A contentious amendment to an international export treaty has been causing an uproar in the security communities, reports Karen Epper Hoffman.
Few issues have united the threat response community, cybersecurity researchers and even lawmakers in the United States as completely and intensely as their dislike of a proposed rule that would limit the ability to share information and export surveillance and intrusion software.
This proposed amendment to the long-standing Wassenaar Arrangement, a multilateral export control regime among 41 countries established to create controls for transferring or selling potentially dangerous arms or technologies, has been raising a ruckus among cybersecurity research and threat response experts and their supporters for more than a year. The amendment recommended adding to the list of export controlled items internet-based surveillance systems and “intrusion software” – basically any software that could be used to overcome a computing system's protections. While the initial amendment was added to the Arrangement in December 2013, concerns kicked into high gear last May, when the U.S. Department of Commerce's Bureau of Industry and Security (BIS) offered up its proposal for implementing it and opening a comment period.
“After the Commerce Department released its proposed implementation of the Wassenaar definitions for inclusion into U.S. law (an implementation that included dangerously vague language about regulating the export of software used to create exploits), all hell broke loose,” according to a February 2016 blog post co-authored by Eva Galperin (left), global policy analyst for the San Francisco-based Electronic Frontier Foundation. “Countless security companies, as well as EFF, pointed out that the proposed rule would have had dire and far-reaching consequences for the IT security industry.”
The basic idea behind the amendment was that, much like an automatic rifle or a missile-launching system, intrusion software and surveillance technology could be used by bad actors or terrorists to devastating effect. Not a bad idea in theory, threat response experts say. But in practice, demanding stricter export rules and procedures on these technologies that are the life's blood of their work could actually have a chilling effect on cybersecurity research and the development of better protections.
Alan Cohn, attorney, Steptoe & Johnson
Eva Galperin, global policy analyst, Electronic Frontier Foundation
Jim Langevin, Congressman (D-R.I.)
Cheri McGuire, VP, global government affairs & cybersecurity policy, Symantec
Katie Moussouris, chief policy officer, HackerOne
“This amendment is written so broadly it would act as a dragnet, sweeping in all the useful tools,” says Katie Moussouris, chief policy officer for HackerOne, and one of the leading voices decrying the export controls amendment to the Wassenaar Arrangement. “First and foremost, I would love to see [this amendment] rolled back and removed. Export controls are not the right place to deal with these concerns.”
Moussouris, an MIT-educated former hacker, Linux developer and all-around ambassador of the global threat research community, has been one of the main voices leading the rallying cry among fellow threat response and cybersecurity researchers and other allies in the government and the larger IT security arena to roll back or at least revise the proposed amendment (see our May 2014 issue). Moussouris and like-minded experts believe this proposal would significantly hamper their ability to research and conduct penetration testing, execute coordinated vulnerability response and offer “bug bounties” to hackers who help weed out potential weaknesses in software and systems.
For example, if a U.S. researcher discovered a vulnerability in software made by a foreign company, that researcher would need to get a license before it could notify the software-maker – a development that would stymie quick bug detection and bug bounty programs alike. The proposal would not only stifle conveying vulnerability information across the global offices of a single company, it could even limit sharing threat information within single U.S. IT security-focused companies should the researchers involved not be U.S. citizens (in which case, they would need an export license to confer with their colleagues, even in the same office).
“Our view has been clear from the start, this rule is much too expansive,” says Cheri McGuire, vice president of government affairs and cybersecurity policy for Symantec. “Security does not differentiate intent of use.”
The language of the initial Wassenaar Arrangement amendment is “less troubling than the way [the U.S. Commerce Department] has proposed to implement it,” Galperin says. Each of the 41 countries participating in the two-decade-old Wassenaar Arrangement – a wide-ranging group that also includes the Russian Federation, the United Kingdom, Mexico and most of the European Union countries – are entitled to implement the amendment in their own fashion. “The Commerce Department put forward its proposal for how to implement it [in May 2015] and it was just terrible…very vague,” Galperin says.
In the wake of the suggested U.S. implementation, response from the threat response, penetration testing and IT security research community and its supporters has been vitriolic and widespread. Congressman Jim Langevin (D-R.I.), senior member of the House Committee on Homeland Security and co-founder of the Congressional Cybersecurity Caucus, allied his voice to the cybersecurity community when his office posted an online statement expressing his concerns about the Commerce Department's proposal. “While well-intentioned, the Wassenaar Arrangement's ‘intrusion software' control was imprecisely drafted,” said Langevin in the February statement, “and it has become evident that there is simply no way to interpret the plain language of the text in a way that does not sweep up a multitude of important security products.”
His two primary concerns, Langevin underscores in a recent interview, are that the proposal would “unintentionally make it more difficult to get threat information [disseminated] and would limit cybersecurity research.” The irony, he points out, is that in order to suss out these threats or vulnerabilities, “you need to see what the threat looks like.”
The contentious proposed regulation has even become a rallying point for some IT security companies – including Symantec, Ionic Security, FireEye, WhiteHat, Synack and Global Velocity – which in July 2015 came together to form the Coalition for Responsible Cybersecurity.
Alan Cohn (left), attorney with Steptoe & Johnson, which represents the Coalition for Responsible Cybersecurity, says that while member-companies understand the government's desire to “keep certain types of intrusion and surveillance software out of the hands of certain governments, dissidents and [terrorist] groups…a list-based export control regime will not prove the right way to achieve this policy goal.”
The language put into the Arrangement in the multinational plenary session in 2013 paints the issue with too broad a brush, Cohn says. In effect, he says, the implementation of this rule in the United States would hurt white hat hackers and threat response and research players more than it would impact the bad actors, who will flout the rule anyway.
Thankfully for the cybersecurity community, and those who benefit from it, the U.S. government has taken note of protests and concerns. In late February, the Obama administration filed a proposal to change the controls that it would have introduced under the 2013 amendment, specifically those on the development and use of intrusion software and surveillance technology. Deferring to the threat response and security research community, the administration changed its stance and will push to renegotiate the terms of these controls.
Now, a discussion of rolling back the language will be on the Wassenaar Arrangement agenda for April, when representative of the 41-country group will review roughly 80 or more proposals related to the Arrangement. In June, industry experts and other interested parties will be allowed to formally express their concerns on the impact of the controls for the United States, and after several months of negotiation and consensus-building on language, the over-arching Wassenaar body will get together again in December for a plenary session.
The response from IT security experts was immediate and resoundingly positive. “It appears that the State Department has heard these concerns loud and clear,” Galperin wrote on an EFF blog post the same day news of the announcement broke. Not only has all talk of finalizing the proposed rule as drafted come to halt, but State has put ‘removal of the technology control' on the agenda for the December 2016 meeting at Wassenaar.
Moussouris (left) contends that the Administration could not afford to ignore the “groundswell of voices from technologists…loudest here in the United States,” which boasts the world's largest cybersecurity research and threat response community. Speaking to Congress members, like Rep. Langevin, and getting them on board with concerns also helped get the ear of legislators and government, she adds.
The Congress Subcommittee on Information Technology of the Committee on Oversight and Government Reform hosted hearings on the subject in January 2016, featuring witness testimony from government officials, including Ann K. Ganzer, director of conventional arms threat reduction at the U.S. State Department's Bureau of International Security and Nonproliferation, and industry leaders, including McGuire from Symantec. The Congressional hearings were a major turning point in getting the support of the Administration, says Moussouris.
However, many IT security experts also realize that while the initial proposed implementation of the amendment to the Wassenaar Arrangement is not likely to survive here in the United States, there is still quite a long road ahead in hashing out what controls or policies might help achieve the desired objective of keeping these tools out of the hands of bad actors. After all, as Galperin and Moussouris both point out, the original purpose of the 2013 amendment to the Wassenaar Arrangement came in response to a number of human rights and privacy abuses that had been perpetrated by governments and criminal organizations using intrusion or surveillance software.
“The inclusion of intrusion software on the Wassenaar control list was done with good intentions,” Galperin said in a blog post. “Human rights advocates have recognized that surveillance software designed and sold by companies in Western countries has been responsible for serious abuses around the world.”
In 2012, there were several cases that came to light of journalists and independent citizens being spied on with FinFisher (also known as FinSpy), made by Gamma International, a British-German malware maker, Galperin points out. Even repressive regimes in Egypt, Bahrain, Ethiopia and Uganda have reportedly used these technology tools to spy on people in their own countries and outside their borders.
“Honestly, I agree that something should be done about these kinds of companies and this behavior,” Galperin says.
“The rationale politically was to prevent the use of this technology for purposes of surveillance,” says McGuire. “Those underlying reasons were good and fair. Backing away from the human rights aspect of [the amendment] will be difficult.” McGuire believes it will be important for the industry players to be realistic in their objections and have alternative options to suggest.
Adding further complexity to the process is the fact that the United States is not in this alone. The Wassenaar Arrangement is, after all, composed of 41 very different countries, which will all be viewing this objective from different angles and will almost undoubtedly implement controls in different ways. That means, even if the U.S. throws out any implementation of the intrusion software controls, IT security companies still must contend with these rules and procedures in other countries where they or their customers operate. Moussouris, who has collaborated with threat response experts outside the United States on this issue, expects that the U.S. will not be alone in its plan to renegotiate or remove the amendment. She expects the United Kingdom and Australia will also come forward with similar proposals.
“We're going back to Wassenaar with 40 other countries and trying to get them to see things the way we're seeing them,” Langevin says. “The concern I have is that other countries will be reluctant to renegotiate the language.”
Wassenaar: Needs arranging
At the end of February, the U.S. executive branch changed its stance on the controversial 2013 amendment to the Wassenaar Arrangement. The administration is now deferring to the opinion of many cybersecurity experts, who believe that export policies on so-called “intrusion software” don't just need a rewrite, but need to be renegotiated altogether.
After an interagency effort to draft the U.S. government's official policy on intrusion software export controls – in alignment with the revised Wassenaar Arrangement – the U.S. Department of Commerce's Bureau of Industry and Security (BIS) in May 2015 publicly opened up its policy for public comment. The response was overwhelmingly negative.
While the administration intended to rewrite its document to ease the most restrictive language, under continued pressure it now appears to be in favor of removing intrusion software altogether from the Wassenaar Arrangement control lists – or at least significantly narrowing the scope of affected technologies.
“Ever since software became the dominant form of technology, technology export controls have a long history of failure,” says John Pescatore, director of emerging security trends at the SANS Institute, an information security research and education organization. “They invariably impact legitimate use of technology by the good countries more than they impede the use of the same technologies by the evil countries.”
Still, the issue is far from resolved, as now the U.S. must convince the 40 other countries that have entered into this agreement to also drop the intrusion software policy. The European Union already introduced its own version of the intrusion software amendment in October 2014.
Craig Spiezle, executive director and president of the Online Trust Alliance (OTA), a Bellevue, Wash.-based nonprofit, says that export controls on software have always been a balancing act. “We need to strike the balance of promoting innovation and establish controls and processes to help improve our nation's security and resiliency,” says Spiezle. “The bad guys will find ways to acquire these tools. What we need is the ability to control and revoke privileges as needed. Industry needs to put these controls and circuit breakers in place.”