Notice to exporters 2018/03: updates to controls on ‘information security’ products using cryptography
Controls on ‘information security’ products, notably those using cryptography, are contained in Category 5 Part 2 ‘Information Security’ of the consolidated list of strategic export controls.
With the use of cryptography becoming more widespread, there has been an increase in the number of items controlled in this category. Simultaneously, there are also more products using cryptography that are excluded from control, both by longstanding ‘decontrol’ notes, listed at the start of Part 2 (such as Note 3, the cryptography note) and by more recent additions to the text.
It has been recognised that ‘information security’ in general is a complex section of controls. Following 2 years of multilateral negotiation between the Wassenaar Arrangement participating states, changes to the text were agreed at the end of 2016 and appeared in Annex I to Council Regulation (EC) No. 428/2009 (as last amended by Regulation (EU) No. 2268/2017) in late 2017.
Some amendments to the regulation were made in 2016 in preparation for the further 2017 changes detailed in 0.1 below:
- a new general ‘information security’ note incorporating the content of Note 1, which described the control status of information security equipment – Note 1 was subsequently deleted
- new sections of control, 5A003 (non-cryptographic information security) and 5A004 (systems … for defeating, weakening or bypassing ‘information security’), have been broken out from the previous 5A002
- renumbering and deletion of many sub-controls
- deletion of 5A002.a.7 – ‘non-cryptographic information and communications technology (ICT) security systems and devices that have been evaluated and certified by a national authority to exceed class EAL-6 (evaluation assurance level) of the Common Criteria (CC) or equivalent’
0.1 Purpose of 2017 changes
Category 5 Part 2, ‘Information Security’, has been restructured to create a set of ‘positive’ controls, to improve ease of use and clarity. The broad intent of the restructure was to maintain the scope of Category 5 Part 2, so the new text should not change the control status of most items.
The changes below are listed in the order in which they occur in the control text.
0.2 Change to Note 3 (the cryptography note)
Note 3 has been amended to clarify that it does not apply to 5A003 or 5A004.
0.3 Removal of Note 4 – relevant text incorporated in 5A002a
Note 4 excluded items with ancillary cryptography from control. Roughly speaking these are items that use cryptography but the primary function of the item is not information security, networking, sending, receiving or storing information, or computing. The cryptography is only used in support of the item’s primary function. An example of an item that was previously decontrolled by Note 4 is a vending machine that communicates using standard wifi encryption to report that it has run out of soft drinks.
Note 4 was written in the negative, excluding an item from control if the primary function was not listed. In an effort to help clear up confusion among exporters, Note 4 is being replaced with positive text in 5A002a that specifies the items subject to control.
0.4 Changes to 5A002a
Scope of control in relation to items and their ‘primary function’
This section now defines the scope of 5A002a as only applying to items:
- designed or modified to use ‘cryptography for data confidentiality’
- having ‘in excess of 56 bits of symmetric key length, or equivalent’
- whose cryptographic capability can be used without being activated, or has been activated
In addition, these items must have a primary function that is:
- information security
- digital communication, networking, computers or other information storage or processing functions
If the primary function of the item is not listed above, but the cryptography supports a non-primary function and the component (or other incorporated equipment or software) that performs the cryptographic function would in its own right be controlled under 5A002a, then 5A002a still applies.
For most items previously classified as 5A002a1a or 5A002a1b, these classifications are now simplified to 5A002a.
Taking an example of an item that was previously decontrolled by Note 4, let’s apply the new control text to the vending machine that communicates stock levels using standard wifi encryption. The vending machine has a primary function of supplying drinks. To support this primary function, the machine performs other tasks such as taking payment, and managing stock levels. Taking the new text in 5A002a1-3, the vending machine’s primary function is not ‘information security’. It’s not a digital communication or networking system and it does not have information storage or processing as a primary function.
Taking 5A002a4, the machine would use cryptography with a key size over 56 bits (or equivalent) but this cryptography supports the primary function of supplying drinks. Assuming that the wifi connectivity is conducted by a standard COTS (commercial off-the-shelf) wifi chip, then this component would almost certainly not be controlled by Category 5 Part 2 because it would meet the decontrol conditions of Note 3.
The changes to 5A002a are explained in more detail below.
Introducing the concept of ‘cryptography for data confidentiality’
5A002a now specifies that cryptography is only controlled when used for confidentiality. As with other changes made as part of the restructure, this is intended to maintain current control scope. A list of cryptographic functions that are not considered to be confidentiality functions is provided, including:
- digital signing
- digital rights management
Most of these exclusions were explicit in the previous control text. For example, authentication and digital signature functions were previously excluded in 5A002a1 text, whereas digital rights management was excluded at the item level by former Note 4.
New local definition of ‘in excess of 56 bits of symmetric key length, or equivalent’
Previously, separate control entries existed for ‘symmetric algorithms’ (5A002a1a) and ‘asymmetric algorithms’ (5A002a1b). The new text specifies that 5A002a controls ‘systems, equipment and components … designed or modified to use “cryptography for data confidentiality”, having “in excess of 56 bits of symmetric key length, or equivalent”’.
The definition of ‘in excess of 56 bits of symmetric key length, or equivalent’ is now provided separately in technical Note 2 and gives examples of equivalent asymmetric algorithms, key sizes and parameters.
Addition of Note 1 to 5A002a
A new Note 1 to 5A002a has been added to incorporate the condition: ‘When necessary as determined by the appropriate authority … details of items must be accessible and provided to the authority upon request…’, which was in the (now deleted) Note 4 and in Note g. to 5A002a.
New Note 2 to 5A002a
The new Note 2 incorporates the previous 5A002a decontrol notes a-j. Unless mentioned below, the wording of these decontrol notes remains the same, but their numbering changes to 2.a-2.i.
Introduction of Note 2.a. to 5A002a (smart cards and smart card readers/writers)
Note 2.a. to 5A002a replaces the previous Note a to 5A002a. Paragraph 1 of the previous text has been substantially rewritten to improve clarity, but the intended scope is identical.
Removal of Note g. to 5A002a (inactive or dormant cryptography)
In keeping with the move to a positive set of controls, Note g has been removed. The scope of the control text is preserved by adding new wording to the first paragraph of 5A002a: ‘… where that cryptographic capability is usable without “cryptographic activation” or has been activated…’
As a result of the removal of Note g, former Notes h, i and j are renumbered as 2.g, 2.h and 2.i.
0.5 Changes to 5D002
As indicated above, in 2016 distinct categories of 5A002, 5A003 and 5A004 were created.
5D002 has now been adapted to better reflect these categories, so that software performing information security functions can be more clearly classified. 5D002a and 5D002c each now have 3 subcategories (5D002a1, 5D002a2, 5D002a3 and 5D002c1, 5D002c2, 5D002c3) which relate to software with the characteristics of equipment in 5A002, 5A003 and 5A004 respectively.
Separately, 5D002d has become 5D002b, with the previous text in 5D002b being removed.
0.6 New global definition of ‘authentication’
The following definition has been added to the Definitions section of the text:
Verifying the identity of a user, process or device, often as a prerequisite to allowing access to resources in an information system. This includes verifying the origin or content of a message or other information, and all aspects of access control where there is no encryption of files or text except as directly related to the protection of passwords, personal identification numbers (PINs) or similar data to prevent unauthorised access.
More information on export controls is available on the ECJU pages of the GOV.UK website and on the SPIRE export licensing database.