A nearly two-year effort to renegotiate language related to export controls around intrusion software in the Wassenaar Arrangement was rejected earlier this month during the member states’ plenary meeting.
This means that the overly broad language in the first draft of the rules, introduced in May 2015, stays for now and it will be up to President-Elect Donald Trump’s administration to decide whether to try again to renegotiate.
Wassenaar is an arms control agreement between its 41 members states, and most of the document governs conventional weapons. But in 2013, new language was introduced in an effort to control surveillance software—or intrusion software as it’s labeled in the agreement—such as those tools sold by Hacking Team, Gamma International and others. These types of tools are often sold to oppressive regimes and put civil liberties at risk in those parts of the world.
The rules as written, which have not been implemented in the United States, however, failed to include exemptions for penetration testing software and other legitimate research tools, as well as proof-of-concept exploits used during vulnerability research and disclosure. All of which would subsequently require time-consuming and expensive export control licenses under the proposed rules.
Almost immediately, in 2015, researchers were vocal about the vagaries in the Wassenaar language and warned that if they were to be adopted, serious consequences to vulnerability remediation would result. The Department of Commerce’s Bureau of Industry and Security (BIS) agreed to a rare do-over of the U.S. implementation after an initial comment period that garnered 300 responses from the research and vendor communities. The White House, in March, agreed to move forward with the renegotiation, which was rejected 10 days ago.
“It’s already had a global chilling effect on security researchers, who are not sure where they stand or where to ask their governments for help in deciding if something needs an export license. We’ve seen participation drop from researchers in European countries in exploitation competitions like Pwn2Own,” said Katie Moussouris, CEO of Luta Security and part of the U.S. delegation. “We were hoping that this year’s decision would help clarify the Wassenaar Arrangement, but we’ll just have to try again next year. The original language took more than a year to agree upon in the first place, so it’s no surprise that renegotiating it will take more than a year of effort.”
The ball is now in the Trump administration’s court, which will decide what happens next.
“This is really the only question that we need answered, and it won’t be clear until the next administration decides on its position. The Congressional Cybersecurity Caucus, a bipartisan group, is urging the next administration to stay the course and continue renegotiating,” Moussouris said. “Let’s hope this is one briefing the new president will either take, or delegate to someone who recognizes the collective expertise driving this revision must be allowed to continue.”
Congressman Jim Langevin (D-RI), cofounder and cochair of the Congressional Cybersecurity Caucus and a senior member of the House Committees on Armed Services and Homeland Security, was among the lawmakers calling for a review of the controls and warned about potential consequences to the country’s security posture.
“I am deeply disappointed that Wassenaar member states declined to make needed updates to the intrusion software controls, particularly those related to technologies necessary for their development,” said Langevin in a statement.
The plenary did make one concession to improve language so that the rules pertain to command and control systems used by hackers to manage bots and malicious code, rather than defensive products.
“Although some helpful changes were made, the problematic ‘technology’ category definition was not changed. This broad description could result in security researchers and companies having to obtain export licenses in order to share exploit code across borders,” said Harley Geiger, director of public policy at Rapid7. “Sharing this kind of information is currently a relatively routine part of identifying and mitigating security vulnerabilities. Although the ultimate goal of this control is a noble one, without further edits, this control can impede work needed to advance cybersecurity and protect technology users around the world.”
Another problematic outcome is that the implementation of the rules would have little to no effect on vendors already selling intrusion software and other high-end exploits without export licenses. Some companies, such as VUPEN, have shuttered their doors and started again in non-Wassenaar member countries.
“Singapore and the Middle East are hubs for the relocation of field offices for these companies since Wassenaar added these controls,” Moussouris said. “It’s business as usual for the original targets of these export controls, and will be no matter what the language in Wassenaar says. The rest of the world is just trying to make sure Internet defense isn’t impeded unintentionally.”
