The Wassenaar Arrangement, which controls the sale of technology and software that could be used as weapons, is threatening to choke the cyber-security industry, according to a consortium of cyber-security companies.
The Coalition for Responsible Cybersecurity, supported by Microsoft among others, agrees with the principle of Wassenaar but believes that when it comes to cyber-security it “misses the mark”.
“Because the regulation is so overly broad, it would require cyber responders and security researchers to obtain an export license prior to exchanging essential information to remediate a newly identified network vulnerability, even when that vulnerability is capable of being exploited for purposes of surveillance,” wrote Alan Cohn from the CRC on a Microsoft blog.
This view was reinforced by Microsoft assistant general counsel Cristin Goodwin who was speaking at the RSA Asia Pacific Security conference in Singapore. She said, in its current form, Wassenaar would force Microsoft to apply for 3800 arms export licenses in a year.
The Wassenaar Arrangement has 41 signatory countries. Member states voted to begin controlling cyber-security tools in December 2013, starting with intrusion software.
Goodwin, alongside Symantec director of government affairs Brian Fletcher, told the audience at RSA that it's difficult to untangle the complexities of Wassenaar because of the secrecy that surrounds the negotiations and the resulting policies.
She also complained that the technical advisory committee has historically failed to engage on cyber-security issues.
The significant consequence of Wassenaar is to impede the ability of the international cyber-security community to respond in a timely manner to threats and attacks, Fletcher and Goodwin claimed.
This includes inhibiting the sharing of proof-of-concept and exploit code, the creation and use of pen testing tools, the deployment of response teams and consultants, and even the sharing of information within a company across national boundaries.
The procedures and rules for licensing equipment and software for export also differ from country to country, further complicating the issue, they said.
They argued that the cyber-security community needs a seat at the table with a view to creating a process that works for the cyber-security industry rather than attempting to shoehorn it into the mould of the traditional arms control discussion.
Last year, Hewlett-Packard (HP) and its Zero Day Initiative (ZDI) team pulled their sponsorship of the Pwn2Own hacking competition in Japan this year over confusion about the Wassenaar Arrangement and difficulty in meeting its standards.