Experts Concerned About Effects of Proposed Wassenaar Cybersecurity Rules

Adding Exploits to Wassenaar Is Bad for Security, Says the Industry

The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) has published a proposal for the implementation of the Wassenaar Arrangement with regard to cyber intrusion and surveillance systems. Experts are worried about the negative effects of these rules on the industry.

The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a multilateral export control regime with 41 participating states. The goal is to promote transparency and greater responsibility in the transfer of arms and dual-use goods and technologies in an effort to improve national and international security and stability.

In December 2013, intrusion software was added to the list of regulated technologies in an effort to protect activists and dissidents who might be targeted by totalitarian regimes. The European Union adopted these changes in October 2014 and now the United States wants to do the same.

The BIS published its proposal last week and is requesting comments on the matter over the next two months.

The main problem with the Wassenaar Arrangement’s intrusion software clause is that the definition of intrusion software is overbroad.

Intrusion software is defined as “software specially designed or modified to avoid detection by ‘monitoring tools’, or to defeat ‘protective countermeasures’, of a computer or network capable device, and performing any of the following: a) The extraction of data or information, from a computer or network capable device, or the modification of system or user data; or b) The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.”

In a blog post published on Monday, the Switzerland-based security researcher known as Halvar Flake pointed out that any proof-of-concept (PoC) exploit that defeats a protection system and achieves code execution falls under this definition.

“Even worse — by using a formulation such as ‘standard execution path’ without properly defining how this should be interpreted, it casts a shadow of uncertainty over all experimentation with software. Nobody can confidently state that he knows how this will be interpreted in practice,” the researcher said.

Some had hoped that since it delayed implementation of the new Wassenaar rules, the United States would address the issue of the overbroad definition.

“After the E.U. adopted the 2013 changes in October 2014, we speculated that the delay by BIS beyond its announced September 2014 date for releasing a proposed rule was that it perhaps was struggling with the impact of Wassenaar’s overbroad definition of ‘intrusion detection software.’ But we were wrong,” Robert Clifton Burns, counsel at business and litigation firm Bryan Cave LLP, wrote in a blog post on Lexology.

“The proposed rule adopts the Wassenaar changes without clarification of the scope of coverage of intrusion detection software. Instead, the delay seems to have been wholly occasioned by housekeeping matters: specifying the reasons for control, deciding that no license exceptions would apply, and so forth,” he added.

Yahoo’s Chief Information Security Officer Alex Stamos says he will file comments on the proposal and get Yahoo to do it as well.

“The redirection of some of infosec’s greatest minds towards selling weapons is a travesty, but this isn’t the solution,” Stamos said on Twitter.

“The complete moral abdication by some people I otherwise greatly respect is saddening, but not shocking. Money changes people,” Stamos noted. “Still, we should fight speech with more speech, and code with more code, not laws.”

Many members of the security industry are concerned about the impact of adding exploits to the Wassenaar Arrangement. Halvar Flake has highlighted that the addition of exploits provides governments the means to control public security research, it encourages the sale of exploits to local governments while making cross-border collaborative research risky, and it provides a way to prohibit white hats from disseminating attack tools found on compromised computers. The expert also believes the changes could lead to the fragmentation, balkanization and even militarization of the public security research community.

“The intention of those that supported the amendment to Wassenaar was to protect freedom of expression and privacy worldwide; unfortunately, their implementation achieved almost the exact opposite,” wrote Halvar Flake. “With friends of such competence, freedom does not need enemies. The changes to Wassenaar need to be repealed, along with their national implementations.”

Errata Security’s Robert Graham believes the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) are partly responsible.

“Today’s Wassenaar proposal to limit 0days — and thereby virtually all cybersecurity products — is partly the result of lobbying by the ACLU and EFF. The principal technologist of the ACLU called 0day sellers ‘merchants of death’. The EFF called for 0day sales to governments to be the center of any policy debate on cybersecurity,” Graham said. “Yet, they deny responsibility for Wassenaar — because the regulations go too far, and appear to restrict virtually all cybersecurity software and any free-speech on the topic. These groups now back off and claim they never called for 0day restrictions in the first place.”

EFF representatives said they are preparing a statement on the matter.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.