Google, Security Firms Warn About Impact of Wassenaar Cybersecurity Rules

Several leading cybersecurity firms have formed a coalition whose goal is to prevent the U.S. Department of Commerce from adopting Wassenaar Arrangement regulations that could have a negative impact on the industry. Google has also submitted comments on the proposed export control rules.

The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a multilateral export control association with 41 participating states. Members have agreed to control the transfer of arms and dual-use goods and technologies in an effort to improve national and international security and stability.

The implementation proposed by the Department of Commerce’s Bureau of Industry and Security (BIS) on May 20 regarding intrusion and surveillance items has been criticized by many experts, particularly because of overbroad definitions.

Google formally submitted comments on Monday, the last day on which the BIS accepted comments on the proposed Wassenaar Arrangement rules.

The search giant believes the proposed changes would have a significant negative impact on the open security research community. The company is also concerned that the rules would affect its ability to defend itself and its customers.

The broad and vague language is one of Google’s main concerns. The company fears that if the changes are adopted, it would have to request thousands or tens of thousands of export licenses.

“Since Google operates in many different countries, the controls could cover our communications about software vulnerabilities, including: emails, code review systems, bug tracking systems, instant messages – even some in-person conversations!” Google said.

Google also argues that there should be standing license exceptions for researchers who want to report vulnerabilities to manufacturers for the purpose of getting them fixed.

Furthermore, Google believes global companies should not have to be concerned about sharing information on intrusion software with employees who are physically located in other countries.

The company has pointed out that not everyone has a skilled team of lawyers ready to help them interpret the complex and confusing controls.

“If BIS is going to implement the proposed controls, we recommend providing a simple, visual flowchart for everyone to easily understand when they need a license,” Google said.

The company believes members of the Wassenaar Arrangement should hold a meeting in December 2015 to fix the scope of the intrusion software controls.

Cybersecurity firms are also displeased with the proposed changes. That is why Symantec, Ionic Security, FireEye, Synack, Global Velocity, WhiteHat, and others have joined forces in the Coalition for Responsible Cybersecurity.

“These rules, if they were adopted as they stand today, would put the entire U.S. cybersecurity industry—and everyone who relies on that industry for protection—at risk,” commented Cheri McGuire, VP of global government affairs and cybersecurity policy at Symantec. “The rule as written is going to hurt cybersecurity research, slow innovation in cybersecurity technology, and put a damper on cybersecurity information sharing.”

Members of the coalition believe the proposed changes, as drafted by the BIS, would have four major effects on security firms and technologies.

First, they believe research will be curtailed because the rule hinders experts from testing networks and sharing technical details on new security holes across borders. Second, the availability of tools will be constrained due to the restriction of exports.

The proposed changes would also have a negative impact on cybersecurity collaboration because U.S. companies will no longer be able to share information with non-U.S. persons, including their own employees.

As for the impact on technologies, experts believe the network surveillance controls could create difficulties in the development of innovative perimeter security products.

“Inclusion of features and functionality, such as network monitoring and pre-programmed actions, including for example, IP blocking may require a license if sold outside the U.S. and Canada,” members of the coalition noted.

The European Union adopted the rules covering intrusion software in October 2014 and the Wassenaar Arrangement indeed appears to have a negative impact on security research. A student from the University of Northumbria in the UK said he was unable to publish exploits developed as part of his dissertation on bypassing Microsoft EMET 5.1 protections partly due to the Wassenaar Arrangement.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
