Wassenaar: Turning arms control into software control

Guest blog by James Gannon, Director and Principal of Cyber Invasion, Ltd.

In May 1996 41 countries came to Wassenaar, a small town in the Netherlands, to sign what was to be called the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. The Wassenaar meeting was intended to create a post-Cold War approach to controlling exports of conventional munitions and dual-use technologies (goods and technologies that have a both civilian and military uses).

Reading through the ‘control lists’ they produced makes for heavy reading. There are “Bombs, torpedoes, rockets, missiles and other explosive devices;” “Chemical or biological toxic agents;” and “Nuclear Power generating equipment.”

Fast forward to December 2013, when the Wassenaar signatories met for their bi-annual meeting to update the control lists. With surveillance technology, cyber-security and so-called cyber weapons on everyone’s minds at the time, guess what one of the signatory states proposed to add to the control lists?

The Additions

The first proposed addition was labelled ‘intrusion software,’ defined as software specially designed or modified to avoid detection by ‘monitoring tools’, or to defeat ‘protective countermeasures’ of a computer or network-capable device. Such tools could perform any of the following functions:

a. The extraction of data or information, from a computer or network capable device, or the modification of system or user data; or b. The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions

Now that this new class of software has been defined, the additions go on to specify the specific software within this class that is to be subject to control. This sub class is associated with generation, operation or delivery of, or communication with, intrusion software and those for its development and production:

1 The following elements are subjected to particular control: 4.A.5. Systems, equipment, and components therefor, specially designed or modified for the generation, operation or delivery of, or communication with, “intrusion software”. 4.D.4. “Software” specially designed or modified for the generation, operation or delivery of, or communication with, “intrusion software”. 4.E.1.c “Technology” for the “development” of “intrusion software”. “Software” specially designed or modified for the “development” or “production” of equipment or “software” specified by 4.A. or 4.D. “Technology” according to the General Technology Note, for the “development”, “production” or “use” of equipment or “software” specified by 4.A. or 4.D.

The Intent

While human rights activists with good intentions were partly responsible for these new restrictions, they could backfire on Internet freedom and security by pushing security research back years. According to Rob Graham, a security researcher who created one of the world’s first desktop firewalls (BlackIce Defender) and the first Intrusion Prevention System (BlackIce Guard), “the Wassenaar arrangement is a radical step in the wrong direction, nearly outlawing security research.”

The revised arrangement attempts to shoehorn the extremely complex world of security research into what is in essence an arms limitation treaty. The problem with that is twofold. The definition adopted by Wassenaar is extremely broad. At the core of the definition of intrusion software is “modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.” The agreement uses this as a basis to define a potential bad actor, a person who may be developing a system that may have a military application. This definition encompasses methods and tools that are common to software engineering. There is a genuine risk that these controls will chill the ability of researchers to do their jobs. The techniques defined are used across many platforms, from anti-virus software to operating systems, from malware analysis to games development.

Over the past number of years cybersecurity research has become increasingly legitimized, with companies such as Google and Yahoo hiring internal security teams composed of former ‘hackers’ and others offering ‘bug bounties’ for researchers who discover vulnerabilities in their software. With these additions to the Wassenaar Arrangement, many fear that security research will be pushed back into the underground black market, where software and exploits will be traded illegally instead of openly with the companies who have been found vulnerable. This effect will impact all of us, with vulnerabilities being used by criminal enterprises instead of being fixed and secured.

Even for some of the larger more established companies the effects are clearly evident.  VUPEN, a leading security research firm, announced on its website that, in response to the Wassenaar Arrangement changes, it would have to restrict its business to approved government agencies in approved countries. Later it would restrict or cease using most of its public facing websites and social media accounts. The firm said that it considered the newly adopted “intrusion software” restrictions applicable to its products and research. VUPEN also announced it would have to exclude countries subject to similar European Union restrictions. VUPEN is widely believed to be considering a relocation of its business to a non-Wassenaar signatory state.

Chilling Effects

Katie Moussouris, a noted figure in the security world who is Chief Policy Officer at HackerOne and former senior security strategist at Microsoft, said “The definition is too broad. It includes the fundamental components of all vulnerability research …, and will hinder the sharing and publication of important security research.” Katie was instrumental in developing the concept of ‘bug bounties’ where independent security researchers will submit bugs they find in company software in return for compensation and credit. Vulnerabilities fixed through HackerOne’s program have solved over 8800 bugs and paid out almost 3m USD in compensation as of the time of this post. Many fear that the impact of having to comply with complex export controls such as Wassenaar will have serious impact on the independent security research market. Without the legal and compliance departments of large companies to back them up many independent researchers would find themselves unable to comply with the regulations and thus may not be able to continue their research, research which is critical to safeguarding all of our online activities.

The road forward

We live a technological society. Every day we interact with hundreds of electronic systems, our personal information passes through databases and we enter our credit card details into e-commerce sites. We need all of these systems to be secure, it is critical to our ability to trust our technology. By restricting the ability of security researchers to conduct their business we are reducing the available manpower to investigate these system that we rely on. The Wassenaar arrangement is a high level treaty that will have direct effect on our day to day lives.

The U.S. Department of Commerce released its implementation proposal for Wassenaar recently and opened a 60-day public comment period. The deadline for comment is July 20 for anyone interested in affecting this agreement. You can find the document here.

Alternatives to the Wassenaar arrangement are possible. By engaging the security research community and working with them to a more suitable, well defined set of rules we can both ensure that we have a safe internet while maintaining the ability of the security research industry to grow and thrive.

Editors note: for earlier IGP blog posts in related topics see: 

Regulating the market for zero-day exploits: look to the demand side (March 15, 2013)

Technology as symbol: is resistance to surveillance technology being misdirected? (December 20, 2011)