Proposed Wassenaar pact changes will harm cyber defenders instead of attackers

The comment period for the proposed amendments to the Wassenaar Arrangement regarding “cybersecurity items” has ended, and the overwhelming majority of the 150+ comments submitted are negative.

As a reminder: the Wassenaar Arrangement includes 41 participating states, and was established to help promote transparency and responsibility in transfers of conventional arms and dual-use goods and technologies.

The US Commerce Department’s Bureau of Industry and Security (BIS) proposes to implement the agreements by the Wassenaar Arrangement at the Plenary meeting in December 2013 with regard to cybersecurity items, and a license requirement for the export, reexport, or transfer of these items to all destinations (except Canada).

The new amendments have been contested by the likes of companies like Google, but also by a number of security researchers.

Google considers the new rules to be dangerously broad and vague, and an obstacle to sharing intrusion information globally. “If we have information about intrusion software, we should be able to share that with our engineers, no matter where they physically sit,” Neil Martin, Export Compliance Counsel for Google and Tim Willis from the Chrome Security Team explained.

The company also worries that the proposed rules would negatively affect vulnerability research and would prove as a deterrent for security researchers that report vulnerabilities, exploits, or other controlled information to manufacturers. Bug bounty programs would also come in question.

“We believe that these proposed rules, as currently written, would have a significant negative impact on the open security research community. They would also hamper our ability to defend ourselves, our users, and make the web safer. It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure,” they noted.

Well known security researchers Jonathan Zdziarski and Charlie Miller also submitted their comments.

“The tools and techniques I have developed are by no means ‘intrusion’ tools, however due to the excessively broad nature of the Wassenaar proposal, would fall under its regulations as they bypass security mechanisms of devices and collect information from them,” says forensics expert Zdziarski.

“As all of my research is done personally, I have no large company with lawyers to address the impossible spider web of export regulations that would be introduced by Wassenaar. The current proposal as is would harm far more than simply the information security industry, but would also greatly damage the forensics industry and ultimately limit the quality of tools available to law enforcement agencies for conducting lawful forensics.”

“Had Wassenaar been place in 2008, I would not have felt as though I could openly share my research publicly without risk of prosecution, which would have deprived the community as a whole – including the United States – of valuable information that has led to the greater good,” he concluded.

“The proposed rule regarding exploitation licensing would outlaw almost everything I do and have done in my professional career,” Charlie Miller commented, and explained: “In its simplest form, I discover new vulnerabilities, new techniques to exploit systems, etc and then discuss this with the manufacturer in question, give talks and write papers about these vulnerabilities/techniques so that as a community, we can get better and improve the state of information security everywhere.”

“Attackers will always continue to find new techniques and vulnerabilities and they are not hindered by laws which limit sharing. Only defenders will be penalized by limiting sharing of technical details of vulnerabilities and techniques,” he pointed out.