The Wassenaar Arrangement is a multilateral export control regime designed to prevent the trans-national proliferation of weapons. There are 41 participating states, including 26 independent members of the European Union (plus the UK). The EU, per se, does not participate.
In 2013 the export-restricted technologies were expanded to include internet-based surveillance systems including ‘intrusion software’. The wording, however, does not adequately differentiate between intrusion software for beneficial purposes and intrusion software for malevolent purposes. Despite recent changes, the wording remains broad and potentially harmful to the cybersecurity industry and security research community.
The intention was to make it harder for companies such as FinFisher GmbH and HackingTeam to provide surveillance technology to repressive regimes for use against dissidents. These products can still be exported, but only with a valid export license. The wording of the Wassenaar Arrangement, however, potentially prohibits the export of penetration testing technology designed to strengthen network security.
Four Members of Congress wrote (PDF) to the US Bureau of Industry and Security in July 2015: “We see two significant challenges in applying the deemed export rules to these technologies. Third parties often disclose vulnerabilities to anonymous email addresses established specifically for this purpose. A security researcher thus has no way of knowing who precisely will see the disclosure. Requiring a careful chain of custody for researchers to ensure they don’t inadvertently “export” a vulnerability by sharing it with foreign national employed by a developer could easily disrupt the entire reporting ecosystem… [and] Companies may be unable to share threat data with their own international affiliates, at least not in a timely manner.”
The second issue is particularly relevant to global organizations. For example, Harley Geiger, director of public policy at Rapid7, warns that Wassenaar’s “broad description could result in security researchers and companies having to obtain export licenses in order to share exploit code across borders. Sharing this kind of information is currently a relatively routine part of identifying and mitigating security vulnerabilities.”
It could even imply, he told SecurityWeek, that “multi-national organizations could need to obtain an export license to transfer penetration software between its own subsidiaries in different countries around the globe.”
The problematic language within the Arrangement is particularly disturbing for the US, with its large number of global technology companies. For the last year a US delegation has sought to change the wording of the Arrangement to allow ‘legitimate’ trans-national transfer of, for example, exploit code (between researchers) and penetration testing code (within organizations).
Changes to the Arrangement require the agreement of all 41 members — more than half of which are members of the European Union. December’s meeting agreed some minor wording changes, but did not agree to the US requests. As a result, all of the existing concerns about the effect of the Arrangement on legitimate security research remain.
“I am deeply disappointed that Wassenaar member states declined to make needed updates to the intrusion software controls, particularly those related to technologies necessary for their development,” said Congressman Jim Langevin in a statement issued Monday.
“This year’s #Wassenaar outcomes were a bummer. Let’s hope the next administration supports us continuing the efforts,” tweeted Katie Moussouris, CEO of Lutasecurity and an industry advisor to the US delegation.
Some people pointed at the EU for the failure. @marasawr tweeted, “If there’s a 1-line answer to ‘What fscked Wassenaar?’, it’s probably ‘EC No. 428/2009’.” Regulation 428/2009 (PDF) is the EU’s own ‘dual-use’ regime.
In July, a leaked draft proposal shows that the European Commission has embarked on updating 428/2009. However, early assumptions are that it will not clarify the legitimate use of intrusion software.
“A potential unintended consequence of this type of dual-use regulation,” F-Secure security advisor Erka Koivunen told SecurityWeek, “would be that security researchers would not be able to collaborate, share information or publish their results in fear of breaching the rules. It is not clear at this stage whether this is an unfounded fear, but I think it is correct to say that as a company we are following this regulation carefully.”
For the moment, it looks as if the EU is intent on maintaining the existing Wassenaar approach, rather than solving the terminology issues. This could be down to motivations. The primary driver for the EU approach is political, while the primary driver for the US approach is economic.
However, while business and security researchers might be disappointed in the limited changes to Wassenaar, things certainly aren’t worse than they have been.
“We shouldn’t panic over this,” Katie Moussouris told SecurityWeek. “It’s a disappointment, less than we wanted to accomplish this round, but we already knew we’d need to go back next year for additional work on the language. The only question is whether the next administration supports us continuing. The bipartisan Congressional Cybersecurity Caucus supports and recommends us going forward with renegotiations next year — so let’s hope the advice is heeded.”