The U.S. executive branch this week changed its stance on the controversial 2013 amendment to the Wassenaar Arrangement that closely regulates the international export of cyber hacking and surveillance technologies. The Administration is now deferring to the opinion of many cybersecurity experts, who believe that export policies on so-called “intrusion software” don't just need a rewrite, but need to be renegotiated altogether.
Neither the State Department nor the Department of Commerce's Bureau of Industry and Security (BIS) has responded to SCMagazine.com's request for an official statement. However, the policy shift was acknowledged in a statement posted online by Congressman Jim Langevin (D-R.I.), senior member of the House Committee on Homeland Security and co-founder of the Congressional Cybersecurity Caucus.
Langevin echoed concerns frequently cited by the cybersecurity community that under its current proposed language, the revised Wassenaar Arrangement would create a chilling effect, prohibiting security experts from sharing software and code across borders for the legitimate purpose of detecting and exposing exploits and malicious network intrusions. Though the Arrangement was originally developed to prevent rogue nations and cybercriminal organizations from trading in dual-use weapons, including cyber weaponry, the unintended result would be that white-hat activities like penetration testing and bug bounty programs would be jeopardized, experts have argued.
“Today's announcement represents a major victory for cybersecurity here and around the world. While well-intentioned, the Wassenaar Arrangement's “intrusion software” control was imprecisely drafted, and it has become evident that there is simply no way to interpret the plain language of the text in a way that does not sweep up a multitude of important security products,” said Langevin in the statement.
Digital rights group the Electronic Frontier Foundation (EFF) concurred with this sentiment in its own online post. “Countless security companies, as well as EFF, pointed out that the proposed rule would have had dire and far-reaching consequences for the infosec industry,” said the EFF article.
“It appears that the State Department has heard these concerns loud and clear,” the organization continued.
After an interagency effort to draft the U.S. government's official policy on intrusion software export controls—in alignment with the revised Wassenaar Arrangement—the BIS in May 2015 publicly opened up its policy for public comment. The response was overwhelmingly negative, with companies like Google warning in its blog that the new rules “would have a significant negative impact on the open security research community” and would “hamper our ability to defend ourselves, our users, and make the web safer.”
In response to the feedback, the Administration originally intended to rewrite its document to ease the most restrictive language. But under continued pressure, the Administration now appears to be in favor of removing intrusion software altogether from the Wassenaar Arrangement control lists or at least significantly narrowing the scope of affected technologies.
“Ever since software became the dominant form of technology, technology export controls have a long history of failure. They invariably impact legitimate use of technology by the good countries more than they impede the use of the same technologies by the evil countries,” said John Pescatore, director, emerging security trends, at information security research and education organization SANS Institute, in an email to SCMagazine.com. “The Wassenaar Arrangement rules on intrusion and network surveillance technology were continuing that tradition, but were worded so broadly that they were doomed to just be ignored, which was probably the best outcome."
The Coalition for Responsible Cybersecurity, an alliance of security companies formed in opposition to the Commerce Department's proposed export control regulations, was similarly pleased. Alan Cohn, of counsel with Steptoe & Johnson LLP, which represents the Coalition, told SCMagazine.com that the Coalition was "encouraged by the U.S. government's announcement, and is pleased that the Administration has listened to the feedback provided by U.S. industry, researchers, and academics.
Cohn said that the Wassenaar Arrangement's control language was "ill-conceived, and we look forward to the U.S. government taking a leadership role in correcting this inclusion." Coalition members include FireEye, Symantec, WhiteHat and others.
Katie Moussouris, chief policy officer at HackerOne, told SCMagazine.com today at the RSA Conference in San Francisco, "We can definitely do a bit of a victory dance," adding, “This represents a complete reversal by the State Department."
Still, the issue is far from resolved, as now the U.S. must convince the 40 other countries that have entered into this agreement to also drop the intrusion software policy. The European Union already introduced its own version of the intrusion software amendment in October 2014.
Craig Spiezle, executive director and president of the Online Trust Alliance (OTA), told SCMagazine.com that export controls on software have always been a balancing act. “We need to strike the balance of promoting innovation and establish controls and processes to help improve our nation's security and resiliency," said Spiezle. "The bad guys will find ways to acquire these tools. What we need is the ability to control and revolt privileges as needed. Industry needs to put these controls and circuit breakers in place.”