How to Control Spy Software

The Jerusalem Post reported on December 23rd that spy software made in Israel ended up in Tehran and was being used by the Iranian government to spy on dissidents and others targeted by the regime. The story recounts how such spy software from the U.S. and Europe -- as well as Israel -- gets into the hands of the bad guys. There isn't much control, and while government leaders may be wringing their hands over it, they don't seem to know what to do about it.

For the most part, spy software is not controlled today under any export license program. While some countries, including Israel, ban sales to adversarial nations -- e.g., Iran -- their software gets there through intermediaries. American and European spy software goes far beyond friends and allies, ending up with adversaries in the Middle East, Asia and elsewhere.

The U.S. government, and its European and Israeli friends, at some point appear to have drawn a mental line -- that became a policy line -- between what they consider "munitions," like rockets or missiles or guns, which they are willing to control, and "software" that isn't lethal and so maybe doesn't count. Yet we know from the uprising by the Iranian people after the stolen 2009 election that bad governments use spy software to find their enemies and then arrest them or worse. The regime was using (German-origin) Siemens packet technology to listen in on cell phones. The same kind of spy-ware can be used against our institutions, public and private. And probably is.

Is there a solution?

First, the Western mental line has to go and spy software has to be understood as part of the arsenal that nasty regimes use against their people and against others.  With a different mindset, software that can be used for electronic spying could be placed under the International Traffic in Arms Control (ITAR) rules and regulations. The ITAR system, sometimes called the Munitions List, is a strong, international control mechanism. Under the ITAR, each sale abroad must have an identified, verified end-user -- and the end user has to be a government or a defense company abroad working under the foreign government's verifiable authority. Re-export of a controlled item is permitted only if permission is granted by the sourcing country.

Right now there is a bazaar mentality on the sale and export of spy software. "Come to my store and I will sell you everything you need to go after your enemies, whoever they are - don't tell me who they are; I don't want to know." The spy-bazaar needs to be closed down; ITAR is an effective way to do it.

That loud screaming you hear comes from companies that want a free hand to sell spy software to anyone they choose. Let them scream - better that than Iranian or Syrian dissidents being identified and rounded up by the Basiji police or Bashar Assad's goons. This is a dangerous industry that needs to be brought under effective control.

Second, it should be illegal to transfer spy software electronically. There is a mindset in the computer-savvy community that information is made to be shared and restricting technology is equivalent to totalitarianism.  Facebook and Twitter encourage people to think of the world as a smaller and more open place.  In fact, however, real totalitarian governments want to take Western technology and use it precisely to repress free speech, free thought and the free exchange of views.  If a would-be hacker/spyware producer puts such spy technology on the Internet, or sends it off by email or file transfer, he or she should be made to understand the consequences and face prosecution.

Third, our friends and allies should be "requested" to take identical action. For over 50 years COCOM was the mechanism by which the US and Europeans controlled technology to the Soviet Union, China and their allies.  Our allies outside NATO generally played with COCOM rules as well.  COCOM is gone -- a casualty of the collapse of the Soviet Union and the demise of communism that encouraged the West to believe there were no more enemies.  We need to resuscitate COCOM, or a COCOM-like system to combat electronic spying threats.

Unless we all want to be victims, coordinated action is needed and needed soon to harness the threat of electronic spying.

Dr. Stephen Bryen, President of SDB Partners, LLC, was Deputy Undersecretary of Defense and the first Director of the Defense Technology Security Administration. Shoshana Bryen has more than 30 years' experience as a defense policy analyst. She is the former Senior Director for Security Policy at JINSA and was author of JINSA Reports from 1995-2011.
