Security pros issue comments before Wassenaar Arrangement deadline
The call for comments on the Wassenaar Arrangement closed on Monday after multiple heavy-hitting tech experts and companies filed their responses, which included calls for amendments to the rules, total redactions, or clarification.
The Wassenaar Arrangement aims to control the export of various goods, software and information. Of particular concern to the tech industry, however, is the limitation on technologies related to “intrusion software.” The arrangement functions, more or less, as a suggested export guideline, with each of the 41 participating countries enforcing it as it sees fit.
In May, the U.S. Department of Commerce's Bureau of Industry and Security (BIS) proposed implementing December 2013 additions to the Wassenaar Arrangement, which invoked the comment period.
As BIS explains in its proposal, it would add to the list of controlled technology: “systems, equipment, components and software specially designed for the generation, operation or delivery of, or communication with, intrusion software include network penetration testing products that use intrusion software to identify vulnerabilities of computer and network-capable devices.”
Researchers argued at the time, and in their comments, that this definition could impact more than the intended items; critical research devices, and even researchers themselves, could ultimately be seen as breaking the proposed rules.
Rapid7, for example, wrote that “the proposed rule would place significant restriction on exports, reexports, and transfers of penetration test platforms, and would not distinguish between products that possess characteristics and features that deter misuse, and those that do not.”
Separately, Eric Wenger, director of global government affairs at Cisco Systems, noted that while the company understands the government's concerns over unregulated exports of weaponized software, “many of the same techniques used by the attackers are important to developers testing their defenses and developing new effective responses.”
While BIS began posting the 164 comments it received, many commenters made their thoughts public on Tuesday, and their comments often included suggestions for improving the proposal.
The Electronic Frontier Foundation (EFF) said a more clearly worded rule would be better than the one proposed now.
“The vagueness of the WA control lists has real world chilling effects on fundamental academic research,” the comment states.
Christopher Soghoian, who filed separately from his employer, the American Civil Liberties Union (ACLU), took a different approach and asked BIS to expand the controlled technologies to include security exploits exported to governments for surveillance. He goes on to mention Hacking Team's data breach, which exposed the inner workings of a company selling surveillance software, including its hoarding of zero-day vulnerabilities and other exploits.
BIS will wade through the comments and come back with its final rule in the coming weeks.