The White House, lawmakers said yesterday, wants to renegotiate the divisive U.S. implementation of the Wassenaar Arrangement rules as they relate to intrusion software.
A draft of the rules was pulled off the table in July by the Commerce Department’s Bureau of Industry and Security (BIS) following a 90-comment period during which advocates in the security industry raised crucial objections about vagueness in the language that put much more than surveillance software within its crosshairs.
The pressure, however, remains on BIS to come up with a draft that can be scrutinized under another comment period before December’s plenary Wassenaar meeting. All this is happening, of course, as the U.S. prepares to elect a new president in November, which could also impact prioritization of the rules implementation.
Rhode Island Congressman James Langevin, a senior member of the House Committee on Homeland Security and cofounder of the Congressional Cybersecurity Caucus, called the Obama administration’s decision a victory.
“By adding the removal of the technology control to the agenda at Wassenaar, the Administration is staking out a clear position that the underlying text must be changed,” Langevin said. “Furthermore, the administration leaves open the possibility for further alterations to the control pending additional interagency review.”
The original U.S. draft was released May 20, and almost immediately experts in the security community pointed out that legitimate research and tools would also come under Wassenaar and require expensive export control licenses. The rules were drafted to impose controls on surveillance software, written by companies such as Hacking Team, Gamma International and others, that is sold in oppressive regions of the world and puts civil liberties at risk.
Instead, the wording of the draft was overly broad and there were no exemptions written in for commercial pen-testing tools and other legitimate security software, for example. Also, the development of proof-of-concept exploits would fall under Wassenaar and require an export license to be shared. Such exploits are crucial for vendors as they examine vulnerabilities in their products and try to reproduce the conditions that could put data at risk.
These high costs and fear of potential legal trouble, researchers cautioned, would not only stymie innovation, but affect product security as known and unknown vulnerabilities would be left unpatched.
At the recent Kaspersky Lab Security Analyst Summit, HackerOne chief policy officer Katie Moussouris told Threatpost that the first comment period was unprecedented and was a harbinger of trouble.
“They knew that they needed industry and the security research community in the United States to really look at this language and weigh in,” she said. Moussouris pointed out, however, that as of two weeks ago, she was not aware of pen being put to paper on a new draft.
“We’re running out of time in the current administration; typically you don’t pass controversial new items at the tail end of a presidential administration,” Moussouris said. “Ideally what we’ll see is something that pulls out this broad language that acts as this dragnet. If we can get the particulars about intrusion software ‘technology’; it’s that key word, technology. They thought they were scoping it narrowly, but actually that broadened the scope quite a bit. If that piece gets taken out, I think we’ll be in much better shape in terms of implementation.”