The Wassenaar Arrangement is a multilateral export control regime that has existed and been updated annually since...
1996. The Wassenaar Arrangement is agreed upon by 41 participating countries, including the United Kingdom, France, Italy, Germany, Russia, Ukraine, Mexico and the United States. The agreement states that the decision to transfer or deny transfer of any item is the sole responsibility of each participating state. All measures with respect to the arrangement are taken in accordance with national legislation and policies, and are implemented on the basis of national discretion. Therefore the national authorities in that country decide on the specifics of export controls in participating states; The U.S. Department of Commerce Bureau of Industry and Security (BIS) is the governing entity for the United States.
In 1996, members of the Wassenaar Arrangement agreed to control a wide range of goods. In 2013, the list of goods was amended to include technologies used for testing, penetrating and exploiting vulnerabilities in computer systems and networks relating to intrusion software, which includes threat intelligence data.
The proposed rules of the Wassenaar Arrangement for July 2015 state that the following technologies "would require a license to export, reexport, and transfer (in-country) to all destinations, except Canada."
- "Systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software;"
- "Software specially designed or modified for the development or production of such systems, equipment or components; software specially designed for the generation, operation or delivery of, or communication with, intrusion software;"
- "Technology required for the development of intrusion software;"
- "Internet Protocol (IP) network communications surveillance systems or equipment and test, inspection, production equipment, specially designed components therefor, and development and production software and technology therefor."
On July 20, 2015, Google formally submitted comments and questions on the proposed rules to the United States Commerce Department's BIS. The comments include topics such as the risks of "broad and vague" rules, not needing a license to report a bug to get it fixed, sharing information globally, the necessity of clear controls and why the controls should be changed immediately.
The rules restrict the export of cyber tools that could be used for malicious purposes by organized crime, terrorist groups and hacking groups -- including state-funded. The export license would allow tracking and accountability. The fee for the license would probably be nominal since these groups are typically well-funded. Despite the best intentions of the Wassenaar Arrangement, many security pundits believe these rules would have a detrimental effect on research and threat intelligence sharing.
Effects on security research
Google and other search engine vendors gather an enormous amount of data about user online experience around the world. However, since 2010, Google has paid over $4 million to researchers around the world in its Security Rewards Program and Vulnerability Security Program for identifying bugs and vulnerabilities in Google and Chrome version releases, most of which are in developer and beta versions. This program has enabled remediation of bugs and vulnerabilities before they could reach the main user population. But the Wassenaar Arrangement, according to Google, could impede security researchers by requiring them to obtain software licenses before reporting bugs to the manufacturers.
Based on national discretion
All measures with respect to the arrangement are taken in accordance with national legislation and policies, and are implemented on the basis of national discretion. This means each participating state may decide how to implement the rules and they may not be consistent with those of the United States.
Security pundits believe the rules proposed by the U.S. are much more restrictive than those put forth by other countries. Overall, this appears to be an arbitrary decision, though assuredly it was not intended to be. The proposed rules need to address this more carefully before they are finalized.
Software traffic on the Internet
Researchers state that the rules would make it unlawful to export hacking tools outside of their country of origin. This is troublesome because researchers worry they will no longer have access to the tools they use to spot vulnerabilities in software and networks.
Additionally, if researchers discover security flaws, the proposed Wassenaar rules would prohibit them from presenting their findings at security conferences or posting them publically. It would also be illegal for them to upload research, findings and code to a foreign server. This would have a significant effect on threat intelligence sharing, even internally for companies that have threat intelligence labs around the globe.
The intent of the proposed Wassenaar Arrangement rules is to restrict the export of cybertools that could be used for malicious purposes. However, the rules as written pose a detrimental effect on research and threat intelligence sharing around the globe by imposing an export license and restricting what content can be shared even internally for international companies. The U.S. Commerce Department BIS has received a large number of comments on the proposed rules and agreed to propose a second draft before the annual Wassenaar Arrangement meeting this month. In a public statement, Ambassador Gonzalo de Salazar Serantes of Spain, the Wassenaar Arrangement plenary chair for 2015, said the organization plans to "conduct further work on addressing new challenges, including emerging technologies of concern, in order to keep pace with advances in technology, research and innovation" in 2016.
Check out this buyer's guide to threat intelligence services
Learn how global threat intelligence fits into a security strategy
Find out if the concept of a bug bounty program is flawed