Software can officially and formally be munitions. Since December 2019 offensive software even more so. At least in the context of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, whose members are different countries around the world. The treaty regulates the selling of munitions or dual-use products (that can be used both for civilian and military applications). The treaty includes a list of controlled munitions. Examples include “bombs, torpedoes, rockets, missiles, other explosive devices”, chemical or biological agents, “riot control agents”, “armoured or protective equipment”, “high velocity kinetic energy weapon systems”, and among these - “software”.
Yes, the list includes software, until recently in this fashion: “specially designed or modified for any of the following: “(...) Development", "production", operation or maintenance of equipment specified by the Munitions List; "Development" or "production" of materials specified by the Munitions List; "Development", "production", operation or maintenance of "software" specified by the Munitions List. (...) specially designed for military use and specially designed for modelling, simulating or evaluating military weapon systems”, etc.
...and now following the December 2019 update the list explicitly includes offensive software (a.k.a “cyber tools”, or “cyber weapons”) for specific military use:
"Software" specially designed or modified for the conduct of military offensive cyber operations;
includes "software" designed to destroy, damage, degrade or disrupt systems, equipment or "software", specified by the Munitions List, cyber reconnaissance and cyber command and control "software", therefore.
Which fortunately also includes important exceptions:
does not apply to "vulnerability disclosure" or to "cyber incident response", limited to non-military defensive cybersecurity readiness or response.
Now expect signatory countries to adapt their laws.
Participating States recognize that it is important to have comprehensive controls on listed "software" and "technology", including controls on intangible transfers. National export control legislation should, therefore, permit controls on transfers of listed "software" and "technology" irrespective of the way in which the transfer takes place.
Many knew this list would be updated. It's not over yet. It will be interesting to see how specific countries will actually regulate this in the national laws.
Software is munitions. Offensive software even more so.