US to renegotiate rules on exporting intrusion software. Rapid7's comments on the Wassenaar Arrangement proposed. Join us for an interactive panel on August 6 where members of our community will dive into how the Wassenaar Arrangement will affect the larger security industry. It defined such software as programs capable of extracting or modifying data and other hacking. The fuzzy analytical meaning of intrusion software during the 2010s Wassenaar debate, inferred from the Department of Commerce (2015) and the Wassenaar Arrangement (2018). For summarizing the key observations and ambiguities, an analytical conceptual model is presented in Fig. In December, new export control rules for computer network intrusion software were published by the Wassenaar Arrangement, an international. Wassenaar Arrangement: 41-member multilateral export control regime. The former is dangerous because Wassenaar fails to make the impossible distinction between intrusion software. Dec 21, 2017: Infosec controls relaxed a little after latest Wassenaar meeting. Controlled items put security research and defense at risk. How the Wassenaar Arrangement threatens responsible. The Wassenaar Arrangement was established to contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations. The United States successfully negotiated research-use exceptions to export controls on surveillance tools at the December 2017 meeting of the Wassenaar Arrangement, a club of advanced economies. In numerous press declarations, the Hacking Team CEO argues that his company respects international law, and notably the Wassenaar Arrangement, triggering numerous debates on the topic.
Microsoft's comments on the proposed rule under the. May 02, 2016: SC Media home security news features unsuitable addendum. Participating states seek, through their national policies, to ensure that transfers of these items do not contribute to the development or enhancement of military capabilities which undermine these goals, and are not. As a September technical meeting of Wassenaar export control group countries draws closer, sources believe members of the arms control organization will coalesce around language narrowing the scope. Coalition for Responsible Cybersecurity, BSA The Software. Rethinking intrusion software control and regulation. In anticipation of additional technical discussions that Wassenaar Arrangement participating states will be having on the intrusion software control, we offer these thoughts publicly to government policymakers engaged in those discussions and welcome engagement on this topic from the. Compiled by the Wassenaar Arrangement Secretariat, December 2019.
How the Wassenaar Arrangement threatens responsible vulnerability disclosures. This paper analyzes a recent debate on regulating cyber. May 29, 2015: In short, security researchers and research activities such as sharing of discovered exploits should be excluded from the new export controls of the Wassenaar Arrangement around intrusion software since doing so restricts and causes harm to the proper functioning of the community. Jul 07, 2015: How the Wassenaar Arrangement threatens responsible vulnerability disclosures. The Wassenaar Arrangement defines intrusion software as technology used to avoid detection by monitoring tools or. The 20 revision added intrusion software to Wassenaar's list of controlled goods. May 21, 2015: The broad definition of intrusion software could mean that we end up with control of commonplace research, as opposed to the technologies the Wassenaar Arrangement set out to control. In 20, the Wassenaar Arrangement on export controls for conventional arms and dual. The United States government wants to take intrusion software out of the global Wassenaar Arrangement over concerns it could outlaw currently legitimate security tools and research. The Bureau of Industry and Security (BIS) proposes to implement the agreements by the Wassenaar Arrangement (WA) at the plenary meeting in December 20 with regard to systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software. The Wassenaar Arrangement's language on intrusion so. Controls would not apply to intrusion software itself.
US-backed effort to ease software export limits fails Wassenaar Arrangement. Three years ago, the Wassenaar Arrangement, an international arms control pact, placed restrictions on the exports of certain intrusion software tools. Jul 24, 2015: By Cristin Goodwin, Senior Attorney, Microsoft. The Hacking Team data leak shed light on the business of zero-days and intrusion software, notably in countries such as Ethiopia, Sudan, Russia or Kazakhstan. The Wassenaar Arrangement (Wassenaar or WA) on export controls for conventional arms and dual-use goods and technologies is a group of 41 like-minded states committed to promoting responsibility and transparency in the global arms trade, and preventing destabilizing accumulations of arms. In December, new export control rules for computer network intrusion software were published by the Wassenaar Arrangement, an international body that governs trade in goods with military and. Rethinking intrusion software, Microsoft Cybersecurity. The Wassenaar Arrangement, BSA The Software Alliance. Moussouris wrote an op-ed in Wired criticizing the move as harmful to the vulnerability disclosure industry due to the overly broad definition and encouraged security experts to write in to. Katie Moussouris is an American computer security researcher, entrepreneur. Software specially designed or modified to avoid detection by monitoring tools, or to defeat protective countermeasures, of a computer or network-capable device, and performing any of the. But rather than control intrusion software itself, the arrangement put export controls.
Wassenaar defined intrusion software as software specially designed or modified to avoid detection by monitoring tools, or to defeat protective countermeasures and that either extracted data from a computer or network device or modified the standard execution path of a program to allow the execution of externally provided instructions. In 20, members of the Wassenaar Arrangement agreed to impose export controls on hardware and software specially. May 09, 2016: While well-intentioned, the Wassenaar Arrangement's intrusion software control was imprecisely drafted, said Langevin in the February statement, and it has become evident that. The Coalition for Responsible Cybersecurity, together with BSA The Software Alliance, applauds the efforts of the U. SC Media home security news features unsuitable addendum. The background relates to the amending of the international Wassenaar Arrangement with offensive cyber security technologies known as intrusion software. Jul 20, 2015: Join us for an interactive panel on August 6 where members of our community will dive into how the Wassenaar Arrangement will affect the larger security industry. Without much fanfare, negotiators crafting changes to the Wassenaar Arrangement earlier this month moved to make things easier for infosec white hats.
In 20, the Wassenaar Arrangement, a 41-country international forum that seeks consensus among its members on dual-use export controls, adopted new controls on intrusion software and carrier class. The broad definition of intrusion software could mean that we end up with control of commonplace research, as opposed to the technologies the Wassenaar Arrangement set out to. In 20, members of the Wassenaar Arrangement agreed to impose export controls on hardware and software specially designed or modified for the generation, operation or delivery of, or communication with intrusion software. Wassenaar Arrangement defines intrusion software and thus also. Why Wassenaar Arrangement's definitions of intrusion software. Many of you may have heard about the recent debate regarding the U. May 28, 2015: The Wassenaar Arrangement includes controls for technology connected to intrusion software. Department of Commerce's proposed rule to implement the Wassenaar Arrangement 20 plenary agreement on intrusion and.
While well-intentioned, the Wassenaar Arrangement's intrusion software control was imprecisely drafted, said Langevin in the February statement, and it has become evident that. In 20, the Wassenaar Arrangement, a 41-country international forum that seeks consensus among its members on dual-use export controls, adopted new controls on intrusion software and carrier class network surveillance tools. Rethinking intrusion software control and regulation. In anticipation of additional technical discussions that Wassenaar Arrangement participating states will be having on the intrusion software control, we. Microsoft's comments on the proposed rule under the Wassenaar. Participating states seek, through their national policies, to. What does the addition of intrusion software to the list of dual-use controlled items mean for security research, bug bounty programs and our overall privacy. In 20, the Wassenaar Arrangement on export controls for conventional arms and dual-use goods and technologies was amended to include intrusion software. What does the addition of intrusion software to the list of dual-use controlled items mean for security research, bug bounty programs. The department had been engaged in a months-long standoff with the departments of. The proposal addressed a new type of cyber weapons known as intrusion. These export controls, requirements that organizations selling or sending technologies with potential military applications abroad obtain a license from the Commerce. New changes to Wassenaar Arrangement export controls will. Today I participated in the Center for Strategic and International Studies (CSIS) discussion on decoding the BIS proposed rule for intrusion. Rapid7's comments on the Wassenaar Arrangement proposed rule.
Today I participated in the Center for Strategic and International Studies (CSIS) discussion on decoding the BIS proposed rule for intrusion software platforms and the important topic of the Department of Commerce's proposed rule on intrusion software under the Wassenaar Arrangement. Why Wassenaar Arrangement's definitions of intrusion software and. In this post, I describe the original Wassenaar export controls. The modification of the standard execution path of a program or. Katie Moussouris is the chief policy officer for HackerOne, a platform provider for coordinated vulnerability response and structured bounty programs.
Implicitly, such software is related to previously unregulated software vulnerabilities and exploits, which also make the ongoing debate particularly relevant. Silicon Valley squares off with White House over arms. For the past two months, the Department of Commerce's Bureau of Industry and Security (BIS) has been running a public consultation to solicit feedback on its proposal for implementing. In May 1996, 41 countries came to Wassenaar, a small town in the Netherlands, to sign what was to be called the. Why an arms control pact has security experts up in arms, Wired. The Bureau of Industry and Security (BIS) proposes to implement the agreements by the Wassenaar Arrangement (WA) at the plenary meeting in December 20 with regard to systems, equipment or. May 25, 2015: Guest blog by James Gannon, Director and Principal of Cyber Invasion, Ltd. The Wassenaar Arrangement on export controls for conventional arms and dual-use goods and technologies is a multilateral export control regime (MECR) with 42 participating states including. Mar 02, 2016: US to renegotiate rules on exporting intrusion software. Infosec controls relaxed a little after latest Wassenaar meeting. Wassenaar Arrangement control implementation, NIST computer. Jun 08, 2015: Bug bounties in crosshairs of proposed US Wassenaar rules. Guest blog by James Gannon, Director and Principal of Cyber Invasion, Ltd. Cybersecurity and the Wassenaar Arrangement: what needs.
Jul 24, 2015: For the past two months, the Department of Commerce's Bureau of Industry and Security (BIS) has been running a public consultation to solicit feedback on its proposal for implementing export controls for intrusion software under the Wassenaar Arrangement. Bug bounties in crosshairs of proposed US Wassenaar rules. In 20, members of an export control regime known as the Wassenaar Arrangement were concerned about hackers using certain types of tools to violate human rights and threaten national. The Wassenaar Arrangement was established on 12 July 1996 in Wassenaar, the Netherlands by 33 founding members to contribute to regional and international security and stability. Confusion over the Department of Commerce's proposed implementation of the latest changes to the Wassenaar Arrangement's export controls continues. The modification of the standard execution path of a program or process. Mar 01, 2016: The United States government wants to take intrusion software out of the global Wassenaar Arrangement over concerns it could outlaw currently legitimate security tools and research. In December, new export control rules for computer network intrusion software were published by the Wassenaar Arrangement, an international body that governs trade in goods with. For those of you who are new to the debate over Wassenaar and would like to know just what it is and why you might care about it, click here for our.
India is keen to join the world's export control regimes, all four of them including the Wassenaar Arrangement, as part of its efforts at integrating with the global non-proliferation architecture. In May 1996, 41 countries came to Wassenaar, a small town in the Netherlands, to sign what was to be called the Wassenaar Arrangement on export controls for conventional arms and dual-use goods and technologies. Wassenaar is an arms-control pact in which more than 40 nations agreed to limit the export of certain types of weaponry and dual-use products. Federal Register: Wassenaar Arrangement 2016 plenary. The Wassenaar Arrangement's first foray into cybersecurity export controls has created a multitude of unintended consequences and implementation challenges. Infosec controls relaxed a little after latest Wassenaar. Department of Commerce's proposed rule to implement the Wassenaar Arrangement 20 plenary agreement on intrusion and surveillance software (RIN 0694-AG49), as published in 80 Fed. To resolve these, Microsoft proposes to evolve the intrusion software control over time to a narrowly tailored and well understood control that can help protect those involved in human rights advocacy, and protecting our security online. Jun 12, 2015: Confusion over the Department of Commerce's proposed implementation of the latest changes to the Wassenaar Arrangement's export controls continues.
Implicitly, such software is related to previously unregulated software. Commerce Department FAQ on proposed Wassenaar implementation. The Wassenaar Arrangement is a 41-country, voluntary export control agreement. US-backed effort to ease software export limits fails.