Unsuitable addendum: Wassenaar Arrangement
A proposed amendment to the long-standing Wassenaar Arrangement has been raising a ruckus among cybersecurity research and threat response experts.
A contentious amendment to an international export treaty has been causing an uproar in the security communities, reports Karen Epper Hoffman.
Few issues have united the threat response community, cybersecurity researchers and even lawmakers in the United States as completely and intensely as their dislike of a proposed rule that would limit the ability to share information and export surveillance and intrusion software.
This proposed amendment to the long-standing Wassenaar Arrangement, a multilateral export control regime among 41 countries established to create controls for transferring or selling potentially dangerous arms or technologies, has been raising a ruckus among cybersecurity research and threat response experts and their supporters for more than a year. The amendment recommended adding to the list of export controlled items internet-based surveillance systems and “intrusion software” – basically any software that could be used to overcome a computing system's protections. While the initial amendment was added to the Arrangement in December 2013, concerns kicked into high gear last May, when the U.S. Department of Commerce's Bureau of Industry and Security (BIS) offered up its proposal for implementing it and opening a comment period.
“After the Commerce Department released its proposed implementation of the Wassenaar definitions for inclusion into U.S. law (an implementation that included dangerously vague language about regulating the export of software used to create exploits), all hell broke loose,” according to a February 2016 blog post co-authored by Eva Galperin (left), global policy analyst for the San Francisco-based Electronic Frontier Foundation. “Countless security companies, as well as EFF, pointed out that the proposed rule would have had dire and far-reaching consequences for the IT security industry.”
The basic idea behind the amendment was that, much like an automatic rifle or a missile-launching system, intrusion software and surveillance technology could be used by bad actors or terrorists to devastating effect. Not a bad idea in theory, threat response experts say. But in practice, demanding stricter export rules and procedures on these technologies that are the life's blood of their work could actually have a chilling effect on cybersecurity research and the development of better protections.
Alan Cohn, attorney, Steptoe & Johnson
Eva Galperin, global policy analyst, Electronic Frontier Foundation
Jim Langevin, Congressman (D-R.I.)
Cheri McGuire, VP, global government affairs & cybersecurity policy, Symantec
Katie Moussouris, chief policy officer, HackerOne
“This amendment is written so broadly it would act as a dragnet, sweeping in all the useful tools,” says Katie Moussouris, chief policy officer for HackerOne, and one of the leading voices decrying the export controls amendment to the Wassenaar Arrangement. “First and foremost, I would love to see [this amendment] rolled back and removed. Export controls are not the right place to deal with these concerns.”
Moussouris, an MIT-educated former hacker, Linux developer and all-around ambassador of the global threat research community, has been one of the main voices leading the rallying cry among fellow threat response and cybersecurity researchers and other allies in the government and the larger IT security arena to roll back or at least revise the proposed amendment (see our May 2014 issue). Moussouris and like-minded experts believe this proposal would significantly hamper their ability to research and conduct penetration testing, execute coordinated vulnerability response and offer “bug bounties” to hackers who help weed out potential weaknesses in software and systems.
For example, if a U.S. researcher discovered a vulnerability in software made by a foreign company, that researcher would need to get a license before it could notify the software-maker – a development that would stymie quick bug detection and bug bounty programs alike. The proposal would not only stifle conveying vulnerability information across the global offices of a single company, it could even limit sharing threat information within single U.S. IT security-focused companies should the researchers involved not be U.S. citizens (in which case, they would need an export license to confer with their colleagues, even in the same office).
“Our view has been clear from the start, this rule is much too expansive,” says Cheri McGuire, vice president of government affairs and cybersecurity policy for Symantec. “Security does not differentiate intent of use.”