Wassenaar Arrangement 'inhibits international cyber-security efforts'

Wassenaar: inhibiting the world trade in 1s and 0s?
Wassenaar: inhibiting the world trade in 1s and 0s?

The Wassenaar Arrangement controlling the sale of technology and software which could be used as weapons is threatening the choke the cyber-security industry, according to a consortium of cyber-security companies.

The Coalition for Responsible Cybersecurity, supported by Microsoft among others, agrees with the principle of Wassenaar but believes that when it comes to cyber-security it “misses the mark”.

“Because the regulation is so overly broad, it would require cyber responders and security researchers to obtain an export license prior to exchanging essential information to remediate a newly identified network vulnerability, even when that vulnerability is capable of being exploited for purposes of surveillance,” wrote Alan Cohn from the CRC on a Microsoft blog.

This view was reinforced by Microsoft assistant general counsel Cristin Goodwin who was speaking at the RSA Asia Pacific Security conference in Singapore. She said, in its current form, Wassenaar would force Microsoft to apply for 3800 arms export licenses in a year.

The Wassenaar Arrangement has 41 signatory countries. Member states voted to begin controlling cyber-security tools in December 2013, starting with intrusion software.  

Goodwin, alongside Symantec director of government affairs Brian Fletcher, told the audience at RSA that it's difficult to untangle the complexities of Wassenaar because of the secrecy that surrounds the negotiations and the resulting policies.

She complained also that the technical advisory committee have historically failed to engage on cyber-security issues.

The significant consequence of Wassenaar is to impede the ability of the international cyber-security community to respond in a timely manner to threats and attacks, Fletcher and Goodwin claimed.

This includes inhibiting the sharing of proof-of-concept and exploit code, creation and use of pen testing tools, deploying response teams and consultants and even sharing information within a company across national boundaries.

The procedures and rules for licensing equipment and software for export also differs from country to country, further complicating the issue, they said.

They argued that the cyber-security community needs a seat at the table with a view to creating a process that works for the cyber-security industry rather than attempting to shoehorn it into the mould of the traditional arms control discussion.

Last year, Hewlett-Packard (HP) and its Zero Day Initiative (ZDI) team pulled their sponsorship of the Pwn2Own hacking competition in Japan this year over confusion about the Wassenaar Arrangement and difficulty in meeting its standards.

Harley Geiger, director of Public Policy at Rapid7, told SCMagazineUK.com, "The Wassenaar Arrangement was intended to help prevent malware and cyber weapons from falling into the hands of bad actors and repressive regimes. However, as originally written, the agreement and the proposed US export controls that followed risked imposing significant new licensing requirements on legitimate cyber-security activity, such as security research, info sharing, systems testing and more.

“Cyber-security is a global problem that requires cross-border collaboration. The US government now seems to recognise these risks and is negotiating for improvements to the Arrangement. We are hopeful that the Arrangement will be revised to better protect the development of needed and beneficial cyber-security tools – but recognise that getting consensus among all the countries participating in the Arrangement will not be easy."

Steve Armstrong, managing director at Logically Secure, said, “Until this agreement is clarified and properly worded to allow for defenders to share information, it could become the International version of the Anti-Hacking law that saw large numbers of security researchers leaving or moving their data out of Germany in 2007. Vague and incomplete regulations prevent information exchange and allow certain regimes to apply inappropriate pressure on honest researchers with relative impunity.

“With relatively low burden-of-proof requirements, these proposed amendments are a worrying addition to already complex regulations. Given the cautionary comments already submitted I believe that this whole arrangement needs considerably more public and international scrutiny than it has thus far been afforded.”

Graham Mann, managing director at Encode Group UK, said, "This is a great example of the complexity of international law-making and the unintentional consequences when you get it wrong. The intrusion software export controls of the Wassenaar Arrangement were created to stop the cross-border proliferation of cyber-weapons. Inadvertently, in its current form, the legislation will negatively impact the ‘white hat' community. We are already fighting a losing battle in cyber-warfare and could do without this own goal. At least it seems that the US legislators have now understood what the issues are but the international legislative train left the station some time ago. The task now is to convince the other legislative groups around the globe, like the EU, to change their own derivative versions."