Google, Security Firms Warn About Impact of Wassenaar Cybersecurity Rules

Several leading cybersecurity firms have formed a coalition whose goal is to prevent the U.S. Department of Commerce from adopting Wassenaar Arrangement regulations that could have a negative impact on the industry. Google has also submitted comments on the proposed export control rules.

The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a multilateral export control association with 41 participating states. Members have agreed to control the transfer of arms and dual-use goods and technologies in an effort to improve national and international security and stability.

The implementation proposed by the Department of Commerce’s Bureau of Industry and Security (BIS) on May 20 regarding intrusion and surveillance items has been criticized by many experts, particularly because of overbroad definitions.

Google formally submitted comments on Monday, the last day on which the BIS accepted comments on the proposed Wassenaar Arrangement rules.

The search giant believes the proposed changes would have a significant negative impact on the open security research community. The company is also concerned that the rules would affect its ability to defend itself and its customers.

The broad and vague language is one of Google’s main concerns. The company fears that if the changes are adopted, it would have to request thousands or tens of thousands of export licenses.

“Since Google operates in many different countries, the controls could cover our communications about software vulnerabilities, including: emails, code review systems, bug tracking systems, instant messages – even some in-person conversations!” Google said.

Another problem, according to Google, is that there should be standing license exceptions for researchers who want to report vulnerabilities to manufacturers for the purpose of getting them fixed.

Furthermore, Google believes global companies should not have to be concerned about sharing information on intrusion software with employees who are physically located in other countries.

The company has pointed out that not everyone has a skilled team of lawyers ready to help them interpret the complex and confusing controls.

“If BIS is going to implement the proposed controls, we recommend providing a simple, visual flowchart for everyone to easily understand when they need a license,” Google said.

The company believes members of the Wassenaar Arrangement should hold a meeting in December 2015 to fix the scope of the intrusion software controls.

Cyber security firms are also displeased with the proposed changes. That is why Symantec, Ionic Security, FireEye, Synack, Global Velocity, WhiteHat, and others have joined forces in the Coalition for Responsible Cybersecurity.

“These rules, if they were adopted as they stand today, would put the entire U.S. cybersecurity industry—and everyone who relies on that industry for protection—at risk,” commented Cheri McGuire, VP of global government affairs and cybersecurity policy at Symantec. “The rule as written is going to hurt cybersecurity research, slow innovation in cybersecurity technology, and put a damper on cybersecurity information sharing.”

Members of the coalition believe the proposed changes, as drafted by the BIS, would have four major effects on security firms and technologies.

First, they believe research will be curtailed because the rule hinders experts from testing networks and sharing technical details on new security holes across borders. Second, the availability of tools will be constrained due to the restriction of exports.

The proposed changes would also have a negative impact on cybersecurity collaboration because U.S. companies will no longer be able to share information with non-U.S. persons, including their own employees.

As for the impact on technologies, experts believe the network surveillance controls could create difficulties in the development of innovative perimeter security products.

“Inclusion of features and functionality, such as network monitoring and pre-programmed actions, including for example, IP blocking may require a license if sold outside the U.S. and Canada,” members of the coalition noted.

The European Union adopted the rules covering intrusion software in October 2014 and the Wassenaar Arrangement indeed appears to have a negative impact on security research. A student from the University of Northumbria in the UK said he was unable to publish exploits developed as part of his dissertation on bypassing Microsoft EMET 5.1 protections partly due to the Wassenaar Arrangement.