In spite of self-congratulatory pats on the back from several corners of the security world, this week’s decision from the Commerce Department’s Bureau of Industry and Security (BIS) to rewrite the proposed U.S. implementation of the Wassenaar Arrangement rules was an expected outcome—albeit an unusual one.
A 60-day comment period ended on July 20, and an outpouring of opposition from more than 300 technology companies and individual researchers against the first round of rules helped sway BIS. The rules, most argued, were too broad, sweeping up legitimate technologies such as penetration testing software and encompassing white-hat research that involves developing proof-of-concept exploits for new vulnerabilities.
The concern was that, as written, the rules would stifle security research by imposing onerous licensing requirements under Wassenaar on exploits used in legitimate work. High costs and fear of potential legal trouble, researchers cautioned, would not only stymie innovation but also weaken product security, as known and unknown vulnerabilities would be left unpatched.
The intent of the rules is to prevent not only the sale of, but also support for, so-called intrusion software developed by companies such as Gamma International (FinFisher) or Hacking Team (Remote Control System). Intrusion software is used by law enforcement and government agencies, including those in sanctioned nations, to monitor the activities of citizens, raising not only computer security and privacy concerns but also human rights issues, since the personal safety of some individuals could be put at risk through the use of these tools. Some experts said that vague language in the rules’ first draft demonstrated a lack of understanding of computer security, in particular of how terms such as zero-day apply in this context.
Collin Anderson, a security researcher in the Washington, D.C., area who has studied Wassenaar and export controls, was among those who expected BIS to come out with a second proposal and another comment period, calling the first round an “information-seeking process.” He points out that in the history of BIS and the implementation of Wassenaar rules there generally isn’t a proposed rule or a comment process, and that this was a much more engaged process between the affected parties than the norm.
“I think [BIS] understood and was reflective of the process and comments made that they understood at a certain point they didn’t have the information they needed,” Anderson said. “They understood they had hit a limit in their ability to understand the impact to the security industry.”
The new rules proposal could appear at any point in the next couple of months, up through the next scheduled Wassenaar Plenary in December. Until then, experts urge the security community to continue working with BIS to refine critical issues and avoid some of the landmines that plagued the first round.
“So this is a minor win, but only a first step. The real hard work comes now,” said Nate Cardozo, staff attorney for the Electronic Frontier Foundation (EFF). Cardozo said EFF has been engaging with the Commerce Department since May 20 when the first draft was published.
“What we’re hoping for is a rethink on how export controls on software can work in a way that protects human rights, which this rule would not have accomplished,” Cardozo said, in addition to protecting security research, academics and innovators. “We have some thoughts on how this export control regime might look different: We want to define the end uses and end users you want to control sales and support to.”
Cardozo applauds the security industry’s outreach to BIS in an attempt to educate the bureau and lobby for rules that balance goals on both ends of the spectrum. He too saw a knowledge gap at BIS, noting that its focus on zero-day development is not in line with how the intrusion software it is trying to control actually works.
“[BIS] pretty clearly didn’t understand the actual market for the type of software they’re trying to get at. There’s this whole focus in the proposed rule on zero days, but HackingTeam and FinFisher have a couple of zero days but that’s not what they rely on,” Cardozo said. “The sorts of software they’re worried about relies on old exploits and social engineering. This focus on zero day out of BIS was weird and frankly came from NSA which is focused on zero day.”
Moving forward, experts in the U.S. figure to be involved in crafting the next draft of the rules.
“I’m hopeful and looking forward to being part of the solution of helping with the noble goal of protecting human rights, while not hindering defense,” said Katie Moussouris, chief policy officer at HackerOne. “The rule as it was written would have harmed internet defense far more than offense could have done alone.
“From a big picture standpoint, the technical security community needs to provide constructive feedback to help point out where these regulations and laws have strayed so far from their intent that they do more harm than good. A little empathy will go a long way to keep the communication lines open.”