IT security firms given guidance over supplying pariah states
Report comes after technology from western software firms such as Blue Coat and Gamma International ended up in wrong hands
A report outlining the cybersecurity measures firms can take to ensure their technology is not used to suppress human rights around the world was released today.
Assessing Cyber Security Export Risks is the first report of its kind. It gives tech firms guidance on ensuring that their exported products are not used by dictators and other groups to spy on and suppress dissidents, and that the cybersecurity industry does not impinge on human rights.
Ruth Davis, head of cyber, justice and emergency services at TechUK, which wrote the report in association with the Institute for Human Rights and Business (IHRB), told CRN: "The tech industry needs to take a lead in making sure while they expand and grow overseas, they do so responsibly and in a way that respects human rights.
"This should be done by all companies, whether they are the provider, the reseller, or the distributor," she said.
The report, which is based on research into past cases of human rights abuses and experience from companies operating overseas, noted two major examples where cybersecurity firms have directly or indirectly sold their products to regimes which have used them to suppress human rights.
The first example is the UK-based firm Gamma International, which sold its software package FinFisher – which contains programs capable of monitoring Skype calls, emails and collecting passwords – to the autocratic regime of Hosni Mubarak in Egypt. This was discovered after activists found documents relating to the government's intention to buy the software during the Egyptian Revolution of 2011.
The second example noted is of security vendor Blue Coat, which ended up selling its web-monitoring software to the Bashar al-Assad regime in Syria via Middle East-based distributor Computerlinks FZCO. Blue Coat was eventually cleared of knowingly selling its products to Syria and Computerlinks was fined £2.8m.
Davis commented that the report highlights the key steps companies need to take to make sure their products are not being used to suppress human rights.
"What we are saying to companies is first you need to filter the deal, decide whether there are any relevant trade sanctions or embargoes on the country and whether the product you are selling is under any export controls.
"We outline focus on what the product could be used to do – how it could be used to turn on citizens and what sort of political context is in that country," she said.
Davis also commented that companies need to take great care when looking at resellers and distributors, and to whom they might sell on the product.
Ed Vaizey, minister for culture and digital industries and co-chairman of the Cyber Growth Partnership, said: "TechUK's guide is a valuable and accessible tool which will help British companies respond with confidence to opportunities in the global cybersecurity market. I am grateful to all those who have contributed and I am proud to endorse this guidance, the first of its kind in the world."