Written by Puneeth Nagaraj, With Assistance From Sidharth Deb and Varsha Rao

Wassenaar Woes: Impact of the Failed Negotiations on Cybersecurity Technology on
India
Written by Puneeth Nagaraj, with assistance from Sidharth Deb and Varsha Rao
Note: This paper was written in February 2017. On 7th December 2017, India was admitted as a
member of the Wassenaar Arrangement at the plenary meeting held in Vienna, becoming the
Arrangement’s 42nd participating member, pending completion of some formalities.1 In light of this,
the impact of negotiations on India may need to be revaluated.
1. Introduction
A year ago, negotiations led by the United States to change the terms of the Wassenaar Arrangement
collapsed.2 At the behest of the United States, the December 2016 Wassenaar Plenary was tasked with
re-evaluating the amendments made in the 2013 Plenary (2013 amendment) which introduced the
regulated export of dual-use cyber technologies, namely intrusion software and IP surveillance
networks.3 The Wassenaar Arrangement is one of several non-proliferation arrangements India has
sought to enter,4 and it is therefore pertinent to analyse the implications of the 2013 Amendment
regulating the export of intrusion software and IP surveillance networks.
This paper examines the failed negotiations from an international and an Indian perspective. There is
a closely related debate on overbroad definitions and the potential weakening of legitimate
cybersecurity practices. These questions are flagged as being important from an Indian perspective.
But they are not addressed in detail here. Part two of this paper looks at the background to these
negotiations with a brief outline of the history and purpose of the Wassenaar Arrangement and 2013
Amendment. Part three of our analysis examines the concerns which arise from these failed
negotiations and its implications for India. In this context, we analyse the European Commission’s
recent proposal to regulate the export of cybersecurity technologies.

1
Special Correspondent, India gets entry into the Wassenaar Arrangement, The Hindu, December 8th, 2017,
http://www.thehindu.com/news/national/india-gets-admission-into-wassenaar-arrangement/article21347560.ece,
accessed December 30th, 2017.
2
Tami Abdollah, US fails to renegotiate arms control rule for hacking tools, AP News, December 20th, 2016,
https://apnews.com/c0e437b2e24c4b68bb7063f03ce892b5/US-fails-to-renegotiate-arms-control-rule-for-
hacking-tools, accessed January 2nd, 2017.
3
Sean Gallagher, Congrats, hackers: you’re now a munition (sort of), Ars Technica, December 21st, 2016,
http://arstechnica.com/tech-policy/2016/12/us-fails-in-bid-to-renegotiate-arms-trade-restrictions-on-exploit-
data-export/, accessed January 2nd, 2017; The Wire Staff, India’s NSG dream is becoming a distant mirage, The
Wire, November 29th, 2016, https://thewire.in/83355/indias-nsg-dream-is-becoming-a-distant-mirage/, accessed
2nd January, 2017.
4
The others are the Nuclear Suppliers Group (NSG), the Australia Group (AG), the Missile Technology Control
Regime (MTCR) and the Chemical Weapons Convention (CWC). See, the Wire Staff, India’s NSG dream is
becoming a distant mirage, The Wire, November 29th, 2016, https://thewire.in/83355/indias-nsg-dream-is-
becoming-a-distant-mirage/, accessed 2nd January, 2017; Langevin Statement on Wassenaar Arrangement
Plenary Session; December 19th, 2016, http://langevin.house.gov/press-release/langevin-statement-wassenaar-
arrangement-plenary-session, accessed January 2nd, 2017.
Electronic copy available at: https://ssrn.com/abstract=3094834

2. Background to the negotiations at the Wassenaar Plenary
The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and
Technologies (1996) is the successor to NATO’s Coordinating Committee on Multilateral Export
Controls (COCOM). COCOM was signed during the Cold War era to preclude Soviet Union/ Eastern
Bloc countries from advancing militarily by stifling access to technologies which could be
characterised as “dual use technology”.5 The Arrangement has 41 members (or ‘Participating States’)
and has become a broader, consensus-based voluntary forum to harmonize policies on exports of
conventional arms and armaments, dual-use equipment and sensitive technologies.6
2.1 Membership and Aims of the Wassenaar Arrangement
The Wassenaar Arrangement’s objective is to contribute towards international and regional security.7
It aims to do this by transparently monitoring the responsible transfer of items, which have been
categorised as conventional arms and dual-use goods and technologies. Participating States aim to
prevent the accumulation of these items in the hands of destabilising parties such as terrorists.8 They
seek to monitor the activities of participating states with a focus on “states of concern”, although there
is no consensus on who these states are.9 However, the Wassenaar Arrangement is a non-binding
instrument and its controls have legal effect only if implemented at a national level.10 It has been
argued that participating countries were unable to arrive at a list of states of concern since the
Wassenaar Arrangement operates by consensus.11 Thus one state blocking a proposal could defeat it.
Membership to the Wassenaar Arrangement is based on consensus of the parties to the arrangement.12
It must be established that an applicant nation has met the requisite criteria. First, the country must

5
Rajeswari P. Rajagopalan and Arka Biswas, Wassenaar Arrangement: The Case of India’s Membership, ORF
Occasional Paper #92 p.3, OBSERVER RESEARCH FOUNDATION, May 5, 2016,
http://www.orfonline.org/wp-content/uploads/2016/05/ORF-Occasional-Paper_92.pdf, accessed January 2nd,
2017.
6
Ibid.
7
About Us, The Wassenaar Arrangement, http://www.wassenaar.org/about-us/, accessed January 2nd, 2017.
8
Id.
9
The Wassenaar Arrangement at a Glance, ARMS CONTROL ASSOCIATION, October 2012,
https://www.armscontrol.org/factsheets/wassenaar, accessed January 2nd, 2017.
10
Privacy International, “A Guide to the Wassenaar Arrangement”, December 9th, 2013,
https://www.armscontrol.org/factsheets/wassenaar, accessed January 8th, 2017.
11
Daryl Kimball, “The Wassenaar Arrangement at a Glance”, October 2012,
https://www.armscontrol.org/factsheets/wassenaar, accessed January 8th, 2017.
12
Wassenaar Arrangement, NUCLEAR THREAT INITIATIVE, July 8, 2016, http://www.nti.org/learn/treaties-
and-regimes/wassenaar-arrangement/, accessed January 2nd, 2017; Also see Annex 4 of Guidelines &
Procedures,
including the Initial Elements, The Wassenaar Arrangement, December, 2016, http://www.wassenaar.org/wp-
content/uploads/2016/12/Guidelines-and-procedures-including-the-Initial-Elements-2016.pdf, at p. 12 see
Appendix 4, accessed January 2nd, 2017.
Electronic copy available at: https://ssrn.com/abstract=3094834

produce/ export arms or concomitant dual-use technology.13 Second, it must have a national export
control list which references the Wassenaar Arrangement Control Lists.14 Finally, the prospective
member must adhere to international non-proliferation norms and guidelines, which include, inter
alia, the Treaty on the Non-proliferation of Nuclear Weapons (NPT), Missile Technology Control
Regime (MTCR), Australia Group (AG) Chemical Weapons Convention (CWC) and the UN Register
of Conventional Arms.15
2.1.1 India’s Membership Bid
Rajagopalan and Biswas argue that India is actively seeking to position itself as a potential member of
various international arrangements including Wassenaar.16 Recent reports also point to India’s
accession to the MTCR and unsuccessful bid for membership of the NSG being linked to a future bid
for the membership of the Wassenaar Arrangement.17 In August, 2015 India added a list of 16
categories of defence equipment18 to its export control policy, reportedly so that it would comply with
the Wassenaar Arrangement.19
The Wassenaar Arrangement’s influence is limited to establishing non-binding best practices without
a formal compliance mechanism since it is a voluntary association not arising from a treaty.20 Its’
influence, however extends beyond its members. For instance, Israel has aligned its export control

13
The Wassenaar Arrangement, December, 2016, http://www.wassenaar.org/wp-
content/uploads/2016/12/Guidelines-and-procedures-including-the-Initial-Elements-2016.pdf, see Appendix 4, p
12, accessed January 2nd, 2017.
14
content/uploads/2016/12/Guidelines-and-procedures-including-the-Initial-Elements-2016.pdf, see Appendix 4, p
12, accessed January 2nd, 2017.
15
content/uploads/2016/12/Guidelines-and-procedures-including-the-Initial-Elements-2016.pdf, see Appendix 4,
accessed January 2nd, 2017.
16
Occasional Paper #92, pp.9-10, OBSERVER RESEARCH FOUNDATION, May 5, 2016,
2017.
17
Alyssa Ayres, India, Global Governance and the Nuclear Supplier’s Group, Forbes, June, 2016,
http://www.forbes.com/sites/alyssaayres/2016/06/06/india-global-governance-and-the-nuclear-suppliers-
group/#6f1357b93446, accessed January 2nd, 2017; Charu Sudan Kasturi, India in missile club, eye on two
others, The Telegraph, June, 2016,
https://www.telegraphindia.com/1160628/jsp/nation/story_93654.jsp#.WGDbP1N97IU, accessed January 2nd,
2017.
18
For a full list, see Notification No 115 (RE – 2013)/2009-2014,
http://dgft.gov.in/exim/2000/NOT/NOT13/not11513.pdf, accessed January 8th, 2017.
19
Occasional Paper #92 p.9, OBSERVER RESEARCH FOUNDATION, May 5, 2016,
2017.; Manu Balachandran, “India is Finally Walking the Talk on Becoming A Global Arms Exporter,”
Quartz India, September 02, 2015, http://qz.com/489410/india-is-finally-walking-the-talkon-becoming-a-global-
arms-exporter/ , accessed January 6th, 2017.
20
Privacy International, “A Guide to the Wassenaar Arrangement”,
https://www.privacyinternational.org/node/295, accessed January 7th, 2017..
regime with the Wassenaar list despite not being a member.21 It could be argued that India has felt this
impact.
Much of India’s regulation of dual-use technology export controlled items can be found in the Special
Chemicals, Organisms, Materials, Equipment and Technology (SCOMET) list.22 The SCOMET list is
maintained under Appendix 3 of Schedule 2 of the India Trade Classification regulated by the Foreign
Trade (Development and Regulation) Act No. 22 of 1992.23 The United States Bureau of Industry and
Security acknowledges that the SCOMET list is aligned with both the MTCR and the Wassenaar
Munitions List.24
It has been reported that India will pursue joining the Wassenaar Arrangement in the near future.25 As
observed above, India seems to be trying to harmonise its domestic export-control policy to be in
compliance with the Wassenaar and other non-proliferation arrangements.26 Since India has an
interest in complying with the Wassenaar Arrangement Control Lists, the question arises as to how
India should respond to the 2013 amendment given the attempt and failure of the recent negotiations
at the December 2016 plenary. It is likely that participating states will start amending their national
policies to comply with the 2013 amendment. The amendment is controversial and India should make
note of attempts to implement these measures.
2.2 Operation of the Wassenaar Arrangement and the 2013 Amendment
The Wassenaar Arrangement provides for two control lists to track the authorized transfers and re-
transfers of items included within the lists: the Munitions List (Conventional Weapons) and the Dual-
Use Goods and Technologies List.27 The latter (which is of relevance to this paper) has been divided
into 9 categories of Basic Items including Sensors and Lasers, Propulsion, Electronics, Aerospace and
Computers; along with additional annexures under the list detailing Sensitive Items and Very
Sensitive Items.28

21
Ibid; Also see, Barbara Opall-Rome, “Israel Liberalizes Cyber Export Policy”, Defense News, June 20, 2016,
http://www.defensenews.com/story/defense/2016/06/20/cae-lands-113-million-uae-naval-training-simulation-
work/86142930/, accessed January 7th, 2017.
22
Guidelines for Export of SCOMET Items, Indian Council for Medical Research, August, 2009,
http://www.icmr.nic.in/ihd/SCOMET%20items-DGFT.pdf, accessed January 2nd, 2017.
23
Guidelines for Export of SCOMET Items, Indian Council for Medical Research, August, 2009,
http://www.icmr.nic.in/ihd/SCOMET%20items-DGFT.pdf, p. 1, accessed January 2nd, 2017.
24
India Export Control Information, Bureau of Industry and Security, United States Department of Commerce,
https://www.bis.doc.gov/index.php/enforcement/220-eco-country-pages/1058-india-export-control-information ,
accessed January 2nd, 2017.
25
The Wire Staff, India’s NSG dream is becoming a distant mirage, The Wire, November 29th, 2016,
https://thewire.in/83355/indias-nsg-dream-is-becoming-a-distant-mirage/, accessed 2nd January, 2017..
26
Id.
27
How the WA Works, THE WASSENAAR ARRANGEMENT, http://www.wassenaar.org/about-us/, accessed
January 2nd, 2017.
28
Id.
The European Commission defines “dual-use items” as goods or technology that can be used for both
civil and military purposes.29 Examples of dual use technology ranges from global positioning
systems (GPS) to wetsuits and oscilloscopes.30 The Wassenaar Arrangement includes guidelines for
best practices which will allow members to determine if non-listed goods/ technologies are in fact
dual-use items.31
The Guidelines and Procedures of the Wassenaar Arrangement do not explicitly prohibit the export of
items on its Control Lists to Non-Participating States. However, Participating States are expected to
notify other participants if a license is denied for an item in the Dual Use List under the terms of the
Wassenaar Arrangement to a non-participant.32 All notices denied must be shared twice a year with all
participants.33 In addition, a Participating States may make specific requests on the transfer of items in
the Dual Use list to a non-participant State.34
As a non-participating state, India can procure items on the dual use list from participating states.
However, information on such transfers may be made available to other participant states as per the
Wassenaar Arrangement. Given this context and the recent failed negotiations initiated by the US at
the Wassenaar Plenary, we now turn to the 2013 amendment to the Wassenaar Arrangement.
During the 2013 Plenary, both “IP network surveillance systems” and “intrusion software” were
added to the Dual Use Control List.35 The Plenary in their public statement announced that these
amendments were necessary as surveillance technology, under certain circumstances, posed a threat to
international and regional security and stability.36 However, this move has come under a lot of
criticism, as discussed below.

29
Article 2(1), REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL setting up a
Union regime for the control of exports, transfer, brokering, technical assistance and transit of dual-use items
(recast), European Commission, September 28th, 2016,
http://trade.ec.europa.eu/doclib/docs/2016/september/tradoc_154976.pdf, accessed January 7th, 2017.
30
For an illustrative list of dual use items, see Examples of Dual Use Items, University of Oklahoma,
http://www.ou.edu/exportcontrols/advice_for_researchers/Examples_Dual_Use.html, accessed January 7th,
2017.
31
Criteria for the selection of Dual-Use Items, The Wassenaar Arrangement, http://www.wassenaar.org/wp-
content/uploads/2016/01/08Criteria-for-the-Selection-of-Dual-Use-Goods-including-Sensitive-and-Very-
Sensitive-Items.pdf, accessed January 2nd, 2017.
32
Guidelines & Procedures, including the Initial Elements, The Wassenaar Arrangement, December, 2016,
http://www.wassenaar.org/wp-content/uploads/2016/12/Guidelines-and-procedures-including-the-Initial-
Elements-2016.pdf, see Article V (1), accessed January 2nd, 2017.
33
Article V (2), Ibid.
34
Article V (6), Id.
35
Category 4 “Intrusion Software” and Category 5A Part 1 “IP network communications surveillance systems”,
Definitions of Terms Used in These Lists, LIST OF DUAL-USE GOODS AND TECHNOLOGIES AND
MUNITIONS LIST, http://www.wassenaar.org/wp-content/uploads/2016/12/WA-LIST-16-1-2016-List-of-DU-
Goods-and-Technologies-and-Munitions-List.pdf , accessed January 2nd, 2017.
36
Public Statement of the 2013 Plenary Meeting of the Wassenaar Arrangement,
http://www.wassenaar.org/wp-content/uploads/2015/06/WA-Plenary-Public-Statement-2013.pdf, accessed
January 7th, 2017.
2.2.1 Criticism of the 2013 Amendment
The potential problems with the language used in the 2013 Amendment were brought to light when
the Bureau of Industry and Security (BIS) came out with its initial draft to implement the
amendment.37 While the decision to regulate the harmful aspects of these technologies was well
meaning, stakeholders argued that the Plenary’s definition for “intrusion software” was overbroad
and would incorporate legitimate technology used for cyber security research and development.38
Critics have argued that the 2013 Amendment and efforts to implement it domestically in the US did
not keep in mind how cybersecurity companies develop their products using methods such as
penetrative testing and that such provisions would increase the vulnerabilities across critical
information infrastructure.39
The Electronic Frontier Foundation has said that there would be a chilling effect within the
cybersecurity research community owing to the drastic increase in red tape required across
jurisdictions to avail necessary export licenses.40 They believe that in the present scenario the sharing
of information and usage of practical vulnerability testing mechanisms such as fuzzers41 will be in
jeopardy of regulation depending on jurisdictional implementation.42
This chilling effect is demonstrated by an apprehension about sharing information on international

fora due to potential violation of export norms. For example, we have already witnessed lowered
participation in exploitation competitions such as Pwn2Own,43 where new penetrative testing and
cyber security techniques are shared between industry experts. Criticism has been directed at the

37
Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items
A Proposed Rule by the Industry and Security Bureau, United States Federal Register, May 20th, 2015,
https://www.federalregister.gov/documents/2015/05/20/2015-11642/wassenaar-arrangement-2013-plenary-
agreements-implementation-intrusion-and-surveillance-items, accessed January 2nd, 2017.
38
See for instance, Comments to the U.S. Department of Commerce on Implementation of 2013 Wassenaar
Arrangement Plenary Agreements, Electronic Frontier Foundation, July 20th, 2015,
nd
https://www.eff.org/files/2015/07/21/jointwassenaarcomments-final-1.pdf, accessed January 2 , 2017; and
Privacy International BIS Submission, Privacy International, 2015,
,https://privacyinternational.org/sites/default/files/Privacy%20International%20BIS%20submission.pdf,
accessed January 6th, 2017.
39
Kim Zetter, “Why an Arms Control Pact has Security Experts up in Arms”, Wired June 24th, 2015,
https://www.wired.com/2015/06/arms-control-pact-security-experts-arms/, accessed 8th January, 2017.
40
Comments to the U.S. Department of Commerce on Implementation of 2013 Wassenaar Arrangement Plenary
Agreements, Electronic Frontier Foundation, July 20th, 2015,
https://www.eff.org/files/2015/07/21/jointwassenaarcomments-final-1.pdf, accessed January 2nd, 2017.
41
Sergey Bratus, D J Capelis, Michael Locasto, Anna Shubina, Why Wassenaar Arrangement’s Definitions of
Intrusion Software and Controlled Items Put Security Research and Defense At Risk—And How To Fix It,
Dartmouth.EDU, October 9th, 2014, http://www.cs.dartmouth.edu/~sergey/drafts/wassenaar-public-
comment.pdf, page 12, accessed January 2nd, 2017.
42
Nate Cardozo & Eva Galperin, What Is the U.S. Doing About Wassenaar, and Why Do We Need to Fight It,
Electronic Frontier Foundation, May 28th, 2015, https://www.eff.org/deeplinks/2015/05/we-must-fight-
proposed-us-wassenaar-implementation, accessed January 2nd, 2017.
43
HP Pulled out as a sponsor to the event citing legal uncertainty arising out of the Wassenaar Arrangement.
See, Dan Goodin, Pwn2Own loses HP as its sponsor amid new cyberweapon restrictions, Ars Technica, March
9th 2015, http://arstechnica.com/tech-policy/2015/09/pwn2own-loses-hp-as-its-sponsor-amid-new-cyberweapon-
restrictions/, accessed January 7th, 2017.
usage of the term intrusion as it sweeps up legitimate forms of intrusion which are used to enhance/
shore up security of technological infrastructure.44 The term exfiltration has been suggested as an
alternative to intrusion software as a narrower, more appropriate term.45 This can be used to help
distinguish between tools commercially utilised to test systems for vulnerabilities by white hackers
and ones that siphon data and intelligence.46 Through the inclusion of the term intrusion software, the
Wassenaar Arrangement sought to regulate the export of “spyware” technology, which could be used
to extract data from devices which are network enabled. Such technologies can be used to track/
monitor specific individual targets.47 The United Kingdom characterised these technologies as tools
which would be used to gain “unauthorised access” into computer systems.48 This is indicative of the
grossly invasive potential of such software, which is why the Wassenaar plenary attempted to regulate
their export.
However, as we have discussed, the imprecision of the Wassenaar definition and subsequent domestic
implementation has the scope to hinder global cybersecurity research. Privacy International, while
commenting on the US’ 2015 implementation, called for human rights to be prioritised while
assessing whether a license can be granted..49 Due to the backlash from stakeholders, the US
recognised the flaws which prevail in the 2013 amendment and declared that they would go back to
the Plenary and seek to renegotiate the terms of these provisions.50 As we know now those
negotiations bore no fruit.
3. Fallout of the failed negotiations at the Wassenaar Plenary
The failure to make significant changes to the Wassenaar regime means several problems from the
2013 amendment remain. With respect to the overbroad definition for “intrusion software”, a
resolution seems difficult. A member of the US delegation to the Plenary suggested that the

44
Sean Gallagher, US to renegotiate rules on exporting “intrusion software”, ArsTechnica, March 2nd, 2016,
http://arstechnica.com/tech-policy/2016/03/us-to-renegotiate-rules-on-exporting-intrusion-software-under-
wassenaar-arrangement/, accessed January 2nd, 2017.
45
Sergey Bratus, D J Capelis, Michael Locasto, Anna Shubina, Why Wassenaar Arrangement’s Definitions of
Intrusion Software and Controlled Items Put Security Research and Defense At Risk—And How To Fix It,
Dartmouth.EDU, October 9th, 2014, p. 4, http://www.cs.dartmouth.edu/~sergey/drafts/wassenaar-public-
comment.pdf , accessed January 2nd, 2017.
46
Id .
47
,https://privacyinternational.org/sites/default/files/Privacy%20International%20BIS%20submission.pdf, p. 3,
48
Cyber Growth Industry Guidance: Assessing Cybersecurity Export Risks: Human Rights, National Security,
Tech UK, 2013,
https://www.techuk.org/images/CGP_Docs/Assessing_Cyber_Security_Export_Risks_website_FINAL_3.pdf,
49
,https://privacyinternational.org/sites/default/files/Privacy%20International%20BIS%20submission.pdf,
50
Nate Cardozo & Eva Galperin, Victory! State Department Will Try to Fix Wassenaar Arrangement, Electronic
Frontier Foundation, 29th February, 2016, https://www.eff.org/deeplinks/2016/02/victory-state-department-will-
try-fix-wassenaar-arrangement, accessed January 2nd, 2017.
preciseness of language to target a specific type of technology which translates equitably across 41
jurisdictions is a difficult task.51 Without a resolution to the contentious provisions, the transfer of
technology across borders could be affected. Even if the rules are not implemented at a national level,
the HP example serves as an illustration of the kind of impact the Wassenaar Arrangement can have
on cybersecurity technology.52
A recent European Commission proposal on export control regulations takes a different approach
from the Wassenaar Arrangement. Given the failure of the Wassenaar negotiations, it is worth
examining as a way out of the deadlock.
3.1 European Commission Proposal
The European Commission recently adopted a resolution to modernise their export regulations of dual
use technologies, in September, 2016. The proposal addresses associated human security concerns and
aims to prevent severe human rights violations caused via cyber surveillance technologies.53 The
proposal talks about an EU autonomous list of specific cyber surveillance technologies which are of
concern and must be subject to controls i.e. data retention systems and monitoring centres.54
This is accompanied by a “targeted catch-all control” that can facilitate export control of non-listed
technologies, where evidence of misuse prevails.55 This system can be applicable when the proposed
end-user may misuse the technology causing grave violations of international humanitarian/ human
rights laws in countries of final destinations.56 Article 14 of the proposed regulations specifically

51
Sean Gallagher, Congrats, hackers: you’re now a munition (sort of), Ars Technica, December 21st, 2016,
http://arstechnica.com/tech-policy/2016/12/us-fails-in-bid-to-renegotiate-arms-trade-restrictions-on-exploit-
data-export/, accessed January 2nd, 2017.
52
Dan Goodin, Pwn2Own loses HP as its sponsor amid new cyberweapon restrictions, Ars Technica, March 9th
2015, http://arstechnica.com/tech-policy/2015/09/pwn2own-loses-hp-as-its-sponsor-amid-new-cyberweapon-
restrictions/, accessed January 7th, 2017.
53
Commission proposes to modernise and strengthen controls on exports of dual-use items, European
Commission, September 28th, 2016, http://trade.ec.europa.eu/doclib/press/index.cfm?id=1548, accessed January
2nd, 2017.
54
Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL setting up a
(recast), European Commission, September 28th, 2016,
http://trade.ec.europa.eu/doclib/docs/2016/september/tradoc_154976.pdf , p. 9, accessed January 2nd, 2017.
55
(recast), European Commission, September 28th, 2016
http://trade.ec.europa.eu/doclib/docs/2016/september/tradoc_154976.pdf , Clause 9, p. 13, accessed January
2nd, 2017.
56
states that they should assess the “respect for human rights in the country of final destination as well
as respect by that country of international humanitarian law”.57
Since these regulations are still in a nascent stage, it is important for stakeholders to push for firmer
language and strong risk assessment criteria with respect to the same.58 Privacy International
expressed concern that the proposal suffers from issues of overbreadth, but welcomed the document’s
ability to reconcile trade with human rights.59 Access Now has criticised the catch-all control
provision in the proposal. They argue that the proposal places reliance on companies to voluntarily
submit themselves for review by export controls authorities.60 It has been said that this places
excessive reliance on companies’ internal compliance programmes.
Since both the Wassenaar Plenary and the European Commission deliberations over an export control
regime concluded recently, there has been little research that examines the impact of the proposed
rules. We will continue to follow these developments and update this memo in the future. From an
Indian perspective, it is important to be aware of the concerns expressed in the criticisms of the
Wassenaar Arrangement.
Conclusion
This memo has been drafted as a response to the failed negotiations at the 2016 annual Wassenaar
Plenary. We have observed that the Wassenaar Arrangement is a non-proliferation, export control
regime for conventional weapons and dual-use goods and technologies, which India has reportedly
sought to join. The government has tried to harmonise their export control lists with regimes like
Wassenaar and the MTCR.
We recommend that governments exercise caution while enacting their export control measures in
line with the Plenary’s 2013 amendment. Although the Wassenaar Arrangement helps set non-binding
best practices for the global community to follow, the amendment in its present form can have a
detrimental impact on global cybersecurity research/ defence and human rights.

57
58
Edin Omanovic, Landmark changes to EU surveillance tech export policy proposed, leaked policy document
shows, Privacy International, June, 2016, https://www.privacyinternational.org/node/909, accessed January 2nd,
2017.
59
http://trade.ec.europa.eu/doclib/docs/2016/september/tradoc_154976.pdf , accessed January 2nd, 2017.
60
Lucie Krahulcova, EU wants to limit export of surveillance technologies without hurting security research,
Access Now, December, 2016, https://www.accessnow.org/eu-wants-limit-export-surveillance-technologies-
without-hurting-security-research/ , accessed January 2nd, 2017.
First, the overbroad definition of intrusion software means that there will be export control/ licensing
requirements required to share basic cybersecurity research/ information among researchers. These
excessive requirements have the potential to stymie the ability of local cybersecurity communities’
ability to keep their security walls updated and capable of warding off potential threats. Second, the
regime cannot fulfil its goal because, as discussed above, companies who wish to bypass these
regulatory constraints can operate from jurisdictions where such restrictions do not prevail.
The European Commission’s (September, 2016) proposal is a first step in terms of aligning
surveillance export policy with human rights. They have taken the initial steps to ensure that any
potential human rights violations have to be factored, before allowing sensitive cyber surveillance
technology to reach an end-user.

Written by Puneeth Nagaraj, With Assistance From Sidharth Deb and Varsha Rao

Uploaded by

Written by Puneeth Nagaraj, With Assistance From Sidharth Deb and Varsha Rao

Uploaded by

Wassenaar Woes: Impact of the Failed Negotiations on Cybersecurity Technology on

Electronic copy available at: https://ssrn.com/abstract=3094834

2.1 Membership and Aims of the Wassenaar Arrangement

Electronic copy available at: https://ssrn.com/abstract=3094834

2.1.1 India’s Membership Bid

2.2 Operation of the Wassenaar Arrangement and the 2013 Amendment

This chilling effect is demonstrated by an apprehension about sharing information on international

3. Fallout of the failed negotiations at the Wassenaar Plenary

3.1 European Commission Proposal

You might also like