Export Controls and Intangible Goods
From Russia’s membership in the Wassenaar Arrangement to an intangible goods economy replete with AI systems and spyware, it is clear that the current approach to multilateral export controls merits a significant upgrade. Aside from how to design the export control regime of the future—for example balancing whether one new regime is superior to a series of mini sectoral regimes—it is clear that next-generation regimes will need better infrastructure and mechanisms for governing intangible goods.
Q1: What are intangible goods, and what distinguishes them from software?
A1: Intangible goods are by nature difficult to define and vary immensely in their ability to affect U.S. national security. Examples of intangible goods include non-fungible tokens (NFTs) and spyware that can be covertly installed on mobile devices. The key challenges in controlling intangible goods stem from their nonphysical nature and the lack of consensus among international partners in determining whether data is a commodity and, if so, who retains ownership rights over that commodity—a question the EU Data Act seeks to answer definitively. While some bulk data is rather innocuous, for example facilitating the remote delivery of medicines through uncrewed aerial vehicles, bulk data can also serve as a weapon in adversaries’ toolkits that can accelerate the development of bioweapons or create chokepoints over the global food supply.
Software is largely an intangible service, meaning it is not an intangible good per se. Artificial intelligence (AI), on the other hand, is a mix of both tangible components, such as semiconductors, and services, such as software. These intangible components to AI can be thought of as measured and unmeasured. Measured intangible components include the specific software the hardware runs, while the unmeasured intangible components include the databases the technology analyzes or produces. There is also a fundamental difference in the use of intangible goods, such as algorithms and cloud computing, in computers. Cloud computing, for example, encounters physical limits since there is a maximum level that can be run simultaneously on graphics processing units. This physical limitation highlights the ongoing importance of hardware and performance measurements in determining controls. Yet, many AI systems rely on open-source information, making them significantly harder to control since they lack the same physical chokepoints, and, in many cases, the information has already become public. The difficulties of controlling open-source AI systems, however, do not mean that control mechanisms—whether export control regulations or ethical standards—cannot be designed and implemented effectively.
Q2: What are the primary challenges to expanding current U.S. export control regimes to intangible goods?
A2: Applying export controls to intangible goods poses unprecedented challenges, primarily due to the non-physical nature of the items in question. For instance, while officers can inspect shipments for controlled microelectronics at borders, the same is not immediately true for exported intangible goods and services. Some types of data, such as medical data, are easier to control than others. But controlling data that is open source, such as that available on AI platforms, is significantly more difficult because it is non-physical, often decentralized, and publicly available.
Q3: How does the Wassenaar Arrangement deal with intangible goods?
A3: The Wassenaar Arrangement, established in July 1996, is a voluntary export control regime with 42 members. Its primary objective was to replace controls on weapons and dual-use goods promulgated by its Cold War predecessor, the Coordinating Committee for Multilateral Export Controls (COCOM). Wassenaar distinguished itself from COCOM in that it was not meant to target any specific state or group of states, and it did not allow states to block each others’exports. Given that the arrangement is consensus-based, it provides members, such as Russia, with veto authority. Furthermore, although it remains the world’s preeminent dual-use control regime, the arrangement was built for the hardware age.
Initially, the Wassenaar Arrangement primarily covered software that was directly related to controlled hardware. In this sense, software was not necessarily viewed as a good that required controls on its own. Accordingly, the Wassenaar Arrangement’s general technology and software notes deal with intangible goods largely to the extent that they are linked to controlled goods or specific end-uses that pose a threat to national security.
The Wassenaar Arrangement specifically implements controls on including computational lithography software, Air Traffic Control (ATC) software, Electronic Computer-Aided Design (ECAD) software, and intrusion software. The controls on computer network intrusion software were updated in December 2017. Prior to this update, critics were wary of extending controls to tools and information necessary to defend networks from intrusion. The ECAD decision, published in January 2022, reflects a movement toward implementing controls on intangible goods in and of themselves.
Despite its relatively targeted controls on software and intangible goods, experts have recommended broadening the control list to include controls on software designed or marketed to aid hypersonic system development. For example, reports have emerged that China is using Western software in its hypersonic missile program. AI systems used to spot security vulnerabilities are also currently not controlled by the multilateral regime. More broadly, however, the Wassenaar Arrangement’s inability to target specific countries in some ways constrains its ability to address national security concerns associated with intangible goods.
Q4: How does the U.S. government deal with intangible goods regulations?
A4: The U.S. government does not necessarily distinguish its regulations on intangibles from those on tangible goods. According to the U.S. State Department, “The United States makes no legal distinction between ‘tangible’ and ‘intangible’ transfers of controlled technology, the form that the technology takes and the means of transfer is not relevant.”
The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) maintains the Commerce Control List (CCL), which includes over 3,000 items covered by the Export Administration Regulations (EAR). This list governs the export of commodities, software, and technology that are viewed as critical to national security. The CCL includes items on the Wassenaar Arrangement’s Dual-Use List as well as additional items that the United States has included under its statutory authority. Not unlike the Wassenaar Arrangement, the CCL typically deals with intangible goods by identifying their connections to defense purposes or tangible goods, but there is often a delay in the alignment of the two lists. In October 2021, after years of negotiations regarding controls on intrusion software, BIS published an interim final rule amending the EAR and establishing new requirements for the export of cybersecurity items, many of which had already been addressed by the European Union following the 2013 Wassenaar Arrangement’s controls on “intrusion software.”
When considering the U.S. government’s approach to export controls, it is also necessary to evaluate them in the context of their First Amendment implications. The Bernstein cases, for example, revealed that source code is subject to the First Amendment. Under this argument, it is difficult to see regulations like the European Union’s General Data Protection Regulation (GDPR) passing muster in the Supreme Court. However, the U.S. Department of State’s International Traffic in Arms Regulations (ITAR) has controlled services such as aerospace for some time. This could serve as a model for export controls moving forward.
Q5: How is Russia restraining progress within multilateral export control regimes?
A5: Since the Russian invasion of Ukraine, when the United States led the Global Export Control Coalition in restricting advanced technology to Russia, Russia has accelerated its obstruction of progress within the Wassenaar Arrangement. Because Wassenaar operates by consensus, just one member can block any proposal, essentially giving Russia veto authority over the organization. Under Secretary of Commerce for Industry and Security Alan Estevez has recently questioned the consensus-based structure of the Wassenaar Arrangement, suggesting that a new export control regime may not need to be run by consensus.
Although the proceedings and votes are confidential, it has been argued that the 2022 Wassenaar Arrangement likely demonstrated Russia’s ability to block additional controls. It remains unclear, however, why Russia did not block the modest 2021 amendment, which implemented new multilateral controls on ECAD. Estevez has recently questioned the consensus-based structure of the Wassenaar Arrangement, suggesting that a new export control regime may not need to be run by consensus.
Q6: Where should the United States go from here?
A6: The Wassenaar Arrangement is a necessary legal framework governing dual-use goods with both civilian and military applications. Furthermore, many countries’ export control legal structures are based on the Wassenaar Arrangement’s controls, meaning a move away from the framework overall would be immensely complex. Russia’s membership in the arrangement, coupled with Wassenaar’s design for the post-Cold War hardware age, nonetheless begs fundamental questions on its suitability in the digital and intangible economy. “I believe we need a fifth mechanism outside the existing ones, which still work in their varying areas—missile control, nuclear control, chem/bio, the Australia Group, for example . . . and all those were built in the 90s for the world of the 90s,” Estevez said.
As CSIS recently argued, if the United States, Netherlands, and Japan succeed in reaching an agreement on the October 7 semiconductor controls—and if the parties can hammer out the details and then implement and enforce a deal—this creates a new de facto mini export control regime for advanced semiconductors. This, in turn, underscores that it is possible to create new sectoral regimes governing advanced dual-use technologies. While it remains unclear whether a series of mini arrangements is best suited to supplement Wassenaar, it is clear that international partners need to begin thinking about new frameworks for the governance of intangible goods. CSIS will publish recommendations for governing intangible goods in a forthcoming report. As the world barrels deeper into digitization, claiming that governing data and intangible goods cannot be done is a losing strategy. To build such controls, it is necessary to continue bridging the gap between policymakers and industry representatives.
Margot Putnam is an intern with the Scholl Chair in International Business at the Center for Strategic and International Studies (CSIS) in Washington, D.C. Emily Benson is director of the Project on Trade and Technology and a senior fellow with the Scholl Chair at CSIS.