A two-year attempt to change the language used in relation to export controls around surveillance software and other hacking tools has collapsed after the US government failed to renegotiate parts of the Wassenaar Arrangement.
The Wassenaar Arrangement is an arms control pact between 41 countries. While most of this refers to conventional arms, in 2013 it was broadened in scope to include surveillance software—or intrusion software as it's branded in the agreement. This wording banned the export of software that could be used to conduct cyber warfare, in particular, tools to exploit and attack vulnerable IT infrastructure.
These changes were set to be implemented by member countries last year in a bid to prevent repressive regimes from gaining access to commercial malware.
Critics have labelled the current language in the agreement as too broad as it includes tools that IT professionals use on a daily basis, such as penetration testing tools and other legitimate security software. It also includes proof-of-concept exploits used during vulnerability research and disclosure. As it stands, the rules as written have not been implemented in the US.
With the talks collapsing, it will now be up to the incoming Trump administration to decide whether to continue renegotiations. It was hoped that the talks would have clarified matters allowing security researchers to participate in events such as Pwn2Own and share research among professionals and academics.
In the US, the bipartisan Congressional Cybersecurity Caucus has urged the incoming administration to continue talks.
Congressman Jim Langevin (D-RI), cofounder and co-chair of the Congressional Cybersecurity Caucus and a senior member of the House Committees on Armed Services and Homeland Security, said in a statement that he was “deeply disappointed that Wassenaar member states declined to make needed updates to the intrusion software controls, particularly those related to technologies necessary for their development.”
“For over a year, I have led my colleagues in Congress in calling for a careful review of these controls, which could harm our nation's cybersecurity by making it more difficult to quickly share defensive tools and close vulnerabilities. The small changes clarifying the role of ‘command and control' functionality that were made at the annual meeting, while needed, are simply insufficient to address the broader flaws in the language.”
Stephen Gates, chief research intelligence analyst at NSFOCUS, told SC Media UK it's well known in cybersecurity circles that ethical hackers, researchers, penetration testers, and security vendors often have tools that can be used to hack, loaded on virtual machines, running on the very laptops they carry.
“These tools are used for ethical purposes to demonstrate how hacks work, and what defences can defeat the various hack tools,” he said.“Ethical hackers and the like must be made aware of the fact, if they travel internationally, and enter a country where these tools are identified as ‘weaponry', these individuals could face criminal charges and other possible penalties. Best to remove the tools, before you travel.”