Many cybersecurity experts have raised concerns after the Bureau of Industry and Security (BIS) published a proposal for the implementation of the Wassenaar Arrangement with regard to cyber weapons.
The Wassenaar Arrangement focuses on export controls for conventional arms and dual-use goods and technologies. Intrusion and surveillance systems were added to the list of regulated technologies in December 2013 in an effort to protect activists and dissidents who might be targeted by totalitarian regimes. The European Union adopted these changes last year and now the United States wants to do the same. The BIS is accepting comments on the Wassenaar Arrangement over the next two months.
The problem with the BIS’s version, according to many experts, is that the definitions of the targeted cyber weapons are overbroad, which could have a negative impact on security products and research.
Some members of the industry hope that the BIS will make some modifications to its proposal based on the feedback it will receive from the community. Others don’t believe the arrangement’s cybersecurity rules will have a major impact on the industry.
And the feedback begins…
Danelle Au, Vice President of Strategy, Adallom:
“While the intent of the Wassenaar Arrangement is to clamp down on hackers selling exploits and network surveillance tools to repressive regimes, its broad language around export controls for "intrusion software" puts legitimate sharing of vulnerabilities at risk. Information sharing about zero day exploits is essential to creating better software, and is an important weapon for security researchers in understanding attack patterns. This technology ambiguity needs to be clarified so that Wassenaar achieves its objectives without impacting legitimate threat intelligence sharing.”
Ryan Smith, VP, chief scientist at Accuvant and FishNet Security, becoming Optiv Security this summer:
“Wassenaar tries to restrict the sale or transfer of what the agreement classifies as Intrusion Software. In doing so, they also try to restrict information that may be used to develop Intrusion Software. The former is dangerous because Wassenaar fails to make the impossible distinction between Intrusion Software that is necessary to test security and Intrusion Software intended to be used for malicious or government intelligence purposes. The second is dangerous because it restricts people who find vulnerabilities from disclosing information about them to a software vendor.
Wassenaar also fails to understand that many of our advancements in computer security (ASLR, DEP, NX, heap randomization, stack canaries) have all been developed specifically because the Information Security community has always had a growing treasure trove of up-to-date attacks that demonstrate bypassing these types of protection. If Wassenaar were to pass unmodified, it would instantly stop the flow of insights for people trying to defend security. It would instantly make it much harder to get legitimate software tools to test security. It would make it so that people who find vulnerabilities are no longer incentivized to responsibly disclose vulnerabilities. It would cause people who have found ways around security protections to be rendered silent. I can’t imagine how this would be good for security.
One interesting thing about Wassenaar is that it does have the potential to benefit a small set of people. Government contractors who supply arms to the government have, for a long time, also supplied Intrusion Software. They have had a hard time competing in the market since it’s difficult for them to attract and retain top tier talent. This has created an opportunity for smaller companies who don’t traditionally perform government work but can attract and retain top-tier talent to work with the government. These large government contractors already have lawyers working on getting licensed for Wassenaar. Wassenaar would create a beneficial market situation for these government contractors since smaller companies will have a tough time navigating export restrictions and will be forced to use the government contractors as middle men, if not lose their business entirely to them.
In the end, I have faith that people are too intelligent for Wassenaar to be implemented as it stands today. Hopefully, that faith is not misplaced.”
Steve Lowing, Director of Product Management at Promisec:
“While I agree that there are certain unforeseen consequences in the language chosen, I disagree that it prevents the security industry from continuing the business of selling software that is intrusion software; it just requires a license to do so with your host government, just as encryption software and crypto-analysis software do today. Also, intrusion detection solutions are not part of this since they are listed as exclusions.
The unforeseen consequences to me are where this would require perhaps a slight change to the Wassenaar Arrangement and subsequent legislation to conform to the way the security research part of the security industry has operated. There is a general willingness on the part of this community to share details on exploits that are uncovered, either with the vendor of the system component that the exploit impacts or with a vendor for the purpose of detection of a known issue (penetration testing solutions and threat intelligence solutions are examples of vendors that would want to know about these issues, and subsequently any downstream party like an IOC detector might want to consume this information). The language in the Wassenaar Arrangement would put this activity by these researchers into an export control position when in reality they are not producing commercial software but in actuality doing research for the commercial software solutions that would/could rightly be export controlled.
In short, security researchers and research activities such as sharing of discovered exploits should be excluded from the new export controls of the Wassenaar Arrangement around intrusion software since doing so restricts and causes harm to the proper functioning of the community.”
Morey Haber, VP of Technology at BeyondTrust:
“While the sale of malware is something most people and businesses would consider proper for the agreement, acceptable use of exploits and IP surveillance are not as clear. Consider commercial penetration tools. Under the requirements set forth in the PCI DSS v3, merchants processing credit cards must perform penetration testing on a periodic basis. The frequency and tester requirements are governed by the volume of transactions they perform (merchant tier). How are businesses worldwide supposed to perform these tests if there is a restriction on the tools required under the “Intrusion Exploits” category? This would mute their ability to properly test if a hack could occur and violate their merchant agreements -- all because the tools used for testing are now illegal to distribute under the agreement. There is no guidance in the current drafts on how these restrictions affect other compliance initiatives and security best practices designed to defend systems from similar types of attacks.
The second deep problem comes from IP surveillance. While the intent is for Internet backbones, it is rather vague on what should occur at the ISP level or what is permissible for mobile devices where surveillance may be helpful for containing problems affecting cellular networks. The collection of detailed traffic information helps shape what services and applications are being used, prioritize or re-route traffic based on protocol, etc. If a cellular network cannot monitor (surveillance is the same word) that percentage of individuals who are streaming from a service or watching cat videos from Facebook, it will not be able to adapt its networks to changes. (Think recent conversations on net neutrality and evenly distributed bandwidth.) Once you're looking at the traffic, you can identify the same things the Wassenaar agreement is trying to stop. These surveillance actions include the monitoring of communications to known “bad” locations and the content within, just as well as looking at the latest YouTube video. Surveillance and monitoring are the same thing. It is just what you do with the information once it's gathered.
While I personally agree there needs to be some restrictions on the release of zero day exploits, illegal snooping of personal data, etc., using a physical non-proliferation agreement to expand enforcement for cyber security tools (not weapons unless they are misused) is a mistake. We should be addressing what these tools can be used for (like gun control), along with their distribution and manufacturing potential.”
Mike Brown, Vice President and General Manager RSA Global Public Sector, RSA:
“While at this point I don’t see the larger cybersecurity industry being affected by the Wassenaar Agreement’s proposed rule changes, as it stands the rule could be interpreted much too loosely. For example, one organization’s back door is another’s vulnerability. It’s all about intent, and I think that is the intent of the rule.
Currently, the rule’s definition of intrusion software can mean many things. Technology is going to continue to evolve, so I understand why some in the industry are pushing for the rule to take more of an ambiguous tone. However, better granularity will make it easier for organizations to understand what rules they need to follow, which will ultimately allow them to make better business decisions, as well as operate better in a global environment.”
Jonathan Cran, VP of Operations at Bugcrowd:
“Bug bounties have zero-day exploits submitted on a daily basis from researchers all over the world. These are quickly fixed by the vendor, neutralizing immediate privacy and security threats to everyday Internet users. If the Wassenaar Arrangement is implemented, researchers would be required to obtain an export license before submitting an exploit to a bug bounty. This would be detrimental to the security of the organization, and Internet users in general.
Approximately 33 percent of Bugcrowd researchers are based in the U.S., and if the U.S. implements the agreement as is, it will have a broad and chilling effect on their research. If you aggregate submissions to bug bounty programs, you're talking hundreds of thousands of vulnerability reports. The security and privacy of ordinary Internet users will suffer as a result.
Additionally, we've seen vulnerabilities closed which wouldn't have been discovered or reported if the Wassenaar changes were implemented. A prime example of this: vulnerabilities in Blackphone. Consider the impact of that on those who rely on the privacy and security of that service for personal protection.”
Devin Egan, Co-Founder and CTO, LaunchKey:
“The definition of ‘intrusive software’ in Wassenaar is concerning to companies because they utilize tools that would fall under these restrictions to keep their own software, networks and infrastructure safe. Restricting access to these tools would weaken the security of companies in states complying with Wassenaar while doing nothing to stop a tool’s use and proliferation in other parts of the world.
Additionally, many companies choose to actively encourage researchers to find bugs and report them through bounty programs. Bug bounty programs enable companies to reward researchers while improving their overall security. Wassenaar could cool these relationships by discouraging researchers from engaging in this critical work as the research itself, and providing the exploit, could potentially be criminalized. For these reasons and more LaunchKey will be commenting while they are still accepting feedback on these proposed rules.”
Ivan Shefrin, Vice President of Products at Breach Detection Systems developer TaaSera:
“The proposed ruling will create a great deal of confusion for cybersecurity researchers and vendors alike. The language is confusing because there are differing opinions on the rules proposed by the Bureau of Industry and Security (BIS) to comply with the proposed changes to Wassenaar.
Wassenaar was originally intended to prevent transfer of weapons - physical weapons. The challenge with adding cyber weapons is that it's impossible to distinguish bad from good. For example, the same tool can be used to find vulnerabilities to exploit, as well as vulnerabilities to protect. The BIS rules only make the Wassenaar agreement more restrictive. We fully support the non-proliferation of cyber weapons. However, BIS must find a better way to distinguish between cyber offense and cyber defense.”