The only way to fix the scope of the intrusion software controls is to do it at the annual meeting of Wassenaar Arrangement members in December 2015. Dec 21, 2016: "I am deeply disappointed that Wassenaar member states declined to make needed updates to the intrusion software controls, particularly those related to technologies necessary for their development," said Congressman Jim Langevin in a statement issued Monday. Wassenaar Arrangement decides to make India its member. Wassenaar allies to include generally available encrypted software has not prevented the Clinton administration the. Cybersecurity industry remains concerned over Wassenaar. The WA membership is also expected to build up a strong case for. Last month, changes to the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (Wassenaar Arrangement) placed zero-days, other computer exploits, and potentially more categories of software under this multilateral export control regime. Why Wassenaar Arrangement's definitions of intrusion software and. Dec 21, 2016: Wassenaar weapons pact talks collapse leaving software exploit exports in limbo.
Software specially designed or modified for the development or. On May 20th 2015, the Bureau of Industry and Security (BIS) published its proposal for implementing new export controls under the Wassenaar Arrangement. The broad definition of intrusion software could mean that we end up with control of commonplace research, as opposed to the technologies the Wassenaar Arrangement set out to. Why an arms control pact has security experts up in arms (Wired). The decision was taken at the two-day plenary meeting of the grouping in Vienna. Wassenaar Arrangement recommendations for cybersecurity. Changes to export control arrangement apply to computer. Jan 16, 2018: In December, new export control rules for computer network intrusion software were published by the Wassenaar Arrangement, an international body that governs trade in goods with military and. To resolve these, Microsoft proposes to evolve the intrusion software control over time to a narrowly tailored and well understood control that can help protect those involved in human rights advocacy, and protecting our security online. As a result of the 20 addition, the Wassenaar Arrangement requires restrictions on exports for technology, software, and systems that develop or operate intrusion software. The Wassenaar Arrangement's first foray into cybersecurity export controls has created a multitude of unintended consequences and implementation challenges. Mar 18, 2016: As a result of the 20 addition, the Wassenaar Arrangement requires restrictions on exports for technology, software, and systems that develop or operate intrusion software. India joins elite multilateral export control regime.
May 22, 2015: Marsh Ray, a prominent security software developer, says the controls would change the entire industry, causing problems for even defensive security researchers. These items were added to the Wassenaar Arrangement's control list of dual use. Jul 07, 2015: Of note, Italy is a signatory to the Wassenaar Arrangement. In December, new export control rules for computer network intrusion software were published by the Wassenaar Arrangement, an international body that governs trade in goods with. Products designed for penetration testing are included. The former is dangerous because Wassenaar fails to make the impossible distinction between intrusion software that is necessary to test security and intrusion software intended to be used for malicious or government intelligence purposes. The provision would cover the software toolkits that companies sell to law enforcement and intelligence agencies to carry out intrusive surveillance; see for example Hacking Team's notorious RCS package. Google just joined the fight against the controversial new export regulations known as the Wassenaar Arrangement. Today I participated in the Center for Strategic and International Studies (CSIS) discussion on decoding the BIS proposed rule for intrusion software platforms and the important topic of the Department of Commerce's proposed rule on intrusion software under the Wassenaar Arrangement.
The international rules that have the security world on alert. Apr 07, 2020: After nearly a year of protests from the facts security industry, security researchers, and others, US officers have introduced that they plan to renegotiate rules at the trade of tools related to intrusion software. Intrusion and surveillance items, released in the Federal Register on May 20, 2015. On July 5, 2015, a 400 GB document dump of files from Hacking Team, including emails and financial data, was shared on BitTorrent. We believe that these proposed rules, as currently written, would have a significant negative impact on the open security research community. Rethinking intrusion software (Microsoft Cybersecurity).
The Wassenaar Arrangement, also known as Export Controls for Conventional Arms and Dual-Use Goods and Technologies, is an international arms-control agreement among 41 nations, including most of. May 29, 2015: In doing so, they also try to restrict information that may be used to develop intrusion software. May 21, 2015: The broad definition of intrusion software could mean that we end up with control of commonplace research, as opposed to the technologies the Wassenaar Arrangement set out to control. Katie Moussouris is an American computer security researcher, entrepreneur, and pioneer in vulnerability disclosure, and is best known for her ongoing work advocating responsible security. US-backed effort to ease software export limits fails.
The Bureau of Industry and Security (BIS) proposes to implement the agreements by the Wassenaar Arrangement (WA) at the plenary meeting in December 20 with regard to systems, equipment or. To resolve these, Microsoft proposes to evolve the intrusion software control over time to a narrowly tailored and well understood control. When the Wassenaar Arrangement plenary agreed to add intrusion software to the annex, it was exactly technologies like Hacking Team's that the members intended to regulate. The Wassenaar Arrangement's intrusion software clauses are intended to.
While well-intentioned, the Wassenaar Arrangement's intrusion software control was imprecisely drafted, and it has become evident that there is simply no way to interpret the plain. The Hacking Team data leak shed light on the business of zero-days and intrusion software, notably in countries such as Ethiopia, Sudan, Russia or Kazakhstan. Sep 20, 2016: This September, representatives from Wassenaar member states will continue deliberations on the intrusion software control. Response to the US proposal for implementing the Wassenaar. But rather than control intrusion software itself, the arrangement put export controls on software, systems or equipment that interacted with intrusion software. In 20, the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies was amended to include intrusion software. Wassenaar Arrangement: wording is everything (UHWO Cyber). In December, new export control rules for computer network intrusion software were published by the Wassenaar Arrangement, an international body that governs trade in goods with military and. I am deeply disappointed that Wassenaar member states declined to make needed updates to the intrusion software controls, particularly those related to technologies necessary for. The Wassenaar Arrangement (Wassenaar or WA) on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a group of 41 like-minded states committed to promoting responsibility. These items were added to the Wassenaar Arrangement's control list of dual-use technologies: technologies that can be used maliciously or for legitimate purposes. Moussouris wrote an op-ed in Wired criticizing the move as harmful to the vulnerability disclosure industry due to the overly broad definition and encouraged security experts to write in to. Controls would apply only to systems that generate, operate, deliver and communicate with intrusion software. India has become the 42nd member of the Wassenaar Arrangement (WA).
The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a multilateral export control regime (MECR) with 42 participating states including. The Wassenaar Arrangement's first foray into cybersecurity export controls has created a multitude of unintended consequences and implementation challenges. Wassenaar Arrangement 20 plenary agreements implementation. Wassenaar Arrangement is a multilateral export control regime.
Today I participated in the Center for Strategic and International Studies (CSIS) discussion on decoding the BIS proposed rule for intrusion. US to renegotiate rules on exporting intrusion software. Wassenaar weapons pact talks collapse leaving software. Since I wrote about Microsoft's comments on the proposed rule under the Wassenaar Arrangement, Microsoft has been continuing to work with the Wassenaar member states and the. The Wassenaar Arrangement was established to contribute to regional and international security and stability by. The international rules that have the security world on. Controlled items put security research and defense at risk. These export controls, requirements that organizations selling or sending technologies with potential military applications abroad obtain a license from the Commerce.
Today, the company posted an open letter raising serious concerns about the. Understanding the Wassenaar Arrangement controversy. State Department will try to fix Wassenaar Arrangement. The Wassenaar Arrangement (Wassenaar or WA) on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a group of 41 like-minded states committed to promoting responsibility and transparency in the global arms trade, and preventing destabilizing accumulations of arms. On July 5, 2015, a 400 GB document dump of files from Hacking Team, including emails and financial data, was shared on. Last month, changes to the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (Wassenaar Arrangement) placed. Software specially designed or modified to avoid detection by monitoring tools, or to defeat protective countermeasures, of a computer or network-capable device, and performing any of the. The Wassenaar Arrangement's attempt to wrestle a mostly ethereal problem into a regulatable problem was, for the most part, handled well. Wassenaar would oblige those software developers and security. Microsoft's comments on the proposed rule under the. The rules were negotiated through the Wassenaar Arrangement on. State Department will try to fix Wassenaar Arrangement. Regular readers of this blog will likely be familiar with the Wassenaar Arrangement, a 41.
Marsh Ray, a prominent security software developer, says the controls would change the entire industry, causing problems for even defensive security researchers. How the Wassenaar Arrangement threatens responsible. An ineffective export control regime that compromises United States economic interests. Arrangement is nonbinding and each signatory agrees to enact domestic. Microsoft's comments on the proposed rule under the Wassenaar. The Wassenaar Arrangement was formed with the best intentions, but now major parties are speaking out against it. Hacking Team series: the Wassenaar Arrangement (ENISA).
The United States successfully negotiated research-use exceptions to export controls on surveillance tools at the December 2017 meeting of the Wassenaar Arrangement, a club of advanced economies that coordinates export controls. Infosec controls relaxed a little after latest Wassenaar. Federal Register: Wassenaar Arrangement 2016 plenary. Wassenaar weapons pact talks collapse leaving software exploit exports in limbo. The Hague Code of Conduct against Ballistic Missile Proliferation.
Participating states seek, through their national policies, to ensure that transfers of these items do not contribute to the development or enhancement of military. Wassenaar Arrangement: the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, an initiative of more than 30 countries, including the U. The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, commonly known as the Wassenaar Arrangement, is a multilateral expo. In doing so, they also try to restrict information that may be used to develop intrusion software. Other export control fora and relevant organisations: Nuclear Suppliers Group. Of note, Italy is a signatory to the Wassenaar Arrangement. Three years ago, the Wassenaar Arrangement, an international arms control pact, placed restrictions on the exports of certain intrusion software tools. The background relates to the amending of the international Wassenaar Arrangement with offensive cyber security technologies known as intrusion software. Wassenaar is an arms-control pact in which more than 40 nations agreed to limit the export of certain types of weaponry and dual-use products.
Our first information about the new Wassenaar Arrangement came in the form of a newspaper article, which said that export of encryption software would be prohibited and. It defined the software it intended to control very narrowly. The Wassenaar Arrangement (GNU Project, Free Software). New changes to Wassenaar Arrangement export controls will. The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a multilateral export control regime (MECR) with 42 participating states including many former COMECON (Warsaw Pact) countries. The Wassenaar definition of intrusion software focuses on programs that are designed to circumvent detection tools or protective countermeasures and which extract or modify data or run. In numerous press declarations, the Hacking Team CEO argues that his company respects international law, and notably the Wassenaar Arrangement, triggering numerous debates on the topic. US to renegotiate rules on exporting intrusion software (Ars Technica). The goals of the Wassenaar Arrangement (WA) are constructive, and our. Mar 02, 2016: US to renegotiate rules on exporting intrusion software. Introduction: the Wassenaar Arrangement has been established in order to contribute to regional and international security and stability, by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilising accumulations. Wassenaar Arrangement: 41-member multilateral export control regime. But rather than control intrusion software itself, the arrangement put. Technology for the development of intrusion software.
The United States successfully negotiated research-use exceptions to export controls on surveillance tools at the December 2017 meeting of the Wassenaar Arrangement, a club of advanced economies. Infosec controls relaxed a little after latest Wassenaar meeting. It also controlled any type of technology involved in the development of intrusion software. In a significant development, elite export control regime Wassenaar Arrangement (WA) on. The Wassenaar Arrangement's intrusion software clauses are. The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a multilateral export control regime (MECR) with 42 participating states including many former COMECON (Warsaw Pact) countries. The Wassenaar Arrangement was established to contribute to regional and international security and stability by promoting transparency and greater responsibility. The upcoming meeting will hopefully build on progress that the governments made in June, and result in a more narrowly tailored control that supports cybersecurity response, development, and innovation. The aim is also to prevent the acquisition of these items by terrorists. The Bureau of Industry and Security (BIS) proposes to implement the agreements by the Wassenaar Arrangement (WA) at the plenary meeting in December 20 with regard to systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software. May 02, 2016: After an interagency effort to draft the U. Google says controversial export proposal would make the. Jul 20, 2015: Members of the Wassenaar Arrangement have agreed to control a wide range of goods, software, and information, including technologies relating to intrusion software as they've defined that term. Jul 24, 2015: By Cristin Goodwin, Senior Attorney, Microsoft. In this post, I describe the original Wassenaar export controls.
May 28, 2015: The Wassenaar Arrangement includes controls for technology connected to intrusion software. Wassenaar Arrangement defines intrusion software and thus also. Implicitly, such software is related to previously unregulated software vulnerabilities and exploits, which also make the ongoing debate particularly relevant. State Department will try to fix Wassenaar Arrangement. Regular readers of this blog will likely be familiar with the Wassenaar Arrangement, a 41-nation agreement intended to regulate the export of certain dual-use technologies, such as guns and fissile material. Our first information about the new Wassenaar Arrangement came in the form of a newspaper article, which said that export of encryption software would be prohibited, and this seemed to include free software. Unfortunately, the agreed upon definition for intrusion software is quite broad, embracing a number of products that are solely intended for research. Dec 08, 2017: India has become the 42nd member of the Wassenaar Arrangement (WA). Congress of the United States, Congressman Jim Langevin. Many of these intrusion technologies actually play a role in governance and compliance with respect to PCI DSS, HIPAA, SOX. The voluntary agreement among the 41 participating. The former is dangerous because Wassenaar fails to make the impossible distinction. Why Wassenaar Arrangement's definitions of intrusion software.