyber-surveillance tools and recently published a set of reporting templates outlining which information will be published. Code of conduct subscribers could agree to adopt and implement the EU guidelines as common minimum standards for the publication of data on export licensing decisions.
Draft guidelines for assessing export licence applications
Export controls have been used to block many transfers of cyber-surveillance tools deemed to pose security or human rights risks. During 2020 and 2021, EU member states denied 67 licence applications for such exports. However, states’ implementation of these controls is inconsistent, and there are reports of some approving exports of cyber-surveillance tools to countries that are likely to use them in ways that violate human rights. One reason for this inconsistency is a lack of common guidelines for assessing licence applications. As part of their work on developing best practices, code of conduct subscribers could agree to draft guidelines for assessing export licences. These guidelines should be connected and aligned with other efforts aimed at establishing clearer standards for the domestic use of cyber-surveillance tools, including the Freedom Online Coalition and Pall Mall Process.
Create a platform for sharing experience and building enforcement capacity
As well as blocking undesirable transfers, export controls also empower states to prosecute companies that try to export cyber-surveillance tools without the necessary licence. In 2023, charges were filed in Germany against four individuals related to the unauthorized export of cyber-surveillance tools to Türkiye that were used to spy on the Turkish opposition movement. However, such prosecutions are rare, not least because many exports of cyber-surveillance tools involve transfers of software, which can be more challenging to detect, investigate and prosecute than physical items. States with limited resources and experience may need assistance if they are to effectively implement and enforce cyber-surveillance export controls. The code of conduct subscribers could agree to create a platform for states to share experiences of enforcing controls on exports of cyber-surveillance tools and provide technical and legal assistance.
Towards consistent and universal controls
Export controls remain the most effective and actively utilized policy response to the risks of proliferation and misuse of cyber-surveillance tools. However, their efficacy is limited by gaps and inconsistencies in the controls that have already been adopted, and the number of states committed to applying them needs to be expanded.
While the code of conduct may only have 25 subscribers to date, they include important and influential players. The third Summit for Democracy is an opportunity for them to drive the agenda forward and bring an effective global export control regime for cyber-surveillance tools a few steps closer.
With support from the Open Society Foundations, the SIPRI Dual-Use and Arms Trade Control Programme is conducting a project focused on improving the implementation of export controls related to surveillance technologies.
ABOUT THE AUTHOR(S)
Dr Mark Bromley is the Director of the SIPRI Dual-Use and Arms Trade Control Programme.