Today is the last day for public comments on the U.S. proposal to implement the Wassenaar Arrangement's new controls on intrusion software, and Black Hat and Google are making their voices heard. With 41 participating countries, the Wassenaar Arrangement is a multilateral export control regime that has been in existence since 1996 and whose control lists are updated annually.
The U.S. Department of Commerce Bureau of Industry and Security (BIS) has proposed export rules to cover "systems, equipment, components and software specially designed for the generation, operation or delivery of, or communication with intrusion software, [including] network penetration testing products that use intrusion software to identify vulnerabilities of computers and network-capable devices." Black Hat and Google publicly decried these proposed rules.
Black Hat said little, deferring most of the discussion to a panel at its conference next month, but noted that "as currently written, [the Wassenaar Arrangement] has the potential to significantly restrict and/or eliminate the depth and types of research curated by many members of our security community, especially those that collaborate internationally."
Google went into far more detail in a blog post published today, calling the rules "dangerously broad and vague" and, ultimately, not feasible. According to BIS, information about vulnerabilities and their causes would not be controlled, but Google argued that the rules are written broadly enough that such information could fall under control in some cases.
Google also objected to the proposed license requirement for exporting items covered by the intrusion software controls and suggested an exception for cases in which controlled information is being reported to a product's manufacturer so that the vulnerability can be fixed.
"The proposed rules are not feasible and would require Google to request thousands -- maybe even tens of thousands -- of export licenses," Google wrote. "Since Google operates in many different countries, the controls could cover our communications about software vulnerabilities, including emails, code review systems, bug tracking systems, instant messages -- even some in-person conversations!"
Google also raised concerns about how the rules would affect its ability to share information about intrusion software between teams located in different countries.
Ultimately, Google said the rules need to be changed immediately, because the "proposed rules, as currently written, would have a significant negative impact on the open security research community. They would also hamper our ability to defend ourselves, our users and make the Web safer. It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure."
The formal comment period closes today; comments can still be submitted to BIS until it ends.