Political and military interest in cryptography is nothing new, but international controls on the sharing and export of information security technology are an ever more pressing concern for businesses.
Ciphers have been used to obfuscate sensitive messages as far back as Julius Caesar, but cryptography's importance for national security really grew following the decryption of Enigma and Lorenz. Today, robust cryptography is fundamental to meeting the demands of customers and governments. Businesses are heavily exposed to regulations that make it a criminal offence to export or transfer abroad hardware and software that not only performs cryptography, but merely has the potential to do so.
Setting the bar low
Despite the increasing use of cryptography, applicable laws are not new. The origins of information security export controls lie in the Wassenaar Arrangement, under which 41 states have agreed to control the spread of "Dual-Use" goods and technology with both civilian and military application. The basic thresholds have not moved for over a decade, and as a result the strength of cryptography that attracts government attention is painfully low. Controls apply to hardware or software that can engage anything stronger than 512-bit asymmetric algorithms or 56-bit symmetric algorithms. It isn't just strong cryptography that companies need to worry about.
Products that simply use cryptography already present in a device or operating system can also be caught - they don't need to actually provide or perform the algorithms themselves in order to be controlled. Therefore these controls could easily apply to:
- communication and file storage,
- middleware messaging,
- development and deployment software,
- public or private cloud applications and architecture,
- third-party products.
The immediate consequence for FinTech is that this captures almost every product, tool, and component handled. Controls can even capture specific information in emails and messages relating to the development, production and use of such products. This has the potential to severely impact both research and responses to cyber crime. So how do companies deal with the potentially burdensome requirements of cyber export controls?
The good news is that, for jurisdictions implementing the Wassenaar treaties, certain kinds of product are carved out for policy reasons. These provide a toolkit for companies to 'decontrol' cryptographic products. Inter alia, there are exemptions for consumer products, some banking and transactional products, and products with technical limitations to the use of cryptography.
Open and accessible licensing regimes in some countries make it easier for businesses to obtain and manage the clearances they need. However, conflicting regimes can make it hard for companies to manage the pressures across their key locations - in particular if a readily available solution in one country makes it harder to implement a compliance programme elsewhere.
Risk and requirements - a global question
The penalties for non-compliance can range greatly. This may depend on national legislation, regulators' appetite for enforcement, and the availability of voluntary disclosure programmes. UK penalties can range from imprisonment to unlimited fines, as well as an adverse impact on future licensing. Some jurisdictions may reduce penalties in return for voluntary disclosure and remedial steps to mitigate past violations.
The US and Germany have some of the most generous licensing options for cryptographic software, making registration and record keeping a relatively simple process. The UK, Ireland, and others promote engagement and discussion to find pragmatic solutions for businesses. By contrast, France, Poland and Russia impose stricter restrictions on the import, supply or use of certain products.
Regional centres are also key to technology and development. Singapore and Malaysia have adopted controls aligned with Wassenaar, and the enforcement agencies responsible are rapidly adopting more sophisticated approaches. China has a unique regime requiring foreign companies to apply for permits for the import and use of information security items.
As countries vie to protect their national interests, and the information security controls expand beyond cryptography into the realms of network surveillance and penetration testing, it is ever more important for companies to be on the ball with legal developments and get to grips with their movements of security products and technology.
Contributors: Ross Evans, Sven Bates