Friday, February 23, 2018

Blockchain Export Control

Wanting to withdraw from the Wassenaar Arrangement is totally sane policy position and hopefully this blogpost will help explain why.

Mara would be better off rewriting Wassenaar's regulatory language as a Solidity smart contract on top of Ethereum. They share (aside from the obtuseness of the language) several key features. In particular, they can be described as one way transaction streams.

I know that supporters of the WA, which requires 41 nations to all agree on a change before it happens, think that the current path of export control is hunky dory and well adjusted to technical realities. But even in areas that ARE NOT CYBER you only have to sit through a couple public ISTAC meetings before you see that while it is easy to CREATE regulations, it is nearly impossible to revise or erase regulations. This is why we have regulations on board that appear to apply to technology from the 50s, which one day is what people will look at all Ethereum programs as.

For technologies that change slowly, this is less of an issue. But you cannot predict the change rates in technological development before you decide to regulate something with export controls. Nor is any form of return on investment function for your regulation specified, so unused and ill-planned regulatory captures just hang around on the Wassenaar blockchain forever.

As a concrete example, let's take a look at Joseph Cox's spreadsheets, wherein he FOIA'd various UK Govt license filing information.

The 5A1J ("internet surveillance system") spreadsheet, here, specifies two real exports, one of what appears to be ETIGroup's EVIDENT system to the UAE and the other which appears to be BEA Detica to Singapore, both of which were approved.

Now I personally have spent maybe fifty hours this year trying to untangle the stunningly bad 5a1j language, which uses technically incorrect terminology, arrived vastly out of date (i.e. applies to any next gen firewall/breach detection system) and has no clear performance characteristics. All of this for something that in the UK resulted in TWO SALES, which if they had been blocked would just have resulted in the host governments putting something together from off the shelf components??!?!

Taking a look at his 4D4 "intrusion software" spreadsheet, here, you get similar results:

  • A sale to the United States
  • A sale of a blanket license for "Basically anything penetration testing related" to Jordan, Philippines, Indonesia, Kuwait, Egypt, Qatar, Oman, Saudi Arabia, Singapore and Dubai.
  • A sale to Bahrain
  • A sale to Dubai (but just for equipment "related"?)

Even if those are the most important four export control licenses ever issued I think the time anyone has spent on implementing or talking about these regulations is EXACTLY LIKE the entire rainforest fed into the blazing fire every day that is Ethereum's attempt to emulate the world's slowest Raspberry Pi running Java.

There's a weird conception among "civil society" experts that export control is useful whenever any technology can have negative uses. That's a misunderstanding of how Dual-Use works that is not shared even among the most optimistic of the specialists I've talked to in this area.

In addition, NOT issuing those licenses results in four possibilities none of which is "Country does not get said capabilities":

  1. The country develops it internally by gluing off the shelf components together (because there is basically no barrier to entry in these markets - keep in mind HackingTeam was not...a big team)
  2. The country buys it from China 
  3. The country buys it from a Wassenaar country with a different and looser implementation of the regulation. (Unlike Ethereum, every WA implementation is different, which is super fun. For example, the US has this neat concept called "Deemed export" which means you need a license if you give the H1B employee next to you something that is controlled.)
  4. The country buys it from a reseller in a country with less baggage using a cover company and then emails it to themselves using the very complicated export control avoidance tool "Outlook Express".

But for FOUR LICENSES seriously who cares? This whole thing is like having a BBQ on the side of the space shuttle. With enough expended energy you can sure toast a few marshmallows, but it's not going to be the valuable memory building Boy Scout experience for your kids that maybe you were hoping for.

And I'll tell you why I personally care and it's because all the people who should be working on policies that "make sure we don't lose an AI war to China" are instead sitting in Commerce Dept rooms defending their companies from the deadly serious rear naked choke that is Wassenaar! And it's not just cyber, it's everything.

If you want to make a number for your controlled Frommy Widget in the WA go from 4Mhz to 6Mhz then it's a simple three year process of arguing about it with various agencies and then it goes through the  system and by the time the language has changed it's already out of date, much like every valuation of your BitCoin you've ever gotten. So now you're spending your precious cycles arguing for a change from 6Mhz to 8Mhz in the very definition of a Sisyphean process.

The end result is that instead of exporting hardware around the world, we export jobs as companies set up overseas in the VERY INDUSTRIES WE CONSIDER MOST SENSITIVE AND IMPORTANT. This is a hugely real issue that should be part of the ROI discussion around any of these regulations but never is for some reason.

This could be maybe fixable by implementing a mandatory nonrenewable 5 year sunset to all Wassenaar regulations. But to do this, the US (and the international community) basically needs to hard-fork the whole idea of technological export control, which is something we should do for many reasons. A more realistic option may be to pull completely out of WA and re-implement the parts that make sense with bilateral agreements.

Another issue is that the actual technical understanding cycles spent on implementing new regulations are lower than they should be, for a process that is only a one-way diode. I.E. you need people full time on every one of the new and old issues but by definition the technical experts on these issues work on them part time. Basically you want people doing a TDY looking at all the regulations from a technical perspective, and we don't have that as a community. We could solve that by giving grants to various companies to fund it, or by hiring it within the Commerce department (and various related international equivalents). Think the DARPA PM program, but for export control experts.

But that's hugely expensive, and as pointed out, it's questionable if any of this makes any more sense to invest in than a virtual blockchain cat!




No comments:

Post a Comment