Adding Exploits to Wassenaar Is Bad for Security, Says the Industry
The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) has published a proposal for the implementation of the Wassenaar Arrangement with regard to cyber intrusion and surveillance systems. Experts are worried about the negative effects of these rules on the industry.
The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a multilateral export control regime with 41 participating states. The goal is to promote transparency and greater responsibility in the transfer of arms and dual-use goods and technologies in an effort to improve national and international security and stability.
In December 2013, intrusion software was added to the list of regulated technologies in an effort to protect activists and dissidents who might be targeted by totalitarian regimes. The European Union adopted these changes in October 2014 and now the United States wants to do the same.
The BIS published its proposal last week and is requesting comments on the matter over the next two months.
The main problem with the Wassenaar Arrangement’s intrusion software clause is that the definition of intrusion software is overbroad.
Intrusion software is defined as “software specially designed or modified to avoid detection by ‘monitoring tools’, or to defeat ‘protective countermeasures’, of a computer or network capable device, and performing any of the following: a) The extraction of data or information, from a computer or network capable device, or the modification of system or user data; or b) The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.”
In a blog post published on Monday, the Switzerland-based security researcher known as Halvar Flake pointed out that any proof-of-concept (PoC) exploit that defeats a protection system and achieves code execution falls under this definition.
“Even worse — by using a formulation such as ‘standard execution path’ without properly defining how this should be interpreted, it casts a shadow of uncertainty over all experimentation with software. Nobody can confidently state that he knows how this will be interpreted in practice,” the researcher said.
Some had hoped that, since the United States had delayed its implementation of the new Wassenaar rules, it would use the extra time to address the overbroad definition.
“After the E.U. adopted the 2013 changes in October 2014, we speculated that the delay by BIS beyond its announced September 2014 date for releasing a proposed rule was that it perhaps was struggling with the impact of Wassenaar’s overbroad definition of ‘intrusion detection software.’ But we were wrong,” Robert Clifton Burns, counsel at business and litigation firm Bryan Cave LLP, wrote in a blog post on Lexology.
“The proposed rule adopts the Wassenaar changes without clarification of the scope of coverage of intrusion detection software. Instead, the delay seems to have been wholly occasioned by housekeeping matters: specifying the reasons for control, deciding that no license exceptions would apply, and so forth,” he added.
Yahoo’s Chief Information Security Officer Alex Stamos says he will file comments on the proposal and get Yahoo to do it as well.
“The redirection of some of infosec’s greatest minds towards selling weapons is a travesty, but this isn’t the solution,” Stamos said on Twitter.
“The complete moral abdication by some people I otherwise greatly respect is saddening, but not shocking. Money changes people,” Stamos noted. “Still, we should fight speech with more speech, and code with more code, not laws.”
Many members of the security industry are concerned about the impact of adding exploits to the Wassenaar Arrangement. Halvar Flake has highlighted that the addition of exploits gives governments the means to control public security research, encourages the sale of exploits to local governments while making cross-border collaborative research risky, and provides a way to prohibit white hats from disseminating attack tools found on compromised computers. The expert also believes the changes could lead to the fragmentation, balkanization and even militarization of the public security research community.
“The intention of those that supported the amendment to Wassenaar was to protect freedom of expression and privacy worldwide; unfortunately, their implementation achieved almost the exact opposite,” wrote Halvar Flake. “With friends of such competence, freedom does not need enemies. The changes to Wassenaar need to be repealed, along with their national implementations.”
Errata Security’s Robert Graham believes the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) are partly responsible.
“Today’s Wassenaar proposal to limit 0days — and thereby virtually all cybersecurity products — is partly the result of lobbying by the ACLU and EFF. The principal technologist of the ACLU called 0day sellers ‘merchants of death’. The EFF called for 0day sales to governments to be the center of any policy debate on cybersecurity,” Graham said. “Yet, they deny responsibility for Wassenaar — because the regulations go too far, and appear to restrict virtually all cybersecurity software and any free speech on the topic. These groups now back off and claim they never called for 0day restrictions in the first place.”
EFF representatives said they are preparing a statement on the matter.